SDPC
Global Education Security Standard (GESS)


V1.0 of GESS identifies and cross-walks controls from the following security frameworks:
Search results include:

Standard Control Control Text Questions Control Type Category Jurisdiction NH Standard ST4S Version
NIST 800-171 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Does your organisation provide access to systems based on roles (e.g., role-based access control (RBAC)), and is this process documented for all systems including the service? Basic Security - Access United States Y 1
NIST 800-171 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. Does your organisation provide access to systems based on roles (e.g., role-based access control (RBAC)), and is this process documented for all systems including the service? Derived Security - Access United States Y 1
NIST 800-171 3.1.3 Control the flow of CUI in accordance with approved authorizations. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. With regards to the development of the service, are different mission, testing, auditing, and system support roles allocated to different individuals (organisation staff, vendor staff, external contractors, associates) as a matter of policy Derived Security - Access United States 1
NIST 800-171 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts. In your organisation, are privileged accounts (super-users) restricted by role or to specific staff? Derived Security - Access United States Y 1
NIST 800-171 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions. In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) Derived Security - Access United States 1
NIST 800-171 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions in audit logs. In your organisation, are privileged accounts (super-users) restricted by role or to specific staff? Derived Security - Access United States 1
NIST 800-171 3.1.8 Limit unsuccessful logon attempts. Does the service limit unsuccessful logon attempts, e.g. by resetting the user password after several such attempts? Derived Security - Access United States Y 1
NIST 800-171 3.1.9 Provide privacy and security notices consistent with applicable CUI rules. Is the privacy policy made available free of charge, stating explicitly what sites and services it covers, and: Published on the internet; or Provided to customers prior to use of the service? Derived Privacy - Requests United States 1
NIST 800-171 3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity. Are all internal organisation systems (including operating systems) configured with a session or screen lock that: - activates after a maximum of 15 minutes of user inactivity or if manually activated by the user; - activates after a maximum of 2 minutes of user inactivity or if manually activated by the user for mobile end-user devices; - completely conceals all information on the screen; - ensures that the screen does not enter a power saving state before the screen or session lock is activated; - requires the user to reauthenticate to unlock the system; and - denies users the ability to disable the session or screen locking mechanism? - does not display any secure information of its own Basic Security - Access United States 1
NIST 800-171 3.1.11 Terminate (automatically) a user session after a defined condition. For the service, are user log-in sessions automatically terminated after a period of inactivity, or in response to a security incident? Derived Security - Access United States 1
NIST 800-171 3.1.12 Monitor and control remote access sessions. In relation to the chat/instant messaging functionality available within the service, select all that apply. Derived Privacy - Functionality United States 1
NIST 800-171 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States Y 1
NIST 800-171 3.1.14 Route remote access via managed access control points. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information. Within your organisation, are additional authorisation protocols required to execute privileged commands remotely, compared to on-site? Derived Security - Access United States 1
NIST 800-171 3.1.16 Authorize wireless access prior to allowing such connections. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States Y 1
NIST 800-171 3.1.17 Protect wireless access using authentication and encryption. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States Y 1
NIST 800-171 3.1.18 Control connection of mobile devices. Has your organisation documented and implemented a security policy governing the management and connectivity of mobile devices, including •use of a Mobile Device Management solution applied to all mobile devices and • encryption of any sensitive information transferred to mobile devices? Derived Security - Technical United States 1
NIST 800-171 3.1.19 Encrypt CUI on mobile devices. Has your organisation documented and implemented a security policy governing the management and connectivity of mobile devices, including •use of a Mobile Device Management solution applied to all mobile devices and • encryption of any sensitive information transferred to mobile devices? Derived Security - Technical United States 1
NIST 800-171 3.1.20 Verify and control/limit connections to and use of external information systems. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance)? and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.1.21 Limit use of portable storage devices on external systems. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and Integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.1.22 Control CUI posted or processed on publicly accessible systems. Does your organisation share user data with third parties in any circumstance other than the following? If yes, please specify. -the individual has consented to the use or disclosure of the information; -the use or disclosure of the information is required or authorised by or under a law or a court/tribunal order in the customer's country; - the use or disclosure is required or permitted under privacy legislation in the customer's country; or -the entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body? For service in Australia, refer to the Australian Privacy Principles, as well as the permitted general situations and permitted health situations. For service in New Zealand, refer to the Privacy Principles and information sharing provisions in the Privacy Act 2020, as well as the Oranga Tamariki Act 1989 and the Family Violence Act 2018. For the UK, refer to Keeping Children Safe in Education Derived Privacy - Requests United States 1
NIST 800-171 AC-1 Access control policy and procedures NFO United States 1
NIST 800-171 3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Basic Security - HR United States Y 1
NIST 800-171 3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Basic Security - HR United States Y 1
NIST 800-171 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Derived Security - HR United States 1
NIST 800-171 AT-1 Security awareness and training policy and procedures NFO United States 1
NIST 800-171 AT-4 Security training records NFO United States 1
NIST 800-171 3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful unauthorized system activity. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Basic Security - Logging United States Y 1
NIST 800-171 3.3.3 Review and update events. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities;- access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Derived Security - Plans and Quality United States 1
NIST 800-171 3.3.4 Alert in the event of an audit process failure. Has your organisation implemented a centralised logging facility to store logs which: Ensure logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Derived Security - Logging United States 1
NIST 800-171 3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of suspicious, or unusual activity. Does your organisation have a documented and implemented event log auditing procedure which outlines, at a minimum: • Schedule of audits (annual or real-time for sensitive data); • Definitions of security violations; • Actions to be taken when violations are detected; and • Reporting requirements? Derived Security - Logging United States 1
NIST 800-171 3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting. Has your organisation implemented a centralised logging facility to store logs which: Ensure logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Derived Security - Logging United States 1
NIST 800-171 3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff); - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources); - User administration logs (e.g., addition/removal of users, changes to accounts, password changes); - System logs (e.g., system shutdown/restarts, application crashes and error messages); and - The unique identifier of the user who performed the activity being logged? Derived Security - Logging United States 1
NIST 800-171 3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion. Has your organisation implemented a centralised logging facility to store logs which: - ensures logs cannot be tampered with; - triggers an alert if a logging transaction fails; - supports audit reduction and report generation for analysis; and - ensures adequate storage to meet the specified retention periods? Derived Security - Logging United States 1
NIST 800-171 3.3.9 Limit management of audit functionality to a subset of privileged users. Derived United States 1
NIST 800-171 AU-1 Audit and accountability policy and procedures NFO United States 1
NIST 800-171 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Does your organisation have a documented and implemented IT asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure, etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department and approval for connecting to the organisation's network; for software, the publisher, installation date, business purpose, URI, deployment mechanism and decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data, or secure destruction/shredding); - A register of all baseline configurations associated with components, updated in line with the organisation's system hardening process, with each component tracked only once; - Documentation of the security and privacy impacts of asset changes; and - Removal, denial of access or quarantining of any identified unauthorised assets on a regular basis? Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Basic Security - Access United States Y 1
NIST 800-171 3.4.3 Track, review, approve or disapprove, and log changes to organizational systems. Does your organisation have a documented and implemented IT change management process and supporting procedures which include the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorisation of IT changes (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements for the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validation of all changes to systems before they are finalised? Derived Security - Plans and Quality United States 1
NIST 800-171 3.4.4 Analyze the security impact of changes prior to implementation. Does your organisation have a documented and implemented IT change management process and supporting procedures which include the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorisation of IT changes (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements for the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validation of all changes to systems before they are finalised? Derived Security - Plans and Quality United States 1
NIST 800-171 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Derived Security - Access United States 1
NIST 800-171 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. Does your organisation have a documented and implemented system hardening process which: • includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); • includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; • ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); • is reviewed annually and when significant changes occur, including when system components are installed or upgraded; • results in security configurations being established and enforced for organisation systems; and • ensures only required and authorised software is installed and used? Derived Security - Technical United States 1
NIST 800-171 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Does your organisation have a documented and implemented system hardening process which: • includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); • includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; • ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); • is reviewed annually and when significant changes occur, including when system components are installed or upgraded; • results in security configurations being established and enforced for organisation systems; and • ensures only required and authorised software is installed and used? Derived Security - Technical United States Y 1
NIST 800-171 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. Does your organisation have a documented and implemented system hardening process which: • includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); • includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; • ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); • is reviewed annually and when significant changes occur, including when system components are installed or upgraded; • results in security configurations being established and enforced for organisation systems; and • ensures only required and authorised software is installed and used? Derived Security - Technical United States 1
NIST 800-171 3.4.9 Control and monitor user-installed software. Does your organisation have a documented and implemented system hardening process which: • includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); • includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; • ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); • is reviewed annually and when significant changes occur, including when system components are installed or upgraded; • results in security configurations being established and enforced for organisation systems; and • ensures only required and authorised software is installed and used? Derived Security - Technical United States 1
NIST 800-171 CM-1 Configuration management policies NFO United States 1
NIST 800-171 CM-2(1) Baseline configuration - reviews and updates NFO United States 1
NIST 800-171 CM-2(7) Baseline configuration - configure systems, components, or devices for high-risk areas NFO United States 1
NIST 800-171 CM-3(2) Configuration change control - test/validate/document changes NFO United States 1
NIST 800-171 CM-8(5) System component inventory - no duplicate accounting of components NFO United States 1
NIST 800-171 CM-9 Configuration management plan NFO United States 1
NIST 800-171 3.5.1 Identify system users, processes acting on behalf of users, and devices. Are all users (including administrators, system accounts and devices) uniquely identifiable within the service (i.e., via unique usernames or other unique account identifiers)? Basic Security - Access United States Y 1
NIST 800-171 3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems. Does all access to the service require authentication and authorisation, including both human access and access by processes or devices? Basic Security - Access United States Y 1
NIST 800-171 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Derived Security - Access United States 1
NIST 800-171 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. Within the service, is the multi-factor authentication used replay-resistant (e.g., nonces, one-time authentication tokens)? Derived Security - Access United States 1
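The replay resistance 3.5.4 asks about comes from binding each authentication proof to a fresh, single-use server challenge. The following is an added example, not part of the GESS page or any vendor's code: a minimal nonce-based challenge-response exchange with both sides simulated in one process. The shared per-user secret, the HMAC-SHA256 response function, the 30-second challenge lifetime and the in-memory nonce table are all assumptions made for the example.

```python
"""Replay-resistant challenge-response authentication (added example).

Assumptions, none of them from the page: one pre-shared secret per user, an
HMAC-SHA256 response over (user, nonce), and a server-side table of issued
nonces so each challenge can be answered exactly once. Both sides of the
exchange run in this one process so it can be exercised offline.
"""
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_TTL_SECONDS = 30.0  # assumed lifetime of an unanswered challenge


def compute_response(secret: bytes, user: str, nonce: bytes) -> bytes:
    """Client side: bind the proof to this user and this challenge."""
    return hmac.new(secret, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets  # user -> shared secret (constructed test data)
        self._pending: dict[bytes, tuple[str, float]] = {}  # nonce -> (user, issued_at)

    def issue_challenge(self, user: str, now: float) -> bytes:
        """Hand out a fresh random nonce bound to the requesting user."""
        nonce = os.urandom(16)
        self._pending[nonce] = (user, now)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes, now: float) -> bool:
        # Pop, not get: the nonce is consumed on first use whether or not the
        # proof checks out, so a captured response can never be replayed.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False  # unknown, purged, or already used
        bound_user, issued_at = entry
        if bound_user != user or now - issued_at > NONCE_TTL_SECONDS:
            return False
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, user, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict[str, bool]:
    """Walk the exchange through the success path and three failure modes."""
    secret = b"constructed-shared-secret-for-alice"
    server = Server({"alice": secret})

    # 1. Genuine login: challenge -> response -> accepted.
    n1 = server.issue_challenge("alice", now=1000.0)
    r1 = compute_response(secret, "alice", n1)
    first = server.verify("alice", n1, r1, now=1001.0)

    # 2. An eavesdropper replays the same (nonce, response) pair: rejected.
    replay = server.verify("alice", n1, r1, now=1002.0)

    # 3. A correct answer that arrives after the TTL: rejected.
    n2 = server.issue_challenge("alice", now=1000.0)
    r2 = compute_response(secret, "alice", n2)
    stale = server.verify("alice", n2, r2, now=1000.0 + NONCE_TTL_SECONDS + 1)

    # 4. Right nonce, wrong secret (a guessing attacker): rejected.
    n3 = server.issue_challenge("alice", now=1000.0)
    r3 = compute_response(b"wrong-secret", "alice", n3)
    wrong_secret = server.verify("alice", n3, r3, now=1001.0)

    return {"first": first, "replay": replay, "stale": stale, "wrong_secret": wrong_secret}


if __name__ == "__main__":
    print(demo())
```

The property an assessor is looking for is visible in case 2: the identical, perfectly valid message that succeeded a second earlier is rejected, because the server discards the nonce the moment it is presented. A static password or a long-lived bearer token sent over the same channel would pass both times.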
NIST 800-171 3.5.5 Prevent reuse of identifiers for a defined period. Within the organisation, are all accounts disabled after 45 days of inactivity and are user identifiers blocked from reassignment to new users for a defined period of time? Derived Security - Access United States 1
NIST 800-171 3.5.6 Disable identifiers after a defined period of inactivity. Within the organisation, are all accounts disabled after 45 days of inactivity and are user identifiers blocked from reassignment to new users for a defined period of time? Derived Security - Access United States 1
NIST 800-171 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. For the service, when a new password is selected by a user, is there a restriction on: • How similar the new password is to the previous password; • The time duration or number of password changes before a previous password can be reused by a user? Derived Security - Access United States Y 1
NIST 800-171 3.5.8 Prohibit password reuse for a specified number of generations. For the service, when a new password is selected by a user, is there a restriction on: • How similar the new password is to the previous password; • The time duration or number of password changes before a previous password can be reused by a user? Derived Security - Access United States 1
NIST 800-171 3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Derived Security - Access United States 1
NIST 800-171 3.5.10 Store and transmit only cryptographically protected passwords. Are all passwords used to access the service (i.e., user, system and privileged account passwords) protected in line with the recommendations of at least one of: the Australian Cyber Security Centre Information Security Manual; the New Zealand Information Security Manual; and/or the Open Web Application Security Project (OWASP) Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation that passwords are hashed, salted and stretched? Derived Security - Access United States 1
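Controls 3.5.7, 3.5.8 and 3.5.10 together describe one password-handling pipeline: store only a salted, stretched hash, and at change time reject a new password that is too close to the old one or that repeats a recent one. The block below is an added example written for this page, not code from GESS, NIST or any referenced standard. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt and 600,000 iterations as the stretching function, a five-entry reuse history, and a difflib similarity ratio of 0.8 as the "too similar" cut-off; the passwords in `demo()` are constructed.

```python
"""Salted, stretched password storage plus change-time checks (added example).

Assumptions, not taken from the page: PBKDF2-HMAC-SHA256 with a per-password
random 16-byte salt and 600,000 iterations as the stretching function, a
five-entry reuse history, and a difflib similarity ratio of 0.8 as the
"too similar" threshold. A production system would more likely use Argon2id
or scrypt via a vetted library; hashlib is used here only so the example
runs with the standard library.
"""
from __future__ import annotations

import difflib
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it over time
HISTORY_DEPTH = 5            # assumed number of superseded passwords remembered
MAX_SIMILARITY = 0.8         # assumed threshold for "too similar to the old one"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)  # fresh random salt per password, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        alg, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def too_similar(old: str, new: str) -> bool:
    """Reject trivial edits of the previous password (case changes, a bumped year)."""
    o, n = old.lower(), new.lower()
    if o in n or n in o:
        return True
    return difflib.SequenceMatcher(None, o, n).ratio() >= MAX_SIMILARITY


class Account:
    """Holds the current hash and the last HISTORY_DEPTH superseded hashes."""

    def __init__(self, password: str):
        self.current = hash_password(password)
        self.history: list[str] = []

    def change_password(self, old: str, new: str) -> str:
        if not verify_password(old, self.current):
            return "old password incorrect"
        if too_similar(old, new):
            return "too similar to previous password"
        # The history holds hashes only, so reuse can be detected only at
        # change time, when the candidate plaintext is in hand.
        if any(verify_password(new, h) for h in self.history):
            return "reused recent password"
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new)
        return "ok"


def demo() -> list[str]:
    """Exercise the change-time policy on constructed passwords."""
    acct = Account("Winter-Sunrise-2019!")
    return [
        acct.change_password("not-the-password", "Granite-Kettle-Orbit-77"),
        acct.change_password("Winter-Sunrise-2019!", "Winter-Sunrise-2020!"),
        acct.change_password("Winter-Sunrise-2019!", "Granite-Kettle-Orbit-77"),
        acct.change_password("Granite-Kettle-Orbit-77", "Winter-Sunrise-2019!"),
    ]


if __name__ == "__main__":
    print(demo())
```

Two details matter when reviewing an implementation against 3.5.10: the salt is generated per password and stored beside the hash (so identical passwords produce different records), and the iteration count is stored in the record so it can be raised later without invalidating existing accounts. The similarity check works only at change time because it needs the old plaintext, which is exactly when the user has just supplied it.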
NIST 800-171 3.5.11 Obscure feedback of authentication information. Are passwords obscured or masked as users enter them in order to access the service? Derived Security - Access United States 1
NIST 800-171 IA-1 Identification and authentication policy and procedures NFO United States 1
NIST 800-171 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date the incident occurred; o Date the incident was discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of the person to whom the incident was reported? Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after it is discovered and given all relevant details? Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.6.3 Test the organizational incident response capability. Is the incident response capability of the organisation regularly tested and reviewed? Derived Security - Processes and Testing United States 1
NIST 800-171 IR-1 Incident response policy and procedures NFO United States 1
NIST 800-171 IR-8 Incident response plan NFO United States 1
NIST 800-171 3.7.1 Perform maintenance on organizational systems. Does your organisation use a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, firmware and hardware, which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; - that the list of software supported for updates is reviewed regularly; and - that, by default, patches to the product are applied automatically, i.e. without the need for customer action? Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet-facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Validated (i.e., its rulesets) on an annual or more frequent basis; - Configured, when publisher certificate rules are used, to match on both publisher names and product names; and - Extended to the tools and applications used in system and software maintenance? Basic Security - Access United States Y 1
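The rule types named in the 3.7.2 question (hash, publisher certificate, path) differ in what they actually pin down, and that difference is what an assessor should probe. The following is an added example for this page, not GESS or vendor code: a small first-match-wins evaluator over hash rules and path rules with deny as the default, applied to constructed stand-in binaries. Publisher certificate rules are left out because checking a code-signing signature needs a platform library; the rule paths, file contents and the list of user-writable prefixes are all assumptions made for the example.

```python
"""Application control rules: hash rules versus path rules (added example).

Assumptions, not from the page: a rule set is an ordered list of hash rules
(SHA-256 of the file contents) and path rules (allowed directory prefix),
evaluated first match wins with deny as the default. Publisher certificate
rules are omitted because verifying a code-signing signature needs a
platform library. Files are modelled as (path, bytes) pairs built in this
script so it runs without touching the filesystem.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class HashRule:
    sha256: str  # hex digest of the approved binary's contents


@dataclass(frozen=True)
class PathRule:
    prefix: str  # directory below which execution is allowed (ends with '/')


Rule = Union[HashRule, PathRule]


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def decide(path: str, content: bytes, rules: list[Rule]) -> tuple[str, str]:
    """Return ('allow'|'deny', reason) for a file about to execute."""
    digest = sha256_hex(content)
    for rule in rules:
        if isinstance(rule, HashRule) and rule.sha256 == digest:
            return "allow", f"hash rule {digest[:12]}..."
        if isinstance(rule, PathRule) and path.startswith(rule.prefix):
            return "allow", f"path rule {rule.prefix}"
    return "deny", "no matching rule (default deny)"


def weak_path_rules(rules: list[Rule], user_writable_prefixes: list[str]) -> list[PathRule]:
    """Path rules only hold if non-admin users cannot write below the prefix."""
    return [
        r for r in rules
        if isinstance(r, PathRule) and any(r.prefix.startswith(w) for w in user_writable_prefixes)
    ]


# Constructed stand-ins for binaries; real ones would be read from disk.
APPROVED_TOOL = b"\x7fELF approved-maintenance-tool v1.4"
TAMPERED_TOOL = APPROVED_TOOL[:-1] + b"5"  # one byte changed
UNKNOWN_SCRIPT = b"#!/bin/sh\necho not on the approved list\n"

RULES: list[Rule] = [
    HashRule(sha256_hex(APPROVED_TOOL)),
    PathRule("/opt/vendor/maint/"),
    PathRule("/home/shared/tools/"),  # assumed writable by ordinary users
]


def demo() -> dict[str, str]:
    """Decisions for the constructed files under RULES."""
    cases = {
        # Hash rule: approved bits run from anywhere, even a download folder.
        "approved_from_downloads": ("/home/alice/Downloads/tool", APPROVED_TOOL),
        # Hash rule: a one-byte change to the binary is denied.
        "tampered_from_downloads": ("/home/alice/Downloads/tool", TAMPERED_TOOL),
        # Path rule: the same tampered binary is allowed because of where it sits.
        "tampered_in_vendor_dir": ("/opt/vendor/maint/tool", TAMPERED_TOOL),
        # Default deny for anything unlisted.
        "unknown_script": ("/tmp/run.sh", UNKNOWN_SCRIPT),
    }
    return {name: decide(p, c, RULES)[0] for name, (p, c) in cases.items()}


if __name__ == "__main__":
    print(demo())
    print("weak path rules:", weak_path_rules(RULES, ["/home/", "/tmp/"]))
```

The third case is the one to raise with a vendor: a path rule cannot tell a vetted maintenance tool from a modified copy dropped in the same directory, so a path rule is only as strong as the write permissions on that directory. `weak_path_rules` is the check an annual ruleset validation would run against the list of locations ordinary users can write to.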
NIST 800-171 3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI. Does your organisation enforce enhanced security configurations for organisation systems and components moving: - physically to high-risk areas; and - off-site for maintenance? Derived Security - Technical United States Y 1
NIST 800-171 3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the organizational systems. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) Derived Security - Access United States 1
NIST 800-171 3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Derived Security - Access United States 1
NIST 800-171 MA-1 System maintenance policy and procedures NFO United States 1
NIST 800-171 MA-4(2) Non-local maintenance - document non-local maintenance Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff); - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources); - User administration logs (e.g., addition/removal of users, changes to accounts, password changes); - System logs (e.g., system shutdown/restarts, application crashes and error messages); and - The unique identifier of the user who performed the activity being logged? NFO Security - Logging United States 1
NIST 800-171 3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Basic Security - Technical United States Y 1
NIST 800-171 3.8.2 Limit access to CUI on information system media to authorized users. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Basic Security - Technical United States Y 1
NIST 800-171 3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse. Does your organisation have a documented and implemented IT asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure, etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department and approval for connecting to the organisation's network; for software, the publisher, installation date, business purpose, URI, deployment mechanism and decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data, or secure destruction/shredding); - A register of all baseline configurations associated with components, updated in line with the organisation's system hardening process, with each component tracked only once; - Documentation of the security and privacy impacts of asset changes; and - Removal, denial of access or quarantining of any identified unauthorised assets on a regular basis? Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.8.4 Mark media with necessary CUI markings and distribution limitations. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States Y 1
NIST 800-171 3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.7 Control the use of removable media on system components. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 3.8.9 Protect the confidentiality of backup CUI at storage locations. Derived United States 1
NIST 800-171 MP-1 Media protection policy and procedures Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers [NIST 800-171 3.1.20], portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? NFO Security - Technical United States 1
NIST 800-171 3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI. Do all vendor staff, external contractors and associates who have access to user data or user content undergo employment screening (e.g., criminal history checks, working with children checks) as per applicable regulatory requirements? Basic Security - HR United States Y 1
NIST 800-171 3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity; and - Provided appropriate security notices when they access the system? Basic Security - Access United States Y 1
NIST 800-171 PS-1 Personnel security policy and procedures NFO United States 1
NIST 800-171 PS-6 Access agreements NFO United States 1
NIST 800-171 PS-7 Third-party / external personnel security NFO United States 1
NIST 800-171 PS-8 Personnel sanctions NFO United States 1
NIST 800-171 3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? Basic Security - Hosting and Location United States Y 1
NIST 800-171 3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? Basic Security - Hosting and Location United States Y 1
NIST 800-171 3.10.3 Escort visitors and monitor visitor activity. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? Derived Security - Hosting and Location United States 1
NIST 800-171 3.10.4 Maintain audit logs of physical access. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? Derived Security - Hosting and Location United States 1
NIST 800-171 3.10.5 Control and manage physical access devices. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? Derived Security - Hosting and Location United States 1
NIST 800-171 3.10.6 Enforce safeguarding measures for CUI at alternate work sites. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? Derived Security - Technical United States 1
NIST 800-171 PE-1 Physical and environmental protection policy and procedures NFO United States 1
NIST 800-171 PE-6(1) Monitoring physical access - intrusion alarms / surveillance equipment At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? NFO Security - Hosting and Location United States 1
NIST 800-171 PE-8 Visitor access records At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? NFO Security - Hosting and Location United States 1
NIST 800-171 PE-16 Delivery and removal At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? NFO Security - Hosting and Location United States 1
NIST 800-171 3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks, with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable); and o Residual risk ratings after implementing mitigation actions; - Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis; and - Regular review of the framework, including in response to security incidents? Basic Security - Plans and Quality United States Y 1
NIST 800-171 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? Derived Security - Processes and Testing United States Y 1
NIST 800-171 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? Derived Security - Processes and Testing United States Y 1
NIST 800-171 RA-1 Risk assessment policy and procedures NFO United States 1
NIST 800-171 RA-5(1) Vulnerability scanning - tool update capability NFO United States 1
NIST 800-171 RA-5(2) Vulnerability scanning - update by frequency / prior to new scan / when identified NFO United States 1
NIST 800-171 3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Which compliance certifications or assessments are undertaken by independent assessors? Basic Security - Compliance Controls United States Y 1
NIST 800-171 3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for; - which events are logged; - policies relating to incident response, including a roadmap for an incident response capability if not already implemented; - personnel security; - physical and environmental protections; - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitoring? Is the policy reviewed regularly and in response to security incidents? Basic Security - Plans and Quality United States 1
NIST 800-171 CA-1 Security assessment and authorization policies and procedures NFO United States 1
NIST 800-171 CA-2(1) Security assessments / independent assessors NFO United States 1
NIST 800-171 CA-3 System interconnections NFO United States 1
NIST 800-171 CA-3(5) System interconnections / restrictions on external system connections NFO United States 1
NIST 800-171 CA-7 Continuous monitoring NFO United States 1
NIST 800-171 CA-7(1) Continuous monitoring / independent assessment NFO United States 1
NIST 800-171 CA-9 Internal system connections NFO United States 1
NIST 800-171 PL-1 Security planning policy and procedures NFO United States 1
NIST 800-171 PL-2(3) System security plan - plan / coordinate with other organizational entities NFO United States 1
NIST 800-171 PL-4 Rules of behaviour NFO United States 1
NIST 800-171 PL-4(1) Rules of behaviour - social media and networking restrictions NFO United States 1
NIST 800-171 PL-8 Information security architecture NFO United States 1
NIST 800-171 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Within the organisation, for internal systems and components (e.g. databases, internal user networks) that routinely deal with sensitive data or are widely accessed, is there a separation between internet facing components and other online components? Basic Security - Technical United States Y 1
NIST 800-171 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Does the service's application development have the following characteristics:
  • Environments are separated into at least development, testing and production environments;
  • Development and modification of software only takes place in development environments;
  • Unauthorised access to the authoritative software source is prevented;
  • Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organisation's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development);
  • Applies the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) for all software development activities;
  • Privacy-by-design principles;
  • Threat modelling is used in support of application development; and
  • Alignment to a security and privacy architecture that has been drawn up for the system?
Basic Security - Plans and Quality United States 1
NIST 800-171 3.13.3 Separate user functionality from information system management functionality. Is privileged system management segregated from user functionality? (e.g. through different computers, different operating systems, use of VPNs) Derived Security - Access United States 1
NIST 800-171 3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. What are the minimum encryption algorithms applied to protect data at rest, including backups, data storage and auditable logs? Derived Security - Technical United States 1
NIST 800-171 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Within the organisation, for internal systems and components (e.g. databases, internal user networks) that routinely deal with sensitive data or are widely accessed, is there a separation between internet facing components and other online components? Derived Security - Technical United States 1
NIST 800-171 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Does your organisation have a documented and implemented system hardening process which: • includes in scope operating systems, virtualisation platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); • includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; • ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); • is reviewed annually and when significant changes occur, including when system components are installed or upgraded; • results in security configurations being established and enforced for organisation systems; and • ensures only required and authorised software is installed and used? Derived Security - Technical United States Y 1
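Deny all, permit by exception only holds up when every permitted port traces back to an inventory entry with a named owner; otherwise the "exceptions" accumulate with nobody able to say why they exist. The Python below is an added illustration of that linkage, not GESS or NIST material: it renders an nftables input chain whose policy is drop from a constructed service inventory, decides sample inbound flows the way that chain would, and lists listening ports that have no inventory entry. The inventory, addresses and owner names are made up for the example; on a real host the listener list would come from `ss -lntu`.

```python
"""Default-deny ingress policy driven by a service inventory (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str          # "tcp" or "udp"
    port: int
    allowed_from: str   # CIDR of permitted sources; "0.0.0.0/0" for public
    owner: str          # accountable team: every exception has a named owner


# Constructed inventory standing in for the "listing of all functions, ports and
# services in use" that the hardening process is meant to maintain.
INVENTORY: List[Service] = [
    Service("https", "tcp", 443, "0.0.0.0/0", "web-platform"),
    Service("ssh-bastion", "tcp", 22, "10.10.0.0/24", "infra"),
    Service("postgres", "tcp", 5432, "10.20.0.0/24", "data"),
]


def render_nftables(inventory: Iterable[Service]) -> str:
    """Render an nftables input chain: policy drop, one explicit accept per
    inventory entry, nothing else. The rule comment ties each hole to its owner."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for svc in sorted(inventory, key=lambda s: (s.proto, s.port)):
        src = "" if svc.allowed_from == "0.0.0.0/0" else f"ip saddr {svc.allowed_from} "
        lines.append(
            f'    {src}{svc.proto} dport {svc.port} accept '
            f'comment "{svc.name} owner={svc.owner}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def evaluate(inventory: Iterable[Service], src: str, proto: str, port: int) -> Tuple[str, str]:
    """Decide a new inbound flow the way the rendered chain would: the first
    matching accept wins; with no match the chain policy (drop) applies."""
    addr = ip_address(src)
    for svc in inventory:
        if svc.proto == proto and svc.port == port and addr in ip_network(svc.allowed_from):
            return "accept", svc.name
    return "drop", "policy"


def unowned_listeners(inventory: Iterable[Service],
                      listeners: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listening sockets with no inventory entry: an open port nobody owns is
    exactly what the annual hardening review is meant to surface."""
    known = {(s.proto, s.port) for s in inventory}
    return sorted(set(listeners) - known)


if __name__ == "__main__":
    print(render_nftables(INVENTORY))
    print(evaluate(INVENTORY, "203.0.113.5", "tcp", 443))   # public HTTPS: accept
    print(evaluate(INVENTORY, "203.0.113.5", "tcp", 22))    # SSH from the internet: drop
    # Constructed listener list; two ports are running that nobody registered.
    print(unowned_listeners(INVENTORY, [("tcp", 443), ("tcp", 22), ("tcp", 8080), ("udp", 161)]))
```

The evaluator and the rendered ruleset share one source of truth, so a flow that the evaluator drops is one the firewall drops; the review step is then a diff between what is listening and what is in the inventory, rather than a reading of the firewall rules after the fact.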
NIST 800-171 3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). Derived United States 1
NIST 800-171 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Derived Security - Technical United States 1
NIST 800-171 3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets are configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organisation's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and • Periodic scan of organisational file storage and real-time scans of files from external sources? Derived Security - Technical United States 1
NIST 800-171 3.13.10 Establish and manage cryptographic keys for cryptography employed in the organizational systems. Does your organisation have a documented and implemented key management process which describes at a minimum: • Key generation; • Key registration; • Key storage; • Key distribution and installation; • Key use; • Key rotation; • Key backup; • Key recovery; • Key revocation; • Key suspension; and • Key destruction? Derived Security - Technical United States 1
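The lifecycle list above is only auditable if every key carries an identifier and a state, so that a tag or ciphertext can be traced to the key that produced it and refused once that key is revoked. The Python below is an added illustration of that bookkeeping, not GESS or NIST code: a small registry that generates and registers keys, rotates them (the previous key is retired and still verifies but never signs again), revokes and destroys them, and enforces those states at use time. HMAC-SHA256 from the standard library stands in for whatever algorithm the service actually uses; the record IDs, rotation period and sample data are made up for the example, and whether the underlying module is FIPS-validated (3.13.11) is a deployment question the code does not answer.

```python
"""Key lifecycle registry: generate, register, use, rotate, revoke, destroy (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class KeyRecord:
    key_id: str
    material: Optional[bytes]   # None once destroyed; the record stays for audit
    created: datetime
    expires: datetime
    state: str = "active"       # active -> retired -> revoked / destroyed


class KeyRegistry:
    """Tracks every key by ID so tags verify after rotation and fail after revocation."""

    def __init__(self, rotation_period: timedelta = timedelta(days=90)):
        self.rotation_period = rotation_period
        self.keys: Dict[str, KeyRecord] = {}
        self.current_id: Optional[str] = None

    def generate(self, now: datetime) -> str:
        # Generation + registration: 256-bit key from the OS CSPRNG, named by a
        # random ID so the material itself never has to appear in logs or tags.
        key_id = secrets.token_hex(8)
        self.keys[key_id] = KeyRecord(key_id, secrets.token_bytes(32), now,
                                      now + self.rotation_period)
        return key_id

    def rotate(self, now: datetime) -> str:
        # Rotation: the old key is retired (verifies, never signs again) and the
        # new key becomes the only one used for new tags.
        if self.current_id is not None:
            self.keys[self.current_id].state = "retired"
        self.current_id = self.generate(now)
        return self.current_id

    def revoke(self, key_id: str) -> None:
        self.keys[key_id].state = "revoked"
        if self.current_id == key_id:
            self.current_id = None

    def destroy(self, key_id: str) -> None:
        # Destruction discards the material; the ID and history remain.
        rec = self.keys[key_id]
        rec.material = None
        rec.state = "destroyed"

    def sign(self, data: bytes, now: datetime) -> str:
        # Use: only the current, active, unexpired key may produce tags.
        if self.current_id is None:
            raise RuntimeError("no active key; rotate first")
        rec = self.keys[self.current_id]
        if rec.state != "active" or now >= rec.expires:
            raise RuntimeError("current key is not usable; rotate first")
        tag = hmac.new(rec.material, data, hashlib.sha256).hexdigest()
        return f"{rec.key_id}:{tag}"

    def verify(self, data: bytes, tagged: str) -> bool:
        # Verification honours the lifecycle: active and retired keys verify;
        # revoked, destroyed and unknown key IDs never do.
        key_id, _, tag = tagged.partition(":")
        rec = self.keys.get(key_id)
        if rec is None or rec.state not in ("active", "retired"):
            return False
        expected = hmac.new(rec.material, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def demo() -> Dict[str, object]:
    """Walks one rotation cycle on constructed data and returns the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = KeyRegistry()
    k1 = reg.rotate(t0)
    old_tag = reg.sign(b"student-record-42", t0)
    k2 = reg.rotate(t0 + timedelta(days=30))
    new_tag = reg.sign(b"student-record-42", t0 + timedelta(days=31))
    results = {
        "old_tag_after_rotation": reg.verify(b"student-record-42", old_tag),
        "new_tag": reg.verify(b"student-record-42", new_tag),
    }
    reg.revoke(k1)
    results["old_tag_after_revocation"] = reg.verify(b"student-record-42", old_tag)
    reg.destroy(k1)
    results["tampered_data"] = reg.verify(b"student-record-43", new_tag)
    results["keys_known"] = len(reg.keys)
    results["current_is_k2"] = reg.current_id == k2
    return results


if __name__ == "__main__":
    print(demo())
```

Backup and recovery are the two lifecycle steps deliberately not modelled here: they depend on where the material lives (HSM, cloud KMS, sealed file), and a registry like this one is normally the metadata layer in front of that store rather than the store itself.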
NIST 800-171 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Derived Security - Technical United States 1
NIST 800-171 3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. In relation to the chat/instant messaging functionality available within the service, select all that apply. Derived Privacy - Functionality United States 1
NIST 800-171 3.13.13 Control and monitor the use of mobile code. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Derived Security - Access United States 1
NIST 800-171 3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. In relation to the chat/instant messaging functionality available within the service, select all that apply. Derived Privacy - Functionality United States 1
NIST 800-171 3.13.15 Protect the authenticity of communications sessions. Are all of the service's web servers secured with digital certificates signed by a reputable trusted authority? Derived Security - Technical United States 1
NIST 800-171 3.13.16 Protect the confidentiality of CUI at rest. Derived United States Y 1
NIST 800-171 SA-1 System and services acquisition policy and procedures NFO United States 1
NIST 800-171 SA-2 Allocation of resources NFO United States 1
NIST 800-171 SA-3 System Development Life Cycle NFO United States 1
NIST 800-171 SA-4 Acquisition process NFO United States 1
NIST 800-171 SA-4(1) Acquisition process - functional properties of security controls NFO United States 1
NIST 800-171 SA-4(2) Acquisition process - design / implementation information for security controls NFO United States 1
NIST 800-171 SA-4(9) Acquisition process - functions / ports / protocols / services in use NFO United States 1
NIST 800-171 SA-4(10) Acquisition process - use of approved Personal Identity Verification (PIV) products NFO United States 1
NIST 800-171 SA-5 System documentation NFO United States 1
NIST 800-171 SA-9 External system services NFO United States 1
NIST 800-171 SA-9(2) External systems - identification of functions / ports / protocols / services NFO United States 1
NIST 800-171 SA-10 Developer configuration management NFO United States 1
NIST 800-171 SA-11 Developer security testing and evaluation NFO United States 1
NIST 800-171 SC-1 System and communications protection policy and procedures NFO United States 1
NIST 800-171 SC-7(3) Boundary protection - access points NFO United States 1
NIST 800-171 SC-7(4) Boundary protection - external telecommunications services NFO United States 1
NIST 800-171 SC-20 Secure name/address resolution service (authoritative source) NFO United States 1
NIST 800-171 SC-21 Secure name/address resolution service (recursive or caching resolver) NFO United States 1
NIST 800-171 SC-22 Architecture and provisioning for name/address resolution service NFO United States 1
NIST 800-171 SC-39 Process isolation NFO United States 1
NIST 800-171 3.14.1 Identify, report, and correct system flaws in a timely manner. Are patches, updates or vendor mitigations for security vulnerabilities in other applications applied within one month of release? Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.14.2 Provide protection from malicious code at designated locations within organizational systems. At a minimum, are the following features built into the file upload functionality available within the service? - All files are scanned for Malware/Viruses during upload - All files are scanned for Malware/Viruses while at rest - All files found to contain Malware/Viruses are quarantined or deleted Basic Privacy - Functionality United States 1
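The three features above are one pipeline: scan before the file ever lands in the tree the application serves, rescan what is already stored whenever signatures change, and move anything detected somewhere it cannot be served or executed. The Python below is an added illustration of that pipeline, not GESS or NIST code and not any product's implementation. A signature matcher stands in for the AV engine (a real deployment would call clamd or a vendor API at the same two points) and the only "malware" it knows is the industry-standard harmless EICAR test string plus a constructed marker; file names, contents and the temporary directory layout are made up for the example.

```python
"""File-upload pipeline: scan on upload, rescan at rest, quarantine (added example)."""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, List, Optional

# The harmless EICAR test string that every AV engine recognises, assembled from
# two pieces so this source file itself is not flagged on disk.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

Scanner = Callable[[bytes], Optional[str]]


def signature_scanner(signatures: Dict[str, bytes]) -> Scanner:
    """Stand-in for an AV engine: returns the name of the first signature found,
    or None. A real deployment calls clamd or a vendor API here instead."""
    def scan(data: bytes) -> Optional[str]:
        for name, pattern in signatures.items():
            if pattern in data:
                return name
        return None
    return scan


@dataclass
class UploadStore:
    root: Path
    scanner: Scanner
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.incoming = self.root / "incoming"      # staging; never served
        self.clean = self.root / "clean"            # the only tree the app serves
        self.quarantine = self.root / "quarantine"  # detected files, read-only
        for d in (self.incoming, self.clean, self.quarantine):
            d.mkdir(parents=True, exist_ok=True)

    def upload(self, name: str, data: bytes) -> str:
        """Scan during upload: the file reaches the serving tree only if clean."""
        digest = hashlib.sha256(data).hexdigest()
        staged = self.incoming / digest
        staged.write_bytes(data)
        verdict = self.scanner(data)
        if verdict:
            self._quarantine(staged, name, verdict)
            return "quarantined"
        staged.replace(self.clean / digest)
        self.log.append(f"accepted name={name} sha256={digest}")
        return "accepted"

    def rescan(self) -> Dict[str, int]:
        """Scan at rest: a file accepted before a signature update may be
        detectable now, so the serving tree is re-checked with the current scanner."""
        counts = {"clean": 0, "quarantined": 0}
        for path in list(self.clean.iterdir()):
            verdict = self.scanner(path.read_bytes())
            if verdict:
                self._quarantine(path, path.name, verdict)
                counts["quarantined"] += 1
            else:
                counts["clean"] += 1
        return counts

    def _quarantine(self, path: Path, name: str, verdict: str) -> None:
        """Move out of every served tree, make read-only, and log the verdict
        with the hash so the file can be traced without being opened."""
        dest = self.quarantine / path.name
        path.replace(dest)
        dest.chmod(0o400)
        self.log.append(f"quarantined name={name} verdict={verdict} sha256={path.name}")


def demo() -> Dict[str, object]:
    """Runs one upload cycle and one signature update on constructed files."""
    store = UploadStore(Path(tempfile.mkdtemp()), signature_scanner({"EICAR-Test-File": EICAR}))
    first = {
        "report.pdf": store.upload("report.pdf", b"%PDF-1.4 constructed clean content"),
        "eicar.com": store.upload("eicar.com", EICAR),
        "tool.exe": store.upload("tool.exe", b"MZ CONSTRUCTED-SAMPLE-NOT-YET-KNOWN"),
    }
    # Signature update: the scanner now recognises the constructed sample too.
    store.scanner = signature_scanner({
        "EICAR-Test-File": EICAR,
        "Constructed.Sample": b"CONSTRUCTED-SAMPLE-NOT-YET-KNOWN",
    })
    return {
        "first_pass": first,
        "rescan": store.rescan(),
        "quarantined_files": len(list(store.quarantine.iterdir())),
        "served_files": len(list(store.clean.iterdir())),
    }


if __name__ == "__main__":
    print(demo())
```

Naming stored files by content hash rather than by the uploaded name keeps the quarantine log useful and defuses path tricks in user-supplied names; the uploaded name is kept only in the log entry.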
NIST 800-171 3.14.3 Monitor system security alerts and advisories and take actions in response. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? Basic Security - Processes and Testing United States Y 1
NIST 800-171 3.14.4 Update malicious code protection mechanisms when new releases are available. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? Derived Security - Processes and Testing United States Y 1
NIST 800-171 3.14.6 Monitor organizational systems including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones • Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation • Periodic scans of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 3.14.7 Identify unauthorized use of organizational systems. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones • Fault tolerance on name/address resolution services such as DNS, including secondary servers and internal/external server separation • Periodic scans of organisational file storage and real-time scans of files from external sources Derived Security - Technical United States 1
NIST 800-171 SI-1 System and information integrity policy and procedures NFO United States 1
NIST 800-171 SI-4(5) System monitoring - system-generated alerts NFO United States 1
NIST 800-171 SI-16 Memory protection NFO United States 1
AUISM G1 A Chief Information Security Officer provides leadership and oversight of cyber security. Australia
AUISM G2 The identity and value of systems, applications and data is determined and documented. Australia
AUISM G3 The confidentiality, integrity and availability requirements for systems, applications and data are determined and documented. Australia
AUISM G4 Security risk management processes are embedded into organisational risk management frameworks. Australia
AUISM G5 Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life. Australia
AUISM P1 Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements. Australia
AUISM P2 Systems and applications are delivered and supported by trusted suppliers. Australia
AUISM P3 Systems and applications are configured to reduce their attack surface. Australia
AUISM P4 Systems and applications are administered in a secure and accountable manner. Australia
AUISM P5 Security vulnerabilities in systems and applications are identified and mitigated in a timely manner. Australia
AUISM P6 Only trusted and supported operating systems, applications and computer code can execute on systems. Australia
AUISM P7 Data is encrypted at rest and in transit between different systems. Australia
AUISM P8 Data communicated between different systems is controlled and inspectable. Australia
AUISM P9 Data, applications and configuration settings are backed up in a secure and proven manner on a regular basis. Australia
AUISM P10 Only trusted and vetted personnel are granted access to systems, applications and data repositories. Australia
AUISM P11 Personnel are granted the minimum access to systems, applications and data repositories required for their duties. Australia
AUISM P12 Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories. Australia
AUISM P13 Personnel are provided with ongoing cyber security awareness training. Australia
AUISM P14 Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel. Australia
AUISM D1 Event logs are collected and analysed in a timely manner to detect cyber security events. Australia
AUISM D2 Cyber security events are analysed in a timely manner to identify cyber security incidents. Australia
AUISM R1 Cyber security incidents are reported both internally and externally to relevant bodies in a timely manner. Australia
AUISM R2 Cyber security incidents are contained, eradicated and recovered from in a timely manner. Australia
AUISM R3 Business continuity and disaster recovery plans are enacted when required. Australia
AUISM 714 A CISO is appointed to provide cyber security leadership and guidance for their organisation. Is there a nominated role within the organisation responsible for information security (i.e., CIO, CTO, CISO)? Security - Governance Australia
AUISM 1478 The CISO oversees their organisation's cyber security program and ensures their organisation's compliance with cyber security policy, standards, regulations and legislation. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Security - Plans and Quality Australia Y
AUISM 1617 The CISO regularly reviews and updates their organisation's cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities. Australia
AUISM 724 The CISO implements cyber security measurement metrics and key performance indicators for their organisation. Australia
AUISM 725 The CISO coordinates cyber security and business alignment through a cyber security steering committee or advisory board, comprising of key cyber security and business executives, which meets formally and on a regular basis. Australia
AUISM 726 The CISO coordinates security risk management activities between cyber security and business teams. Australia
AUISM 718 The CISO reports directly to their organisation's senior executive or Board on cyber security matters. Australia
AUISM 733 The CISO is fully aware of all cyber security incidents within their organisation. Australia
AUISM 1618 The CISO oversees their organisation's response to cyber security incidents. Australia
AUISM 734 The CISO contributes to the development and maintenance of business continuity and disaster recovery plans for their organisation to ensure that business-critical services are supported appropriately in the event of a disaster. Australia
AUISM 720 The CISO develops, implements and maintains a cyber security communications strategy for their organisation. Australia
AUISM 731 The CISO oversees cyber supply chain risk management activities for their organisation. Australia
AUISM 732 The CISO receives and manages a dedicated cyber security budget for their organisation. Australia
AUISM 717 The CISO oversees the management of cyber security personnel within their organisation. Australia
AUISM 735 The CISO oversees the development, implementation and maintenance of their organisation's cyber security awareness training program. Australia
AUISM 1071 Each system has a designated system owner. Australia
AUISM 1525 System owners register each system with its authorising officer. Australia
AUISM 1633 System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised. Australia
AUISM 1634 System owners select controls for each system and tailor them to achieve desired security objectives. Australia
AUISM 1635 System owners implement controls for each system and its operating environment. Australia
AUISM 1636 System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable); and o Residual risk ratings after implementing mitigation actions; - Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis; - The framework is to be reviewed regularly and in response to security incidents? Security - Plans and Quality Australia Y
AUISM 27 System owners obtain authorisation to operate each system from its authorising officer based on the acceptance of the security risks associated with its operation. Australia
AUISM 1526 System owners monitor each system, and associated cyber threats, security risks and controls, on an ongoing basis. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable); and o Residual risk ratings after implementing mitigation actions; - Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis; - The framework is to be reviewed regularly and in response to security incidents? Security - Plans and Quality Australia Y
AUISM 1587 System owners report the security status of each system to its authorising officer at least annually. Australia
AUISM 576 An incident management policy, and associated incident response plan, is developed, implemented and maintained. Australia
AUISM 1784 The incident management policy, including the associated incident response plan, is exercised at least annually. Australia
AUISM 125 A cyber security incident register is developed, implemented and maintained. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? Security - Processes and Testing Australia Y
AUISM 1803 A cyber security incident register contains the following for each cyber security incident: • the date the cyber security incident occurred; • the date the cyber security incident was discovered; • a description of the cyber security incident; • any actions taken in response to the cyber security incident; • to whom the cyber security incident was reported. Australia
AUISM 1625 A trusted insider program is developed, implemented and maintained. Australia
AUISM 1626 Legal advice is sought regarding the development and implementation of a trusted insider program. Australia
AUISM 120 Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise. Australia
AUISM 133 When a data spill occurs, data owners are advised and access to the data is restricted. Australia
AUISM 917 When malicious code is detected, the following steps are taken to handle the infection: • the infected systems are isolated; • all previously connected media used in the period leading up to the infection are scanned for signs of infection and isolated if necessary; • antivirus software is used to remove the infection from infected systems and media; • if the infection cannot be reliably removed, systems are restored from a known good backup or rebuilt. Australia
AUISM 137 Legal advice is sought before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. Australia
AUISM 1609 System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. Australia
AUISM 1731 Planning and coordination of intrusion remediation activities are conducted on a separate system to that which has been compromised. Australia
AUISM 1732 To the extent possible, all intrusion remediation activities are conducted in a coordinated manner during the same planned outage. Australia
AUISM 1213 Following intrusion remediation activities, full network traffic is captured for at least seven days and analysed to determine whether the adversary has been successfully removed from the system. Australia
AUISM 138 The integrity of evidence gathered during an investigation is maintained by investigators: • recording all of their actions; • creating checksums for all evidence; • copying evidence onto media for archiving; • maintaining a proper chain of custody. Australia
AUISM 123 Cyber security incidents are reported to an organisation's Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after this is discovered and given all relevant details? Security - Processes and Testing Australia Y
AUISM 140 Cyber security incidents are reported to the ACSC. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after this is discovered and given all relevant details? Security - Processes and Testing Australia Y
AUISM 1631 Suppliers of applications, ICT equipment and services associated with systems are identified. Australia
AUISM 1452 A supply chain risk assessment is performed for suppliers of applications, ICT equipment and services in order to assess the impact to a system's security risk profile. Select the option which best describes where user data or any related data (e.g., metadata, logs, user content) is stored or processed across all components of the service, including live solution, backup, disaster recovery, test environment, and development environments. Security - Hosting and Location Australia Y
AUISM 1567 Suppliers identified as high risk by a cyber supply chain risk assessment are not used. Australia
AUISM 1568 Applications, ICT equipment and services are chosen from suppliers that have made a commitment to the security of their products and services. Australia
AUISM 1632 Applications, ICT equipment and services are chosen from suppliers that have a strong track record of transparency and maintaining the security of their own systems and cyber supply chains. Australia
AUISM 1569 A shared responsibility model is created, documented and shared between suppliers and their customers in order to articulate the security responsibilities of each party. Australia
AUISM 1785 A supplier relationship management policy is developed, implemented and maintained. Australia
AUISM 1786 An approved supplier list is developed, implemented and maintained. Australia
AUISM 1787 Applications, ICT equipment and services are sourced from approved suppliers. Australia
AUISM 1788 Multiple potential suppliers are identified for sourcing critical applications, ICT equipment and services. Australia
AUISM 1789 Sufficient spares of critical ICT equipment are sourced and kept in reserve. Australia
AUISM 1790 Applications, ICT equipment and services are delivered in a manner that maintains their integrity. Australia
AUISM 1791 The integrity of applications, ICT equipment and services are assessed as part of acceptance of products and services. Australia
AUISM 1792 The authenticity of applications, ICT equipment and services are assessed as part of acceptance of products and services. Australia
AUISM 1736 A managed service register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1737 A managed service register contains the following for each managed service: • managed service provider's name; • managed service's name; • purpose for using the managed service; • sensitivity or classification of data involved; • due date for the next security assessment of the managed service; • contractual arrangements for the managed service; • point of contact for users of the managed service; • 24/7 contact details for the managed service provider. Australia
AUISM 1793 Managed service providers and their managed services undergo a security assessment by an IRAP assessor at least every 24 months. Australia
AUISM 1637 An outsourced cloud service register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1638 An outsourced cloud service register contains the following for each outsourced cloud service: • cloud service provider's name; • cloud service's name; • purpose for using the cloud service; • sensitivity or classification of data involved; • due date for the next security assessment of the cloud service; • contractual arrangements for the cloud service; • point of contact for users of the cloud service; • 24/7 contact details for the cloud service provider. Australia
AUISM 1529 Only community or private clouds are used for outsourced SECRET and TOP SECRET cloud services. Australia
AUISM 1570 Outsourced cloud service providers and their cloud services undergo a security assessment by an IRAP assessor at least every 24 months. If the service includes outsourced cloud-based services, are those cloud-based services IRAP assessed? See https://www.cyber.gov.au/irap for information about IRAP assessment. Security - Hosting and Location Australia Y
AUISM 1395 Service providers, including any subcontractors, provide an appropriate level of protection for any data entrusted to them or their services. Australia
AUISM 72 Security requirements associated with the confidentiality, integrity and availability of data are documented in contractual arrangements with service providers and reviewed on a regular and ongoing basis to ensure they remain fit for purpose. Australia
AUISM 1571 The right to verify compliance with security requirements is documented in contractual arrangements with service providers. Australia
AUISM 1738 The right to verify compliance with security requirements documented in contractual arrangements with service providers is exercised on a regular and ongoing basis. Australia
AUISM 1804 Break clauses associated with failure to meet security requirements are documented in contractual arrangements with service providers. Australia
AUISM 141 The requirement for service providers to report cyber security incidents to a designated point of contact as soon as possible after they occur or are discovered is documented in contractual arrangements with service providers. When a data loss/corruption event occurs, are affected customers and/or organisations notified as soon as possible after this is discovered and given all relevant details? Security - Processes and Testing Australia Y
AUISM 1794 A minimum notification period of one month by service providers for significant changes to their own service provider arrangements is documented in contractual arrangements with service providers. Australia
AUISM 1451 Types of data and its ownership is documented in contractual arrangements with service providers. Australia
AUISM 1572 The regions or availability zones where data will be processed, stored and communicated is documented in contractual arrangements with service providers. Australia
AUISM 1573 Access to all logs relating to an organisation's data and services is documented in contractual arrangements with service providers. Australia
AUISM 1574 The storage of data in a portable manner that allows for backups, service migration and service decommissioning without any loss of data is documented in contractual arrangements with service providers. Australia
AUISM 1575 A minimum notification period of one month for the cessation of any services by a service provider is documented in contractual arrangements with service providers. Australia
AUISM 1073 An organisation's systems and data are not accessed or administered by a service provider unless a contractual arrangement exists between the organisation and the service provider to do so. Australia
AUISM 1576 If an organisation's systems or data are accessed or administered by a service provider in an unauthorised manner, the organisation is immediately notified. Australia
AUISM 39 A cyber security strategy is developed, implemented and maintained. Australia
AUISM 47 Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system's authorising officer. Australia
AUISM 1739 A systemís security architecture is approved prior to the development of the system. Australia
AUISM 888 Security documentation is reviewed at least annually and includes a 'current as at [date]' or equivalent statement. Australia
AUISM 1602 Security documentation, including notification of subsequent changes, is communicated to all stakeholders. Australia
AUISM 41 Systems have a system security plan that includes a description of the system and an annex that covers both applicable controls from this document and any additional controls that have been identified. Australia
AUISM 43 Systems have an incident response plan that covers the following: • guidelines on what constitutes a cyber security incident; • the types of cyber security incidents likely to be encountered and the expected response to each type; • how to report cyber security incidents, internally to an organisation and externally to relevant authorities; • other parties which need to be informed in the event of a cyber security incident; • the authority, or authorities, responsible for investigating and responding to cyber security incidents; • the criteria by which an investigation of a cyber security incident would be requested from a law enforcement agency, the Australian Cyber Security Centre or other relevant authority; • the steps necessary to ensure the integrity of evidence relating to a cyber security incident; • system contingency measures or a reference to such details if they are located in a separate document. Australia
AUISM 1163 Systems have a continuous monitoring plan that includes: • conducting vulnerability scans for systems at least monthly; • conducting vulnerability assessments or penetration tests for systems at least annually; • analysing identified security vulnerabilities to determine their potential impact; • using a risk-based approach to prioritise the implementation of mitigations based on effectiveness and cost. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned - monitoring of compliance by third party providers - a listing of all functions, ports and services in use - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures - reviewing and updating the plan annually or when significant changes occur Security - Processes and Testing Australia
AUISM 1563 At the conclusion of a security assessment for a system, a security assessment report is produced by the assessor and covers: • the scope of the security assessment; • the system's strengths and weaknesses; • security risks associated with the operation of the system; • the effectiveness of the implementation of controls; • any recommended remediation actions. Australia
AUISM 1564 At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner. Australia
AUISM 810 Systems are secured in facilities that meet the requirements for a security zone suitable for their sensitivity or classification. Australia
AUISM 1053 Servers, network devices and cryptographic equipment are secured in server rooms or communications rooms that meet the requirements for a security zone suitable for their sensitivity or classification. Australia
AUISM 1530 Servers, network devices and cryptographic equipment are secured in security containers or secure rooms suitable for their sensitivity or classification taking into account the combination of security zones they reside in. Australia
AUISM 813 Server rooms, communications rooms, security containers and secure rooms are not left in unsecured states. Australia
AUISM 1074 Keys or equivalent access mechanisms to server rooms, communications rooms, security containers and secure rooms are appropriately controlled. Australia
AUISM 1296 Physical security is implemented to protect network devices in public areas from physical damage or unauthorised access. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components Security - Hosting and Location Australia Y
AUISM 1543 An authorised RF and IR device register for SECRET and TOP SECRET areas is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 225 Unauthorised RF and IR devices are not brought into SECRET and TOP SECRET areas. Australia
AUISM 829 Security measures are used to detect and respond to unauthorised RF devices in SECRET and TOP SECRET areas. Australia
AUISM 164 Unauthorised people are prevented from observing systems, in particular workstation displays and keyboards, within facilities. Australia
AUISM 161 ICT equipment and media are secured when not in use. Australia
AUISM 252 Cyber security awareness training is undertaken annually by all personnel and covers: • the purpose of the cyber security awareness training; • security appointments and contacts; • authorised use of systems and their resources; • protection of systems and their resources; • reporting of cyber security incidents and suspected compromises of systems and their resources. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. Security - HR Australia Y
AUISM 1565 Tailored privileged user training is undertaken annually by all privileged users. Australia
AUISM 1740 Personnel dealing with banking details and payment requests are advised of what business email compromise is, how to manage such situations and how to report it. Australia
AUISM 817 Personnel are advised of what suspicious contact via online services is and how to report it. Australia
AUISM 820 Personnel are advised to not post work information to unauthorised online services and to report cases where such information is posted. Australia
AUISM 1146 Personnel are advised to maintain separate work and personal accounts for online services. Australia
AUISM 821 Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information. Australia
AUISM 824 Personnel are advised not to send or receive files via unauthorised online services. Australia
AUISM 432 Access requirements for a system and its resources are documented in its system security plan. Australia
AUISM 434 Personnel undergo appropriate employment screening and, where necessary, hold an appropriate security clearance before being granted access to a system and its resources. Do all vendor staff, external contractors and associates who have access to user data or user content undergo employment screening (e.g., criminal history checks, working with children checks) as per applicable regulatory requirements? Security - HR Australia Y
AUISM 435 Personnel receive any necessary briefings before being granted access to a system and its resources. Australia
AUISM 414 Personnel granted access to a system and its resources are uniquely identifiable. Are all users (including administrators, system accounts, and devices) uniquely identifiable within the service (i.e., via unique usernames and passwords)? Security - Access Australia
AUISM 415 The use of shared user accounts is strictly controlled, and personnel using such accounts are uniquely identifiable. Australia
AUISM 1583 Personnel who are contractors are identified as such. Australia
AUISM 420 Where a system processes, stores or communicates AUSTEO, AGAO or REL data, personnel who are foreign nationals are identified as such, including by their specific nationality. Australia
AUISM 405 Requests for unprivileged access to systems, applications and data repositories are validated when first requested. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; and - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity? - Provided appropriate security notices when they access the system Security - Access Australia
AUISM 1566 Use of unprivileged access is logged. Australia
AUISM 1714 Unprivileged access event logs are stored centrally. Australia
AUISM 409 Foreign nationals, including seconded foreign nationals, do not have access to systems that process, store or communicate AUSTEO or REL data unless effective controls are in place to ensure such data is not accessible to them. Australia
AUISM 411 Foreign nationals, excluding seconded foreign nationals, do not have access to systems that process, store or communicate AGAO data unless effective controls are in place to ensure such data is not accessible to them. Australia
AUISM 1507 Requests for privileged access to systems and applications are validated when first requested. Australia
AUISM 1733 Requests for privileged access to data repositories are validated when first requested. Australia
AUISM 1508 Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties. Australia
AUISM 1175 Privileged user accounts are prevented from accessing the internet, email and web services. Australia
AUISM 1653 Privileged service accounts are prevented from accessing the internet, email and web services. Australia
AUISM 1649 Just-in-time administration is used for administering systems and applications. Australia
AUISM 445 Privileged users are assigned a dedicated privileged account to be used solely for tasks requiring privileged access. Australia
AUISM 1509 Privileged access events are logged. Australia
AUISM 1651 Privileged access event logs are stored centrally. Australia
AUISM 1650 Privileged account and group management events are logged. Australia
AUISM 1652 Privileged account and group management event logs are stored centrally. Australia
AUISM 446 Foreign nationals, including seconded foreign nationals, do not have privileged access to systems that process, store or communicate AUSTEO or REL data. Australia
AUISM 447 Foreign nationals, excluding seconded foreign nationals, do not have privileged access to systems that process, store or communicate AGAO data. Australia
AUISM 430 Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access. Is there a documented and implemented process to remove access to systems, applications and data repositories for personnel (vendor staff, external contractors and associates) that: no longer have a legitimate requirement for access (implemented on the same day); and are detected undertaking malicious activities (implemented immediately)? Security - HR Australia Y
AUISM 1591 Access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities. Is there a documented and implemented process to remove access to systems, applications and data repositories for personnel (vendor staff, external contractors and associates) that: no longer have a legitimate requirement for access (implemented on the same day); and are detected undertaking malicious activities (implemented immediately)? Security - HR Australia Y
AUISM 1404 Unprivileged access to systems and applications is automatically disabled after 45 days of inactivity. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; and - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity? - Provided appropriate security notices when they access the system Security - Access Australia
AUISM 1648 Privileged access to systems and applications is automatically disabled after 45 days of inactivity. Australia
AUISM 1716 Access to data repositories is automatically disabled after 45 days of inactivity. Australia
AUISM 1647 Privileged access to systems and applications is automatically disabled after 12 months unless revalidated. Australia
AUISM 1734 Privileged access to data repositories is automatically disabled after 12 months unless revalidated. Australia
AUISM 407 A secure record is maintained for the life of each system covering: • all personnel authorised to access the system, and their user identification; • who provided authorisation for access; • when access was granted; • the level of access that was granted; • when access, and the level of access, was last reviewed; • when the level of access was changed, and to what extent (if applicable); • when access was withdrawn (if applicable). Australia
AUISM 441 When personnel are granted temporary access to a system, effective controls are put in place to restrict their access to only data required for them to undertake their duties. Australia
AUISM 443 Temporary access is not granted to systems that process, store or communicate caveated or sensitive compartmented information. Australia
AUISM 1610 A method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. Australia
AUISM 1611 Break glass accounts are only used when normal authentication processes cannot be used. Australia
AUISM 1612 Break glass accounts are only used for specific authorised activities. Australia
AUISM 1614 Break glass account credentials are changed by the account custodian after they are accessed by any other party. Australia
AUISM 1615 Break glass accounts are tested after credentials are changed. Australia
AUISM 1613 Use of break glass accounts is logged. Australia
AUISM 1715 Break glass event logs are stored centrally. Australia
AUISM 78 Systems processing, storing or communicating AUSTEO or AGAO data remain at all times under the control of an Australian national working for or on behalf of the Australian Government. Australia
AUISM 854 AUSTEO and AGAO data can only be accessed from systems under the sole control of the Australian Government that are located within facilities authorised by the Australian Government. Australia
AUISM 181 Cabling infrastructure is installed in accordance with relevant Australian Standards, as directed by the Australian Communications and Media Authority. Australia
AUISM 1111 Fibre-optic cables are used for cabling infrastructure instead of copper cables. Australia
AUISM 211 A cable register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 208 A cable register contains the following for each cable: • cable identifier; • cable colour; • sensitivity/classification; • source; • destination; • location; • seal numbers (if applicable). Australia
AUISM 1645 Floor plan diagrams are developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1646 Floor plan diagrams contain the following: • cable paths (including ingress and egress points between floors); • cable reticulation system and conduit paths; • floor concentration boxes; • wall outlet boxes; • network cabinets. Australia
AUISM 206 Cable labelling processes, and supporting cable labelling procedures, are developed, implemented and maintained. Australia
AUISM 1096 Cables are labelled at each end with sufficient source and destination details to enable the physical identification and inspection of the cable. Australia
AUISM 1639 Building management cables are labelled with their purpose in black writing on a yellow background, with a minimum size of 2.5 cm x 1 cm, and attached at five-metre intervals. Australia
AUISM 1640 Cables for foreign systems installed in Australian facilities are labelled at inspection points. Australia
AUISM 926 OFFICIAL and PROTECTED cables are coloured neither salmon pink nor red. Australia
AUISM 1718 SECRET cables are coloured salmon pink. Australia
AUISM 1719 TOP SECRET cables are coloured red. Australia
AUISM 1216 SECRET and TOP SECRET cables with non-conformant cable colouring are both banded with the appropriate colour and labelled at inspection points. Australia
AUISM 1112 Cables are inspectable at a minimum of five-metre intervals. Australia
AUISM 1119 Cables in TOP SECRET areas are fully inspectable for their entire length. Australia
AUISM 187 SECRET and TOP SECRET systems belong exclusively to their own cable groups. Australia
AUISM 189 Cables only carry a single cable group, unless each cable group belongs to a different subunit. Australia
AUISM 1114 Cable groups sharing a common cable reticulation system have a dividing partition or a visible gap between the cable groups. Australia
AUISM 1130 In shared facilities, cables are run in an enclosed cable reticulation system. Australia
AUISM 1164 In shared facilities, conduits or the front covers of ducts, cable trays in floors and ceilings, and associated fittings are clear plastic. Australia
AUISM 195 In shared facilities, uniquely identifiable SCEC-approved tamper-evident seals are used to seal all removable covers on TOP SECRET cable reticulation systems. Australia
AUISM 194 In shared facilities, a visible smear of conduit glue is used to seal all plastic conduit joints and TOP SECRET conduits connected by threaded lock nuts. Australia
AUISM 201 Labels for TOP SECRET conduits are a minimum size of 2.5 cm x 1 cm, attached at five-metre intervals and marked as 'TS RUN'. Australia
AUISM 1115 Cables from cable trays to wall outlet boxes are run in flexible or plastic conduit. Australia
AUISM 1133 In shared facilities, TOP SECRET cables are not run in party walls. Australia
AUISM 1122 Where wall penetrations exit a TOP SECRET area into a lower classified area, TOP SECRET cables are encased in conduit with all gaps between the TOP SECRET conduit and the wall filled with an appropriate sealing compound. Australia
AUISM 1104 Wall outlet boxes have connectors on opposite sides of the wall outlet box if the cable group contains cables belonging to different systems. Australia
AUISM 1105 Different cable groups do not share a wall outlet box. Australia
AUISM 1095 Wall outlet boxes denote the systems, cable identifiers and wall outlet box identifier. Australia
AUISM 1107 OFFICIAL and PROTECTED wall outlet boxes are coloured neither salmon pink nor red. Australia
AUISM 1720 SECRET wall outlet boxes are coloured salmon pink. Australia
AUISM 1721 TOP SECRET wall outlet boxes are coloured red. Australia
AUISM 1109 Wall outlet box covers are clear plastic. Australia
AUISM 218 If TOP SECRET fibre-optic fly leads exceeding five metres in length are used to connect wall outlet boxes to ICT equipment, they are run in a protective and easily inspected pathway that is clearly labelled at the ICT equipment end with the wall outlet box's identifier. Australia
AUISM 1102 Cable reticulation systems leading into cabinets are terminated as close as possible to the cabinet. Australia
AUISM 1101 In TOP SECRET areas, cable reticulation systems leading into cabinets in server rooms or communications rooms are terminated as close as possible to the cabinet. Australia
AUISM 1103 In TOP SECRET areas, cable reticulation systems leading into cabinets not in server rooms or communications rooms are terminated at the boundary of the cabinet. Australia
AUISM 1098 Cables are terminated in individual cabinets; or for small systems, one cabinet with a division plate to delineate cable groups. Australia
AUISM 1100 TOP SECRET cables are terminated in an individual TOP SECRET cabinet. Australia
AUISM 213 Different cable groups do not terminate on the same patch panel. Australia
AUISM 1116 There is a visible gap between TOP SECRET cabinets and cabinets of lower classifications. Australia
AUISM 216 TOP SECRET and non-TOP SECRET patch panels are physically separated by installing them in separate cabinets. Australia
AUISM 217 Where spatial constraints demand patch panels of lower classifications than TOP SECRET be located in the same cabinet as a TOP SECRET patch panel: • a physical barrier in the cabinet is provided to separate patch panels; • only personnel holding a Positive Vetting security clearance have access to the cabinet; • approval from the TOP SECRET system's authorising officer is obtained prior to installation. Australia
AUISM 198 When penetrating a TOP SECRET audio secure room, the Australian Security Intelligence Organisation is consulted and all directions provided are complied with. Australia
AUISM 1123 A power distribution board with a feed from an Uninterruptible Power Supply is used to power all TOP SECRET ICT equipment. Australia
AUISM 248 System owners deploying OFFICIAL or PROTECTED systems with Radio Frequency transmitters that will be co-located with SECRET or TOP SECRET systems contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 247 System owners deploying SECRET or TOP SECRET systems with Radio Frequency transmitters inside or co-located with their facility contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 1137 System owners deploying SECRET or TOP SECRET systems in shared facilities contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 249 System owners deploying systems or military platforms overseas contact the ACSC for an emanation security threat assessment and implement any additional installation criteria derived from the threat assessment. Australia
AUISM 246 An emanation security threat assessment is sought as early as possible in a system's life cycle as implementing emanation security can have significant cost implications. Australia
AUISM 250 ICT equipment meets industry and government standards relating to electromagnetic interference/electromagnetic compatibility. Australia
AUISM 1078 A telephone system usage policy is developed, implemented and maintained. Australia
AUISM 229 Personnel are advised of the permitted sensitivity or classification of information that can be discussed over both internal and external telephone systems. Australia
AUISM 230 Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur. Australia
AUISM 231 When using cryptographic equipment to permit different levels of conversation for different kinds of connections, telephone systems give a visual indication of what kind of connection has been made. Australia
AUISM 232 Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems. Australia
AUISM 233 Cordless telephone systems are not used for sensitive or classified conversations. Australia
AUISM 235 Speakerphones are not used on telephone systems in TOP SECRET areas unless the telephone system is located in an audio secure room, the room is audio secure during conversations and only personnel involved in conversations are present in the room. Australia
AUISM 236 Off-hook audio protection features are used on telephone systems in areas where background conversations may exceed the sensitivity or classification that the telephone system is authorised for communicating. Australia
AUISM 931 In SECRET and TOP SECRET areas, push-to-talk handsets or push-to-talk headsets are used to meet any off-hook audio protection requirements. Australia
AUISM 1562 Video conferencing and IP telephony infrastructure is hardened. Australia
AUISM 546 When video conferencing or IP telephony traffic passes through a gateway containing a firewall or proxy, a video-aware or voice-aware firewall or proxy is used. Australia
AUISM 548 Video conferencing and IP telephony calls are established using a secure session initiation protocol. Australia
AUISM 547 Video conferencing and IP telephony calls are conducted using a secure real-time transport protocol. Australia
AUISM 554 An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation. Australia
AUISM 553 Authentication and authorisation is used for all actions on a video conferencing network, including call setup and changing settings. Australia
AUISM 555 Authentication and authorisation is used for all actions on an IP telephony network, including registering a new IP phone, changing phone users, changing settings and accessing voicemail. Australia
AUISM 551 IP telephony is configured such that: • IP phones authenticate themselves to the call controller upon registration; • auto-registration is disabled and only authorised devices are allowed to access the network; • unauthorised devices are blocked by default; • all unused and prohibited functionality is disabled. Australia
AUISM 1014 Individual logins are implemented for IP phones used for SECRET or TOP SECRET conversations. Australia
AUISM 549 Video conferencing and IP telephony traffic is separated physically or logically from other data traffic. Australia
AUISM 556 Workstations are not connected to video conferencing units or IP phones unless the workstation or the device uses Virtual Local Area Networks or similar mechanisms to maintain separation between video conferencing, IP telephony and other data traffic. Australia
AUISM 558 IP phones used in public areas do not have the ability to access data networks, voicemail and directory services. Australia
AUISM 559 Microphones (including headsets and USB handsets) and webcams are not used with non-SECRET workstations in SECRET areas. Australia
AUISM 1450 Microphones (including headsets and USB handsets) and webcams are not used with non-TOP SECRET workstations in TOP SECRET areas. Australia
AUISM 1019 A denial of service response plan for video conferencing and IP telephony services is developed, implemented and maintained. Australia
AUISM 1805 A denial of service response plan for video conferencing and IP telephony services contains the following: • how to identify signs of a denial-of-service attack; • how to identify the source of a denial-of-service attack; • how capabilities can be maintained during a denial-of-service attack; • what actions can be taken to respond to a denial-of-service attack. Australia
AUISM 588 A fax machine and MFD usage policy is developed, implemented and maintained. Australia
AUISM 1092 Separate fax machines or MFDs are used for sending sensitive or classified fax messages and all other fax messages. Australia
AUISM 241 When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure. Australia
AUISM 1075 The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time. Australia
AUISM 590 Controls for MFDs connected to networks are of a similar strength to those for other devices on networks. Australia
AUISM 245 A direct connection from an MFD to a digital telephone system is not enabled unless the digital telephone system is authorised to operate at the same sensitivity or classification as the network to which the MFD is connected. Australia
AUISM 589 MFDs connected to networks are not used to copy documents above the sensitivity or classification of connected networks. Australia
AUISM 1036 Fax machines and MFDs are located in areas where their use can be observed. Australia
AUISM 1533 A mobile device management policy is developed, implemented and maintained. Australia
AUISM 1195 A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices. Australia
AUISM 687 Mobile devices do not process, store or communicate SECRET or TOP SECRET data until approved for use by ASD. Australia
AUISM 1297 Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data. Australia
AUISM 1400 Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data. Australia
AUISM 694 Privately-owned mobile devices do not access SECRET and TOP SECRET systems or data. Australia
AUISM 1482 Personnel accessing systems or data using an organisation-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data. Australia
AUISM 869 Mobile devices encrypt their internal storage and any removable media. Australia
AUISM 1085 Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure. Australia
AUISM 1196 OFFICIAL and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing. Australia
AUISM 1200 Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported. Australia
AUISM 1198 Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices. Australia
AUISM 1199 Bluetooth pairings for OFFICIAL and PROTECTED mobile devices are removed when there is no longer a requirement for their use. Australia
AUISM 682 Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices. Australia
AUISM 863 Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned. Australia
AUISM 864 Mobile devices prevent personnel from disabling or modifying security functionality once provisioned. Australia
AUISM 1366 Security updates are applied to mobile devices as soon as they become available. Australia
AUISM 874 Mobile devices access the internet via a VPN connection to an organisation's internet gateway rather than via a direct connection to the internet. Australia
AUISM 705 When accessing an organisation's network via a VPN connection, split tunnelling is disabled. Australia
AUISM 1082 A mobile device usage policy is developed, implemented and maintained. Australia
AUISM 1083 Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices. Australia
AUISM 240 Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data. Australia
AUISM 866 Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed. Australia
AUISM 1145 Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices. Australia
AUISM 1644 Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard. Australia
AUISM 871 Mobile devices are kept under continual direct supervision when being actively used. Australia
AUISM 870 Mobile devices are carried or stored in a secured state when not being actively used. Australia
AUISM 1084 If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag. Australia
AUISM 701 Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed, implemented and maintained. Australia
AUISM 702 If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures. Australia
AUISM 1298 Personnel are advised of privacy and security risks when travelling overseas with mobile devices. Australia
AUISM 1554 If travelling overseas with mobile devices to high or extreme risk countries, personnel are: • issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities; • advised on how to apply and inspect tamper seals to key areas of mobile devices; • advised to avoid taking any personal mobile devices, especially if rooted or jailbroken. Australia
AUISM 1555 Before travelling overseas with mobile devices, personnel take the following actions: • record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers; • update all operating systems and applications; • remove all non-essential accounts, applications and data; • apply security configuration settings, such as lock screens; • configure remote locate and wipe functionality; • enable encryption, including for any removable media; • backup all important data and configuration settings. Australia
AUISM 1299 Personnel take the following precautions when travelling overseas with mobile devices: • never leaving mobile devices or removable media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes; • never storing credentials with mobile devices that they grant access to, such as in laptop bags; • never lending mobile devices or removable media to untrusted people, even if briefly; • never allowing untrusted people to connect their mobile devices or removable media, including for charging; • never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people; • avoiding connecting mobile devices to open or untrusted Wi-Fi networks; • using a VPN connection to encrypt all mobile device communications; • using encrypted messaging apps for communications instead of using foreign telecommunication networks; • disabling any communications capabilities of mobile devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication; • avoiding reuse of removable media once used with other parties' systems or mobile devices; • ensuring any removable media used for data transfers are thoroughly checked for malicious code beforehand; • never using any gifted mobile devices, especially removable media, when travelling or upon returning from travelling. Australia
AUISM 1088 Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they: • provide credentials to foreign government officials; • decrypt mobile devices for foreign government officials; • have mobile devices taken out of sight by foreign government officials; • have mobile devices or removable media stolen that are later returned; • lose mobile devices or removable media that are later found; • observe unusual behaviour of mobile devices. Australia
AUISM 1300 Upon returning from travelling overseas with mobile devices, personnel take the following actions: • sanitise and reset mobile devices, including all removable media; • decommission any credentials that left their possession during their travel; • report if significant doubt exists as to the integrity of any mobile devices or removable media. Australia
AUISM 1556 If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions: • reset credentials used with mobile devices, including those used for remote access to their organisation's systems; • monitor accounts for any indicators of compromise, such as failed logon attempts. Australia
AUISM 280 If procuring an evaluated product, a product that has completed a PP-based evaluation is selected in preference to one that has completed an EAL-based evaluation. Australia
AUISM 285 Evaluated products are delivered in a manner consistent with any delivery procedures defined in associated evaluation documentation. Australia
AUISM 286 When procuring high assurance ICT equipment, the ACSC is contacted for any equipment-specific delivery procedures. Australia
AUISM 289 Evaluated products are installed, configured, administered and operated in accordance with vendor guidance and evaluation documentation. Australia
AUISM 290 High assurance ICT equipment is installed, configured, administered and operated in accordance with guidance produced by the ACSC. Australia
AUISM 292 High assurance ICT equipment is always operated in an evaluated configuration. Australia
AUISM 1551 An ICT equipment management policy is developed, implemented and maintained. Australia
AUISM 336 An ICT equipment register is developed, implemented, maintained and verified on a regular basis. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Security - Plans and Quality Australia Y
AUISM 294 ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification. Australia
AUISM 296 The Australian Cyber Security Centre (ACSC)'s approval is sought before applying labels to external surfaces of high assurance ICT equipment. Australia
AUISM 293 ICT equipment is classified based on the highest sensitivity or classification of data that it is approved for processing, storing or communicating. Australia
AUISM 1599 ICT equipment is handled in a manner suitable for its sensitivity or classification. Australia
AUISM 1079 The ACSC's approval is sought before undertaking any maintenance or repairs to high assurance ICT equipment. Australia
AUISM 305 Maintenance and repairs of ICT equipment is carried out on site by an appropriately cleared technician. Australia
AUISM 307 If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the ICT equipment and associated media is sanitised before maintenance or repair work is undertaken. Australia
AUISM 306 If an uncleared technician is used to undertake maintenance or repairs of ICT equipment, the technician is escorted by someone who:[ul][li]is appropriately cleared and briefed[/li][li]takes due care to ensure that data is not disclosed[/li][li]takes all responsible measures to ensure the integrity of the ICT equipment[/li][li]has the authority to direct the technician[/li][li]is sufficiently familiar with the ICT equipment to understand the work being performed.[/li][/ul] Australia
AUISM 310 ICT equipment maintained or repaired off site is done so at facilities approved for handling the sensitivity or classification of the ICT equipment. Australia
AUISM 1598 Following maintenance or repair activities for ICT equipment, the ICT equipment is inspected to confirm it retains its approved software configuration and that no unauthorised modifications have taken place. Australia
AUISM 313 ICT equipment sanitisation processes, and supporting ICT equipment sanitisation procedures, are developed, implemented and maintained. Australia
AUISM 1741 ICT equipment destruction processes, and supporting ICT equipment destruction procedures, are developed, implemented and maintained. Australia
AUISM 311 ICT equipment containing media is sanitised by removing the media from the ICT equipment or by sanitising the media in situ. Australia
AUISM 1742 ICT equipment that cannot be sanitised is destroyed. Australia
AUISM 1218 ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data, is sanitised in situ. Australia
AUISM 312 ICT equipment, including associated media, that is located overseas and has processed, stored or communicated AUSTEO or AGAO data that cannot be sanitised in situ, is returned to Australia for destruction. Australia
AUISM 315 High assurance ICT equipment is destroyed prior to its disposal. Australia
AUISM 317 At least three pages of random text with no blank areas are printed on each colour printer cartridge or MFD print drum. Australia
AUISM 1219 MFD print drums and image transfer rollers are inspected and destroyed if there is remnant toner which cannot be removed or a print is visible on the image transfer roller. Australia
AUISM 1220 Printer and MFD platens are inspected and destroyed if any text or images are retained on the platen. Australia
AUISM 1221 Printers and MFDs are checked to ensure no pages are trapped in the paper path due to a paper jam. Australia
AUISM 318 When unable to sanitise printer cartridges or MFD print drums, they are destroyed as per electrostatic memory devices. Australia
AUISM 1534 Printer ribbons in printers and MFDs are removed and destroyed. Australia
AUISM 1076 Televisions and computer monitors with minor burn-in or image persistence are sanitised by displaying a solid white image on the screen for an extended period of time. Australia
AUISM 1222 Televisions and computer monitors that cannot be sanitised are destroyed. Australia
AUISM 1223 Memory in network devices is sanitised using the following processes, in order of preference:[ul][li]following device-specific guidance provided in evaluation documentation[/li][li]following vendor sanitisation guidance[/li][li]loading a dummy configuration file, performing a factory reset and then reinstalling firmware.[/li][/ul] Australia
AUISM 1225 The paper tray of the fax machine is removed, and a fax message with a minimum length of four pages is transmitted, before the paper tray is re-installed to allow a fax summary page to be printed. Australia
AUISM 1226 Fax machines are checked to ensure no pages are trapped in the paper path due to a paper jam. Australia
AUISM 1550 ICT equipment disposal processes, and supporting ICT equipment disposal procedures, are developed, implemented and maintained. Australia
AUISM 1217 Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate ICT equipment with its prior use are removed prior to its disposal. Australia
AUISM 321 When disposing of ICT equipment that has been designed or modified to meet emanation security standards, the ACSC is contacted for requirements relating to its disposal. Australia
AUISM 316 Following sanitisation, destruction or declassification, a formal administrative decision is made to release ICT equipment, or its waste, into the public domain. Australia
AUISM 1549 A media management policy is developed, implemented and maintained. Australia
AUISM 1359 A removable media usage policy is developed, implemented and maintained. Australia
AUISM 1713 A removable media register is developed, implemented, maintained and verified on a regular basis. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Security - Plans and Quality Australia Y
AUISM 332 Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification. Australia
AUISM 323 Media is classified to the highest sensitivity or classification of data it stores, unless the media has been classified to a higher sensitivity or classification. Australia
AUISM 337 Media is only used with systems that are authorised to process, store or communicate its sensitivity or classification. Australia
AUISM 325 Any media connected to a system with a higher sensitivity or classification than the media is reclassified to the higher sensitivity or classification, unless the media is read-only or the system has a mechanism through which read-only access can be ensured. Australia
AUISM 330 Before reclassifying media to a lower sensitivity or classification, the media is sanitised or destroyed, and a formal administrative decision is made to reclassify it. Australia
AUISM 831 Media is handled in a manner suitable for its sensitivity or classification. Australia
AUISM 1059 All data stored on media is encrypted. Australia
AUISM 1600 Media is sanitised before it is used for the first time. Australia
AUISM 1642 Media is sanitised before it is reused in a different security domain. Australia
AUISM 347 When transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured. Australia
AUISM 947 When transferring data manually between two systems belonging to different security domains, rewritable media is sanitised after each data transfer. Australia
AUISM 348 Media sanitisation processes, and supporting media sanitisation procedures, are developed, implemented and maintained. Australia
AUISM 351 Volatile media is sanitised by removing its power for at least 10 minutes. Australia
AUISM 352 SECRET and TOP SECRET volatile media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 835 Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time. Australia
AUISM 354 Non-volatile magnetic media is sanitised by overwriting it at least once (or three times if pre-2001 or under 15 GB) in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 1065 The host-protected area and device configuration overlay table are reset prior to the sanitisation of non-volatile magnetic hard drives. Australia
AUISM 1067 The ATA secure erase command is used, in addition to block overwriting software, to ensure the growth defects table of non-volatile magnetic hard drives is overwritten. Australia
AUISM 356 Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification. Australia
AUISM 357 Non-volatile EPROM media is sanitised by applying three times the manufacturer's specified ultraviolet erasure time and then overwriting it at least once in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 836 Non-volatile EEPROM media is sanitised by overwriting it at least once in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 358 Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification. Australia
AUISM 359 Non-volatile flash memory media is sanitised by overwriting it at least twice in its entirety with a random pattern followed by a read back for verification. Australia
AUISM 360 Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification. Australia
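The overwrite-and-verify procedure that controls 352, 354, 836 and 359 prescribe (write a random pattern over the whole extent, then read it back to confirm), as an added PowerShell example that is not part of the ISM or of GESS. It assumes $Path is a regular file or disk image the account can open read/write, and that $Passes is the figure for the media type (one for magnetic and EEPROM media, two for flash, three for pre-2001 or sub-15 GB magnetic media). It does not perform the HPA/DCO reset or the ATA secure erase that controls 1065 and 1067 additionally require for hard drives; those need a drive-level tool.

```powershell
# Added example (not ISM or GESS text): overwrite a media image with a random
# pattern for the required number of passes and verify each pass by read-back.
# Assumes $Path is a file or disk image this account can open for ReadWrite.
function Invoke-RandomOverwriteAndVerify {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateRange(1, 10)][int]$Passes = 1,   # 1 magnetic/EEPROM, 2 flash, 3 old or <15 GB magnetic
        [int]$ChunkSize = 1MB
    )

    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $empty   = New-Object byte[] 0
    $results = @()

    for ($pass = 1; $pass -le $Passes; $pass++) {
        # Write phase: stream random bytes over the whole extent, hashing what goes out.
        $writeHash = [System.Security.Cryptography.SHA256]::Create()
        $buffer    = New-Object byte[] $ChunkSize
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        try {
            $length    = $fs.Length
            $remaining = $length
            while ($remaining -gt 0) {
                $n = [int][Math]::Min($ChunkSize, $remaining)
                $rng.GetBytes($buffer)
                $fs.Write($buffer, 0, $n)
                [void]$writeHash.TransformBlock($buffer, 0, $n, $null, 0)
                $remaining -= $n
            }
            $fs.Flush($true)                       # flushToDisk: get past the OS cache
            [void]$writeHash.TransformFinalBlock($empty, 0, 0)
        } finally { $fs.Dispose() }

        # Verify phase: read the extent back and compare its hash with what was written.
        $readHash = [System.Security.Cryptography.SHA256]::Create()
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        try {
            while (($n = $fs.Read($buffer, 0, $buffer.Length)) -gt 0) {
                [void]$readHash.TransformBlock($buffer, 0, $n, $null, 0)
            }
            [void]$readHash.TransformFinalBlock($empty, 0, 0)
        } finally { $fs.Dispose() }

        $written  = [BitConverter]::ToString($writeHash.Hash)
        $read     = [BitConverter]::ToString($readHash.Hash)
        $verified = ($written -eq $read)
        $results += [pscustomobject]@{ Pass = $pass; Bytes = $length; Verified = $verified }

        # A pass that does not read back identically means the media is faulty or
        # damaged: stop, and treat it as destroy-before-disposal (control 1735).
        if (-not $verified) { break }
    }
    $results
}

# Usage against a throwaway image; never point this at a live volume.
# $img = New-TemporaryFile; $fs = $img.OpenWrite(); $fs.SetLength(8MB); $fs.Dispose()
# Invoke-RandomOverwriteAndVerify -Path $img.FullName -Passes 2 | Format-Table
```

The read-back is what turns an overwrite into a verified sanitisation: a pass whose hash differs from what was written points to a failing device, and the ISM's answer to that (1735) is destruction, not another pass. Flash media additionally keeps spare blocks that a file-level overwrite never touches, which is one reason the ISM requires two passes and retains classification for SECRET and TOP SECRET flash after sanitisation.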
AUISM 1735 Faulty or damaged media that cannot be successfully sanitised is destroyed prior to its disposal. Australia
AUISM 363 Media destruction processes, and supporting media destruction procedures, are developed, implemented and maintained. Australia
AUISM 350 The following media types are destroyed prior to their disposal:[ul][li]microfiche and microfilm[/li][li]optical discs[/li][li]programmable read-only memory[/li][li]read-only memory[/li][li]other types of media that cannot be sanitised.[/li][/ul] Australia
AUISM 1361 Security Construction and Equipment Committee-approved equipment or ASIO-approved equipment is used when destroying media. Australia
AUISM 1160 If using degaussers to destroy media, degaussers evaluated by the United States' National Security Agency are used. Australia
AUISM 1517 Equipment that is capable of reducing microform to a fine powder, with resultant particles not showing more than five consecutive characters per particle upon microscopic inspection, is used to destroy microfiche and microfilm. Australia
AUISM 1722 Electrostatic memory devices are destroyed using a furnace/incinerator, hammer mill, disintegrator or grinder/sander. Australia
AUISM 1723 Magnetic floppy disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, degausser or by cutting. Australia
AUISM 1724 Magnetic hard disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or degausser. Australia
AUISM 1725 Magnetic tapes are destroyed using a furnace/incinerator, hammer mill, disintegrator, degausser or by cutting. Australia
AUISM 1726 Optical disks are destroyed using a furnace/incinerator, hammer mill, disintegrator, grinder/sander or by cutting. Australia
AUISM 1727 Semiconductor memory is destroyed using a furnace/incinerator, hammer mill or disintegrator. Australia
AUISM 368 Media destroyed using a hammer mill, disintegrator, grinder/sander or by cutting results in media waste particles no larger than 9 mm. Australia
AUISM 1728 The resulting media waste particles from the destruction of SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, PROTECTED if greater than 3 mm and less than or equal to 6 mm, or SECRET if greater than 6 mm and less than or equal to 9 mm. Australia
AUISM 1729 The resulting media waste particles from the destruction of TOP SECRET media is stored and handled as OFFICIAL if less than or equal to 3 mm, or SECRET if greater than 3 mm and less than or equal to 9 mm. Australia
AUISM 361 Magnetic media is destroyed using a degausser with a suitable magnetic field strength and magnetic orientation. Australia
AUISM 362 Product-specific directions provided by degausser manufacturers are followed. Australia
AUISM 1641 Following the use of a degausser, magnetic media is physically damaged by deforming any internal platters. Australia
AUISM 370 The destruction of media is performed under the supervision of at least one person cleared to its sensitivity or classification. Australia
AUISM 371 Personnel supervising the destruction of media supervise its handling to the point of destruction and ensure that the destruction is completed successfully. Australia
AUISM 372 The destruction of media storing accountable material is performed under the supervision of at least two personnel cleared to its sensitivity or classification. Australia
AUISM 373 Personnel supervising the destruction of media storing accountable material supervise its handling to the point of destruction, ensure that the destruction is completed successfully and sign a destruction certificate afterwards. Australia
AUISM 839 The destruction of media storing accountable material is not outsourced. Australia
AUISM 840 When outsourcing the destruction of media storing non-accountable material, a National Association for Information Destruction AAA certified destruction service with endorsements, as specified in ASIO's Protective Security Circular-167, is used. Australia
AUISM 374 Media disposal processes, and supporting media disposal procedures, are developed, implemented and maintained. Australia
AUISM 378 Labels and markings indicating the owner, sensitivity, classification or any other marking that can associate media with its prior use are removed prior to its disposal. Australia
AUISM 375 Following sanitisation, destruction or declassification, a formal administrative decision is made to release media, or its waste, into the public domain. Australia
AUISM 1743 Operating systems are chosen from vendors that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. Australia
AUISM 1407 The latest release, or the previous release, of operating systems are used. Australia
AUISM 1408 Where supported, 64-bit versions of operating systems are used. Australia
AUISM 1406 SOEs are used for workstations and servers. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Security - Technical Australia
AUISM 1608 SOEs provided by third parties are scanned for malicious code and configurations. Australia
AUISM 1588 SOEs are reviewed and updated at least annually. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used; Security - Technical Australia
AUISM 1409 ACSC and vendor guidance is implemented to assist in hardening the configuration of operating systems. Australia
AUISM 380 Unneeded accounts, components, services and functionality of operating systems are disabled or removed. Australia
AUISM 383 Default accounts or credentials for operating systems, including for any pre-configured accounts, are changed. Australia
AUISM 341 Automatic execution features for removable media are disabled. Australia
AUISM 1654 Internet Explorer 11 is disabled or removed. Australia
AUISM 1655 .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed. Australia
AUISM 1492 Operating system exploit protection functionality is enabled. Australia
AUISM 1745 Early Launch Antimalware, Secure Boot, Trusted Boot and Measured Boot functionality is enabled. Australia
AUISM 1584 Unprivileged users are prevented from bypassing, disabling or modifying security functionality of operating systems. Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Security - Access Australia
AUISM 1491 Unprivileged users are prevented from running script execution engines, including:[ul][li]Windows Script Host (cscript.exe and wscript.exe)[/li][li]PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)[/li][li]Command Prompt (cmd.exe)[/li][li]Windows Management Instrumentation (wmic.exe)[/li][li]Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).[/li][/ul] Are vendor staff, external contractors or associates with non-privileged accounts restricted from installing, uninstalling, disabling or making any changes to software and system configuration on servers and endpoints? Security - Access Australia
AUISM 1592 Unprivileged users do not have the ability to install unapproved software. Australia
AUISM 382 Unprivileged users do not have the ability to uninstall or disable approved software. Australia
AUISM 843 Application control is implemented on workstations. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1490 Application control is implemented on internet-facing servers. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1656 Application control is implemented on non-internet-facing servers. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1657 Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1658 Application control restricts the execution of drivers to an organisation-approved set. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 955 Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1582 Application control rulesets are validated on an annual or more frequent basis. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1471 When implementing application control using publisher certificate rules, both publisher names and product names are used. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance; Security - Access Australia Y
AUISM 1392 When implementing application control using path rules, only approved users can write to and modify content within approved folders and files. Australia
AUISM 1746 When implementing application control using path rules, only approved users can change file system permissions for approved folders and files. Australia
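One way to check the condition that controls 1392 and 1746 place on path rules, as an added PowerShell example that is not ISM, GESS or Microsoft code: walk every folder under each allow-rule root and report any access control entry that lets a principal outside the trusted set write into the folder or change its permissions. A path rule is only as strong as the ACL on the path, since anything a user can drop into an allowed folder runs. The two default roots below are assumptions standing in for an organisation's own path-rule set; $TrustedPrincipals is the set of accounts control 1392 permits to write there.

```powershell
# Added example (not ISM, GESS or Microsoft code): find folders under application
# control path-rule roots that a non-trusted principal can write to or re-ACL.
# Assumes the roots below stand for the organisation's own allow-rule paths.
function Test-PathRuleWritableFolders {
    [CmdletBinding()]
    param(
        [string[]]$AllowedPaths = @($env:ProgramFiles, $env:windir),
        [string[]]$TrustedPrincipals = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller',
            'CREATOR OWNER'
        )
    )

    # Specific rights that let a principal plant or replace a file, or widen the ACL.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeRights = $R::Write -bor $R::Modify -bor $R::FullControl -bor
                   $R::CreateFiles -bor $R::CreateDirectories -bor
                   $R::ChangePermissions -bor $R::TakeOwnership
    # Inherit-only ACEs carry generic rights as raw bits rather than enum names:
    # GENERIC_ALL is 0x10000000 and GENERIC_WRITE is 0x40000000.
    $genericWrite = 0x50000000

    foreach ($root in $AllowedPaths) {
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
                $raw      = [int]$ace.FileSystemRights
                $canWrite = (($raw -band [int]$writeRights) -ne 0) -or (($raw -band $genericWrite) -ne 0)
                if (-not $canWrite) { continue }
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (elevated, so every folder's ACL is readable). Walking %windir% is slow
# because of WinSxS; run it once per SOE build rather than per host.
Test-PathRuleWritableFolders | Sort-Object Folder, Principal | Format-Table -AutoSize
```

Each row is a folder where a path rule and the file system disagree: either tighten the ACL, or carve the folder out of the rule with an exception or a deny rule, and re-run the check as part of the annual ruleset validation control 1582 calls for.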
AUISM 1544 Microsoft's 'recommended block rules' are implemented. Australia
AUISM 1659 Microsoft's 'recommended driver block rules' are implemented. Australia
AUISM 846 All users (with the exception of local administrator accounts and break glass accounts) cannot disable, bypass or be exempted from application control. Australia
AUISM 1660 Allowed and blocked execution events on workstations are logged. Australia
AUISM 1661 Allowed and blocked execution events on internet-facing servers are logged. Australia
AUISM 1662 Allowed and blocked execution events on non-internet-facing servers are logged. Australia
AUISM 1663 Application control event logs are stored centrally. Australia
AUISM 1621 Windows PowerShell 2.0 is disabled or removed. Australia
AUISM 1622 PowerShell is configured to use Constrained Language Mode. Australia
AUISM 1623 PowerShell is configured to use module logging, script block logging and transcription functionality. Australia
AUISM 1624 PowerShell script block logs are protected by Protected Event Logging functionality. Australia
AUISM 1664 Blocked PowerShell script execution events are logged. Australia
AUISM 1665 PowerShell event logs are stored centrally. Australia
AUISM 1341 A HIPS is implemented on workstations. Are production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1034 A HIPS is implemented on critical servers and high-value servers. Are production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1416 A software firewall is implemented on workstations and servers to restrict inbound and outbound network connections to an organisation-approved set of applications and services. Are production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1417 Antivirus software is implemented on workstations and servers with: • signature-based detection functionality enabled and set to a high level; • heuristic-based detection functionality enabled and set to a high level; • reputation rating functionality enabled; • ransomware protection functionality enabled; • detection signatures configured to update on at least a daily basis; • regular scanning configured for all fixed disks and removable media. Are production servers (e.g., authentication servers, Domain Name System (DNS), web servers, file servers and email servers), containers, serverless services and all end points protected by HIPS (Host-based Intrusion Prevention System), software-based application firewalls, anti-virus and anti-malware all of which are kept up to date with definitions and maintained? Security - Technical Australia
AUISM 1418 If there is no business requirement for reading from removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces. Australia
AUISM 343 If there is no business requirement for writing to removable media and devices, such functionality is disabled via the use of device access control software or by disabling external communication interfaces. Australia
AUISM 345 External communication interfaces that allow DMA are disabled. Australia
AUISM 582 The following events are logged for operating systems: • application and operating system crashes and error messages; • changes to security policies and system configurations; • successful user logons and logoffs, failed user logons and account lockouts; • failures, restarts and changes to important processes and services; • requests to access internet resources; • security product-related events; • system startups and shutdowns. Australia
AUISM 1747 Operating system event logs are stored centrally. Australia
AUISM 938 Applications are chosen from vendors that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. Australia
AUISM 1467 The latest release of office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are used. Australia
AUISM 1483 The latest release of web server applications, and other internet-accessible server applications, are used. Australia
AUISM 1806 Default accounts or credentials for applications, including for any pre-configured accounts, are changed. Australia
AUISM 1412 ACSC or vendor hardening guidance for web browsers, Microsoft Office and PDF software is implemented. Australia
AUISM 1470 Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. Australia
AUISM 1235 Add-ons, extensions and plug-ins for office productivity suites, web browsers, email clients, PDF software and security products are restricted to an organisation-approved set. Australia
AUISM 1486 Web browsers do not process Java from the internet. Australia
AUISM 1485 Web browsers do not process web advertisements from the internet. Australia
AUISM 1666 Internet Explorer 11 does not process content from the internet. Australia
AUISM 1667 Microsoft Office is blocked from creating child processes. Australia
AUISM 1668 Microsoft Office is blocked from creating executable content. Australia
AUISM 1669 Microsoft Office is blocked from injecting code into other processes. Australia
AUISM 1542 Microsoft Office is configured to prevent activation of Object Linking and Embedding packages. Australia
AUISM 1670 PDF software is blocked from creating child processes. Australia
AUISM 1601 Microsoft's Attack Surface Reduction rules are implemented. Australia
AUISM 1585 Web browser, Microsoft Office and PDF software security settings cannot be changed by users. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used? Security - Technical Australia
AUISM 1748 Office productivity suite, email client and security product security settings cannot be changed by users. Australia
AUISM 1671 Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. Australia
AUISM 1488 Microsoft Office macros in files originating from the internet are blocked. Does your organisation: - disable the internal use of business productivity tool macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) for users that don't have a demonstrated business requirement; - block macros in files originating from the internet; - enable macro antivirus scanning; and - ensure macro security settings can't be changed by users? Security - Technical Australia Y
AUISM 1672 Microsoft Office macro antivirus scanning is enabled. Australia
AUISM 1673 Microsoft Office macros are blocked from making Win32 API calls. Australia
AUISM 1674 Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute. Australia
AUISM 1487 Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations. Does your organisation: - disable the internal use of business productivity tool macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) for users that don't have a demonstrated business requirement; - block macros in files originating from the internet; - enable macro antivirus scanning; and - ensure macro security settings can't be changed by users? Security - Technical Australia Y
AUISM 1675 Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View. Australia
AUISM 1676 Microsoft Office's list of trusted publishers is validated on an annual or more frequent basis. Australia
AUISM 1489 Microsoft Office macro security settings cannot be changed by users. Does your organisation: - disable the internal use of business productivity tool macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) for users that don't have a demonstrated business requirement; - block macros in files originating from the internet; - enable macro antivirus scanning; and - ensure macro security settings can't be changed by users? Security - Technical Australia Y
AUISM 1677 Allowed and blocked Microsoft Office macro execution events are logged. Australia
AUISM 1678 Microsoft Office macro event logs are stored centrally. Australia
AUISM 1546 Users are authenticated before they are granted access to a system and its resources. Australia
AUISM 974 Multi-factor authentication is used to authenticate unprivileged users of systems. Within the service, do you offer multi-factor authentication for end-users? Security - Access Australia
AUISM 1173 Multi-factor authentication is used to authenticate privileged users of systems. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Security - Access Australia
AUISM 1504 Multi-factor authentication is used by an organisation's users if they authenticate to their organisation's internet-facing services. Australia
AUISM 1679 Multi-factor authentication is used by an organisation's users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data. Australia
AUISM 1680 Multi-factor authentication (where available) is used by an organisation's users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data. Australia
AUISM 1681 Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation's internet-facing services. Australia
AUISM 1505 Multi-factor authentication is used to authenticate users accessing important data repositories. Australia
AUISM 1401 Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are. Australia
AUISM 1682 Multi-factor authentication is verifier impersonation resistant. Australia
AUISM 1559 Memorised secrets used for multi-factor authentication are a minimum of 6 characters, unless more stringent requirements apply. At a minimum, are the following password requirements enforced for vendor staff, external contractors or associates with access to the organisation's systems and the service: - if using single factor authentication, passwords are a minimum of 14 characters with controls that limit predictability (inc. complexity); and - if using multi-factor authentication, passwords are a minimum of eight characters? Security - Access Australia
AUISM 1560 Memorised secrets used for multi-factor authentication on SECRET systems are a minimum of 8 characters. Australia
AUISM 1561 Memorised secrets used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters. Australia
AUISM 1683 Successful and unsuccessful multi-factor authentication events are logged. Australia
AUISM 1684 Multi-factor authentication event logs are stored centrally. Australia
AUISM 417 When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead. Australia
AUISM 421 Passphrases used for single-factor authentication are at least 4 random words with a total minimum length of 14 characters, unless more stringent requirements apply. At a minimum, are the following password requirements enforced for vendor staff, external contractors or associates with access to the organisation's systems and the service: - if using single factor authentication, passwords are a minimum of 14 characters with controls that limit predictability (inc. complexity); and - if using multi-factor authentication, passwords are a minimum of eight characters? Security - Access Australia
AUISM 1557 Passphrases used for single-factor authentication on SECRET systems are at least 5 random words with a total minimum length of 17 characters. Australia
AUISM 422 Passphrases used for single-factor authentication on TOP SECRET systems are at least 6 random words with a total minimum length of 20 characters. Australia
AUISM 1558 Passphrases used for single-factor authentication are not a list of categorised words; do not form a real sentence in a natural language; and are not constructed from song lyrics, movies, literature or any other publicly available material. Australia
AUISM 1593 Users provide sufficient evidence to verify their identity when requesting new credentials. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1227 Credentials set for user accounts are randomly generated. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1594 Credentials are provided to users via a secure communications channel or, if not possible, split into two parts with one part provided to users and the other part provided to supervisors. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1595 Credentials provided to users are changed on first use. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? Security - Access Australia
AUISM 1596 Credentials, in the form of memorised secrets, are not reused by users across different systems. Australia
AUISM 1403 Accounts are locked out after a maximum of five failed logon attempts. Australia
AUISM 1603 Authentication methods susceptible to replay attacks are disabled. Australia
AUISM 1055 LAN Manager and NT LAN Manager authentication methods are disabled. Australia
AUISM 1620 Privileged accounts are members of the Protected Users security group. Australia
AUISM 1685 Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed. Australia
AUISM 1619 Service accounts are created as group Managed Service Accounts. Australia
AUISM 1795 Credentials for local administrator accounts and service accounts are a minimum of 30 characters. Australia
AUISM 418 Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities. Australia
AUISM 1597 Credentials are obscured as they are entered into systems. Australia
AUISM 1402 Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database. Are all passwords used to access the service (i.e. user, system, and privileged account passwords) protected in line with the recommendations of at least one of: the Australian Cyber Security Centre Information Security Manual; New Zealand Information Security Manual and/or Open Web Application Security Program's Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation for ensuring passwords are hashed, salted and stretched? Security - Access Australia
AUISM 1686 Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled. Australia
AUISM 1749 Cached credentials are limited to one previous logon. Australia
AUISM 1590 Credentials are changed if: • they are directly compromised; • they are suspected of being compromised; • they appear in an online data breach database; • they are discovered stored on networks in the clear; • they are discovered being transferred across networks in the clear; • membership of a shared account changes; • they have not been changed in the past 12 months. Australia
AUISM 853 On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted. Australia
AUISM 428 Systems are configured with a session or screen lock that: • activates after a maximum of 15 minutes of user inactivity, or if manually activated by users; • conceals all session content on the screen; • ensures that the screen does not enter a power saving state before the session or screen lock is activated; • requires users to authenticate to unlock the session; • denies users the ability to disable the session or screen locking mechanism. Are all internal organisation systems (including operating systems) configured with a session or screen lock that: - activates after a maximum of 15 minutes of user inactivity or if manually activated by the user; - activates after a maximum of 2 minutes of user inactivity or if manually activated by the user for mobile end-user devices; - completely conceals all information on the screen; - ensures that the screen does not enter a power saving state before the screen or session lock is activated; - requires the user to reauthenticate to unlock the system; - denies users the ability to disable the session or screen locking mechanism; and - does not display any secure information of its own? Security - Access Australia
AUISM 408 Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted. Australia
AUISM 979 Legal advice is sought on the exact wording of logon banners. Australia
AUISM 1460 When using a software-based isolation mechanism to share a physical server's hardware, the isolation mechanism is from a vendor that has made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products. Australia
AUISM 1604 When using a software-based isolation mechanism to share a physical server's hardware, the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism. Australia
AUISM 1605 When using a software-based isolation mechanism to share a physical server's hardware, the underlying operating system is hardened. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of the unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used? Security - Technical Australia
AUISM 1606 When using a software-based isolation mechanism to share a physical server's hardware, patches, updates or vendor mitigations for security vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner. Australia
AUISM 1607 When using a software-based isolation mechanism to share a physical server's hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner. Australia
AUISM 1461 When using a software-based isolation mechanism to share a physical server's hardware for SECRET or TOP SECRET computing environments, the physical server and all computing environments are of the same classification and belong to the same security domain. Australia
AUISM 42 System administration processes, and supporting system administration procedures, are developed, implemented and maintained. Australia
AUISM 1211 System administrators document requirements for administrative activities, consider potential security impacts, obtain any necessary approvals, notify users of any disruptions or outages, and maintain system and security documentation. Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalised? Security - Plans and Quality Australia Y
AUISM 1380 Privileged users use separate privileged and unprivileged operating environments. Australia
AUISM 1687 Privileged operating environments are not virtualised within unprivileged operating environments. Australia
AUISM 1688 Unprivileged accounts cannot logon to privileged operating environments. Australia
AUISM 1689 Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. Australia
AUISM 1385 Administrative infrastructure is segregated from the wider network. Australia
AUISM 1750 Administrative infrastructure for critical servers, high-value servers and regular servers is segregated from each other. Australia
AUISM 1386 Network management traffic can only originate from administrative infrastructure. Australia
AUISM 1387 Administrative activities are conducted through jump servers. Australia
AUISM 1381 Only privileged operating environments can communicate with jump servers. Australia
AUISM 1388 Only jump servers can communicate with assets requiring administrative activities to be performed. Australia
AUISM 1143 Patch management processes, and supporting patch management procedures, are developed, implemented and maintained. Australia
AUISM 298 A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware. Does your organisation use a centrally managed approach to patch, update or otherwise maintain applications, drivers, operating systems, and firmware and hardware which includes ensuring: - the integrity and authenticity of patches; - successful application of patches; - that patches remain in place; - that the list of supported software for updates is reviewed regularly; and - that by default, patches to the product are applied automatically i.e. without the need for customer action? Security - Processes and Testing Australia Y
AUISM 1493 Software registers for workstations, servers, network devices and other ICT equipment are developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1643 Software registers contain versions and patch histories of applications, drivers, operating systems and firmware. Australia
AUISM 1807 An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. Australia
AUISM 1808 A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. Australia
AUISM 1698 A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services. Australia
AUISM 1699 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. Australia
AUISM 1700 A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications. Australia
AUISM 1701 A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services. Australia
AUISM 1702 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices. Australia
AUISM 1752 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of other ICT equipment. Australia
AUISM 1703 A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in drivers and firmware. Australia
AUISM 1690 Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 1691 Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. Are patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 1692 Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 1693 Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release. Are patches, updates or vendor mitigations for security vulnerabilities in other applications applied within one month of release? Security - Processes and Testing Australia Y
AUISM 1694 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 1695 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 1696 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 1751 Patches, updates or vendor mitigations for security vulnerabilities in operating systems of other ICT equipment are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 1697 Patches, updates or vendor mitigations for security vulnerabilities in drivers and firmware are applied within two weeks of release, or within 48 hours if an exploit exists. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Security - Processes and Testing Australia Y
AUISM 300 Patches, updates or vendor mitigations for security vulnerabilities in high assurance ICT equipment are applied only when approved by the ACSC, and in doing so, using methods and timeframes prescribed by the ACSC. Australia
AUISM 1704 Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. Australia
AUISM 304 Applications that are no longer supported by vendors are removed. Australia
AUISM 1501 Operating systems that are no longer supported by vendors are replaced. Australia
AUISM 1753 Network devices and other ICT equipment that are no longer supported by vendors are replaced. Australia
AUISM 1809 When applications, operating systems, network devices or other ICT equipment that are no longer supported by vendors cannot be immediately removed or replaced, compensating controls are implemented until such time that they can be removed or replaced. Australia
AUISM 1510 A digital preservation policy is developed, implemented and maintained. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Security - Plans and Quality Australia Y
AUISM 1547 Data backup processes, and supporting data backup procedures, are developed, implemented and maintained. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Security - Plans and Quality Australia Y
AUISM 1548 Data restoration processes, and supporting data restoration procedures, are developed, implemented and maintained. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Security - Plans and Quality Australia Y
AUISM 1511 Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. Are all data backups stored for a minimum of 3 months? Security - Data Deletion and Retention Australia Y
AUISM 1810 Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time. Australia
AUISM 1811 Backups of important data, software and configuration settings are retained in a secure and resilient manner. Australia
AUISM 1812 Unprivileged accounts cannot access backups belonging to other accounts. Australia
AUISM 1813 Unprivileged accounts cannot access their own backups. Australia
AUISM 1705 Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts. Australia
AUISM 1706 Privileged accounts (excluding backup administrator accounts) cannot access their own backups. Australia
AUISM 1814 Unprivileged accounts are prevented from modifying and deleting backups. Australia
AUISM 1707 Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups. Australia
AUISM 1708 Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period. Australia
AUISM 1515 Restoration of important data, software and configuration settings from backups to a common point of time is tested as part of disaster recovery exercises. Is the partial restoration of backups tested on a quarterly or more frequent basis? Security - Data Deletion and Retention Australia Y
AUISM 580 An event logging policy is developed, implemented and maintained. Australia
AUISM 585 For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the ICT equipment involved are recorded. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1405 A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur. Has your organisation implemented a centralised logging facility to store logs which: Ensures logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Security - Logging Australia Y
AUISM 1815 Event logs stored within a centralised event logging facility are protected from unauthorised modification and deletion. Australia
AUISM 988 An accurate time source is established and used consistently across systems to assist with identifying connections between events. Australia
AUISM 109 Event logs are analysed in a timely manner to detect cyber security events. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1228 Cyber security events are analysed in a timely manner to identify cyber security incidents. Australia
AUISM 859 Event logs are retained for a minimum of 7 years in accordance with the National Archives of Australia's Administrative Functions Disposal Authority Express Version 2 publication. Australia
AUISM 991 Domain Name System and web proxy event logs are retained for at least 18 months. Australia
AUISM 400 Development, testing and production environments are segregated. Australia
AUISM 1419 Development and modification of software only takes place in development environments. Australia
AUISM 1420 Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment. Is production data used in non-production (e.g., test and development) environments? Security - Technical Australia Y
AUISM 1422 Unauthorised access to the authoritative source for software is prevented. Australia
AUISM 1816 Unauthorised modification of the authoritative source for software is prevented. Australia
AUISM 401 Secure-by-design principles and secure programming practices are used as part of application development. Australia
AUISM 1780 SecDevOps practices are used for application development. Australia
AUISM 1238 Threat modelling is used in support of application development. Australia
AUISM 1796 Files containing executable content are digitally signed as part of application development. Australia
AUISM 1797 Installers, patches and updates are digitally signed or provided with cryptographic checksums as part of application development. Australia
AUISM 1798 Secure configuration guidance is produced as part of application development. Australia
AUISM 1730 A software bill of materials is produced and made available to consumers of software. Australia
AUISM 402 Applications are robustly tested for security vulnerabilities by software developers, as well as independent parties, prior to their initial release and following any maintenance activities. Australia
AUISM 1754 Security vulnerabilities identified in applications are resolved by software developers. Australia
AUISM 1616 A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? Security - Processes and Testing Australia
AUISM 1755 A vulnerability disclosure policy is developed, implemented and maintained. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? Security - Processes and Testing Australia
AUISM 1756 Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? Security - Processes and Testing Australia
AUISM 1717 A 'security.txt' file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of security vulnerabilities in an organisation's products and services. Australia
AUISM 971 The OWASP Application Security Verification Standard is followed when developing web applications. Australia
AUISM 1239 Robust web application frameworks are used in the development of web applications. Are all service application developments assessed as per a security testing methodology that is consistent with the guidance provided by the latest industry standard frameworks (e.g., Open Web Application Security Project (OWASP) Testing Guide v4.2, Building Security In Maturity Model (BSIMM))? Security - Plans and Quality Australia Y
AUISM 1552 All web application content is offered exclusively using HTTPS. Australia
AUISM 1817 Clients are authenticated when calling web APIs that facilitate access to data not authorised for release into the public domain. Australia
AUISM 1818 Clients are authenticated when calling web APIs that facilitate modification of data. Australia
AUISM 1240 Validation or sanitisation is performed on all input handled by web applications. Australia
AUISM 1241 Output encoding is performed on all output produced by web applications. Australia
AUISM 1424 Web applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers. Australia
AUISM 1536 The following events are logged for web applications: attempted access that is denied, crashes and error messages, and search queries initiated by users. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1757 Web application event logs are stored centrally. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia Y
AUISM 1269 Database servers and web servers are functionally separated. Australia
AUISM 1277 Data communicated between database servers and web servers is encrypted. What are the minimum encryption algorithms applied to protect all data in transit over networks, including encryption of data that is communicated between the user, web applications and system components (e.g., database systems)? Security - Technical Australia
AUISM 1270 Database servers are placed on a different network segment to user workstations. Australia
AUISM 1271 Network access controls are implemented to restrict database server communications to strictly defined network resources, such as web servers, application servers and storage area networks. Australia
AUISM 1272 If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface. Australia
AUISM 1273 Development and testing environments do not use the same database servers as production environments. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1245 All temporary installation files and logs are removed after DBMS software has been installed. Australia
AUISM 1246 DBMS software is configured according to vendor guidance. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1247 Unneeded accounts, components, services and functionality of DBMS software are disabled or removed. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1249 DBMS software is configured to run as a separate account with the minimum privileges needed to perform its functions. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1250 The account under which DBMS software runs has limited access to non-essential areas of the database server's file system. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1251 The ability of DBMS software to read local files from its database server is disabled. Australia
AUISM 1260 Default database administrator accounts are disabled, renamed or have their credentials changed. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1262 Database administrators have unique and identifiable accounts. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1261 Database administrator accounts are not shared across different databases. Australia
AUISM 1263 Database administrator accounts are used exclusively for administrative activities, with standard database accounts used for general purpose interactions with databases. Does your organisation enforce the following controls on database management system (DBMS) software: • Follow vendor guidance for securing the database; • DBMS software features and stored procedures, accounts and databases that are not required are disabled or removed; • Least privileges; • File-based access controls; • Disable anonymous and default database administrator account; • Unique username and password for each database administrator account; • Use database administrator accounts for administrative tasks only; and • Segregate test and production environment? Security - Technical Australia
AUISM 1264 Database administrator access is restricted to defined roles rather than accounts with default administrative permissions or all permissions. Australia
AUISM 1243 A database register is developed, implemented, maintained and verified on a regular basis. Australia
AUISM 1256 File-based access controls are applied to database files. Australia
AUISM 393 Databases and their contents are classified based on the sensitivity or classification of data that they contain. Australia
AUISM 1255 Database users' ability to access, insert, modify and remove database contents is restricted based on their work duties. Australia
AUISM 1268 The need-to-know principle is enforced for database contents through the application of minimum privileges, database views and database roles. Australia
AUISM 1274 Database contents from production environments are not used in development or testing environments unless the environment is secured to the same level as the production environment. Australia
AUISM 1275 All queries to databases from web applications are filtered for legitimate content and correct syntax. Australia
AUISM 1276 Parameterised queries or stored procedures are used for database interaction instead of dynamically generated queries. Australia
AUISM 1278 Web applications are designed to provide as little error information as possible about the structure of databases. Australia
AUISM 1537 The following events are logged for databases: - access or modification of particularly important content; - addition of new users, especially privileged users; - changes to user roles or privileges; - attempts to elevate user privileges; - queries containing comments; - queries containing multiple embedded queries; - database and query alerts or failures; - database structure changes; - database administrator actions; - use of executable commands; and - database logons and logoffs. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/ removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/ restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Security - Logging Australia
AUISM 1758 Database event logs are stored centrally. Australia
AUISM 264 An email usage policy is developed, implemented and maintained. Australia
AUISM 267 Access to non-approved webmail services is blocked. Australia
AUISM 270 Protective markings are applied to emails and reflect the highest sensitivity or classification of the subject, body and attachments. Australia
AUISM 271 Protective marking tools do not automatically insert protective markings into emails. Australia
AUISM 272 Protective marking tools do not allow users to select protective markings that a system has not been authorised to process, store or communicate. Australia
AUISM 1089 Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used. Australia
AUISM 565 Email servers are configured to block, log and report emails with inappropriate protective markings. Australia
AUISM 1023 The intended recipients of blocked inbound emails, and the senders of blocked outbound emails, are notified. Australia
AUISM 269 Emails containing Australian Eyes Only, Australian Government Access Only or Releasable To data are not sent to email distribution lists unless the nationality of all members of email distribution lists can be confirmed. Australia
AUISM 569 Emails are routed via centralised email gateways. Australia
AUISM 571 When users send or receive emails, an authenticated and encrypted channel is used to route emails via their organisation's centralised email gateways. Australia
AUISM 570 Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway. Australia
AUISM 567 Email servers only relay emails destined for or originating from their domains (including subdomains). Australia
AUISM 572 Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure. Australia
AUISM 1589 MTA-STS is enabled to prevent the unencrypted transfer of emails between complying servers. Australia
AUISM 574 SPF is used to specify authorised email servers (or lack thereof) for all domains (including subdomains). Australia
AUISM 1183 A hard fail SPF record is used when specifying authorised email servers (or lack thereof) for all domains (including subdomains). Australia
AUISM 1151 SPF is used to verify the authenticity of incoming emails. Australia
AUISM 861 DKIM signing is enabled on emails originating from an organisationís domains (including subdomains). Australia
AUISM 1026 DKIM signatures on received emails are verified. Australia
AUISM 1027 Email distribution list software used by external senders is configured such that it does not break the validity of the sender's DKIM signature. Australia
AUISM 1540 DMARC records are configured for all domains (including subdomains) such that emails are rejected if they do not pass DMARC checks. Australia
AUISM 1799 Incoming emails are rejected if they do not pass DMARC checks. Australia
AUISM 1234 Email content filtering is implemented to filter potentially harmful content in email bodies and attachments. Australia
AUISM 1502 Emails arriving via an external connection where the email source address uses an internal domain, or internal subdomain, are blocked at the email gateway. Australia
AUISM 1024 Notifications of undeliverable emails are only sent to senders that can be verified via SPF or other trusted means. Australia
AUISM 518 Network documentation is developed, implemented, maintained. Australia
AUISM 516 Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances. Australia
AUISM 1178 Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services. Australia
AUISM 1781 All data communicated over network infrastructure is encrypted. Australia
AUISM 1181 Networks are segregated into multiple network zones according to the criticality of servers, services and data. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: - Secure communication between network segments (e.g., using firewalls), including filtering between network segments; - DMZ for internet-facing components and separate trusted zones for other components; and - Virtual (e.g., VLAN) or physical network segregation? Security - Technical Australia
AUISM 1577 An organisation's networks are segregated from their service providers' networks. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: - Secure communication between network segments (e.g., using firewalls), including filtering between network segments; - DMZ for internet-facing components and separate trusted zones for other components; and - Virtual (e.g., VLAN) or physical network segregation? Security - Technical Australia
AUISM 1532 VLANs are not used to separate network traffic between an organisation's networks and public network infrastructure. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: - Secure communication between network segments (e.g., using firewalls), including filtering between network segments; - DMZ for internet-facing components and separate trusted zones for other components; and - Virtual (e.g., VLAN) or physical network segregation? Security - Technical Australia
AUISM 529 VLANs are not used to separate network traffic between networks belonging to different security domains. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: - Secure communication between network segments (e.g., using firewalls), including filtering between network segments; - DMZ for internet-facing components and separate trusted zones for other components; and - Virtual (e.g., VLAN) or physical network segregation? Security - Technical Australia
AUISM 530 Network devices managing VLANs are administered from the most trusted security domain. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: - Secure communication between network segments (e.g., using firewalls), including filtering between network segments; - DMZ for internet-facing components and separate trusted zones for other components; and - Virtual (e.g., VLAN) or physical network segregation? Security - Technical Australia
AUISM 535 Network devices managing VLANs belonging to different security domains do not share VLAN trunks. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: - Secure communication between network segments (e.g., using firewalls), including filtering between network segments; - DMZ for internet-facing components and separate trusted zones for other components; and - Virtual (e.g., VLAN) or physical network segregation? Security - Technical Australia
AUISM 1364 Network devices managing VLANs terminate VLANs belonging to different security domains on separate physical network interfaces. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: - Secure communication between network segments (e.g., using firewalls), including filtering between network segments; - DMZ for internet-facing components and separate trusted zones for other components; and - Virtual (e.g., VLAN) or physical network segregation? Security - Technical Australia
AUISM 521 IPv6 functionality is disabled in dual-stack network devices unless it is being used. Australia
AUISM 1186 IPv6 capable network security appliances are used on IPv6 and dual-stack networks. Australia
AUISM 1428 Unless explicitly required, IPv6 tunnelling is disabled on all network devices. Australia
AUISM 1429 IPv6 tunnelling is blocked by network security appliances at externally-connected network boundaries. Australia
AUISM 1430 Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised event logging facility. Australia
AUISM 520 Network access controls are implemented on networks to prevent the connection of unauthorised network devices. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1182 Network access controls are implemented to limit network traffic within and between network segments to only those required for business purposes. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 385 Servers maintain effective functional separation with other servers allowing them to operate independently. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1479 Servers minimise communications with other servers at both the network and file system level. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1006 Security measures are implemented to prevent unauthorised access to network management traffic. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1311 SNMP version 1 and SNMP version 2 are not used on networks. Australia
AUISM 1312 All default SNMP community strings on network devices are changed and write access is disabled. Australia
AUISM 1028 A NIDS or NIPS is deployed in gateways between an organisation's networks and other networks they do not manage. Australia
AUISM 1030 A NIDS or NIPS is located immediately inside the outermost firewall for gateways and configured to generate event logs and alerts for network traffic that contravenes any rule in a firewall ruleset. Australia
AUISM 1627 Inbound network connections from anonymity networks to internet-facing services are blocked. Australia
AUISM 1628 Outbound network connections to anonymity networks are blocked. Australia
AUISM 1782 A protective DNS service is used to block access to known malicious domain names. Australia
AUISM 1800 Network devices are flashed with trusted firmware before they are used for the first time. Australia
AUISM 1304 Default accounts or credentials for network devices including for any pre-configured accounts, are changed. Australia
AUISM 534 Unused physical ports on network devices are disabled. Australia
AUISM 1801 Network devices are restarted on at least a monthly basis. Australia
AUISM 1314 All wireless devices are Wi-Fi Alliance certified. Australia
AUISM 536 Public wireless networks provided for general public use are segregated from all other organisation networks. Australia
AUISM 1315 The administrative interface on wireless access points is disabled for wireless network connections. Australia
AUISM 1710 Configuration settings for wireless access points are hardened. Australia
AUISM 1316 Default SSIDs of wireless access points are changed. Australia
AUISM 1317 SSIDs of non-public wireless networks are not readily associated with an organisation, the location of their premises or the functionality of wireless networks. Australia
AUISM 1318 SSID broadcasting is not disabled on wireless access points. Australia
AUISM 1320 MAC address filtering is not used to restrict which devices can connect to wireless networks. Australia
AUISM 1319 Static addressing is not used for assigning IP addresses on wireless networks. Australia
AUISM 1332 WPA3-Enterprise 192-bit mode is used to protect the confidentiality and integrity of all wireless network traffic. Australia
AUISM 1321 802.1X authentication with EAP-TLS, using X.509 certificates, is used for mutual authentication; with all other EAP methods disabled on supplicants and authentication servers. Australia
AUISM 1711 User identity confidentiality is used if available with EAP-TLS implementations. Australia
AUISM 1322 Evaluated supplicants, authenticators, wireless access points and authentication servers are used in wireless networks. Australia
AUISM 1324 Certificates are generated using an evaluated certificate authority or hardware security module. Australia
AUISM 1323 Certificates are required for both devices and users accessing wireless networks. Australia
AUISM 1327 Certificates are protected by encryption, user authentication, and both logical and physical access controls. Australia
AUISM 1330 The PMK caching period is not set to greater than 1440 minutes (24 hours). Australia
AUISM 1712 The use of FT (802.11r) is disabled unless authenticator-to-authenticator communications are secured by an ASD-Approved Cryptographic Protocol. Australia
AUISM 1454 Communications between authenticators and a RADIUS server are encapsulated with an additional layer of encryption using RADIUS over Internet Protocol Security or RADIUS over Transport Layer Security. Australia
AUISM 1334 Wireless networks implement sufficient frequency separation from other wireless networks. Australia
AUISM 1335 Wireless access points enable the use of the 802.11w amendment to protect management frames. Australia
AUISM 1338 Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power are deployed to achieve the desired footprint for wireless networks. Australia
AUISM 1013 The effective range of wireless communications outside an organisation's area of control is limited by implementing RF shielding on facilities in which SECRET or TOP SECRET wireless networks are used. Australia
AUISM 1437 Cloud service providers are used for hosting online services. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1578 An organisation is notified by cloud service providers of any change to configured regions or availability zones for online services. Are customers notified of any relocation or expansion (i.e. change of country) of: • the cloud infrastructure, including system components, user data and related data; and • any person (vendor or cloud infrastructure staff, external contractors or associates) with access to unencrypted customer data or any person with a means of accessing or extracting unencrypted data (e.g., those with access to encryption keys and encrypted customer data), prior to relocation? Security - Hosting and Location Australia Y
AUISM 1579 Cloud service providers' ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes for online services. Australia
AUISM 1580 Where a high availability requirement exists for online services, the services are architected to automatically transition between availability zones. Australia
AUISM 1441 Where a requirement for high availability exists for online services, a denial of service mitigation service is used. Australia
AUISM 1581 Continuous real-time monitoring of the availability of online services is performed. Australia
AUISM 1438 Where a high availability requirement exists for website hosting, CDNs that cache websites are used. Australia
AUISM 1439 If using CDNs, disclosing the IP addresses of web servers under an organisation's control (referred to as origin servers) is avoided and access to the origin servers is restricted to the CDNs and authorised management networks. Australia
AUISM 1431 Denial-of-service attack mitigation strategies are discussed with cloud service providers, specifically: • their capacity to withstand denial-of-service attacks; • any costs likely to be incurred as a result of denial-of-service attacks; • thresholds for notification of denial-of-service attacks; • thresholds for turning off online services during denial-of-service attacks; • pre-approved actions that can be undertaken during denial-of-service attacks; • any arrangements with upstream service providers to block malicious network traffic as far upstream as possible. Australia
AUISM 1458 The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented. Australia
AUISM 1432 Domain names for online services are protected via registrar locking and confirming domain registration details are correct. Australia
AUISM 1435 Availability monitoring with real-time alerting is implemented for online services to detect denial-of-service attacks and measure their impact. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets are configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organization's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; • Periodic scan of organisational file storage and real-time scans of files from external sources? Security - Technical Australia Y
AUISM 1436 Critical online services are segregated from other online services that are more likely to be targeted. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 1518 A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack. Australia
AUISM 1802 HACE does not process, store or communicate SECRET or TOP SECRET data until approved for use by ASD. Australia
AUISM 499 All communications security and equipment-specific doctrine produced by the ACSC for the management and use of ASD-approved HACE is complied with. Australia
AUISM 507 Cryptographic key management processes, and supporting cryptographic key management procedures, are developed, implemented and maintained. Australia
AUISM 1080 An ASD-Approved Cryptographic Algorithm (AACA) or high assurance cryptographic algorithm is used when encrypting media. Australia
AUISM 457 Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used when encrypting media that contains OFFICIAL: Sensitive or PROTECTED data. Australia
AUISM 460 ASD-approved HACE is used when encrypting media that contains SECRET or TOP SECRET data. Australia
AUISM 459 Full disk encryption, or partial encryption where access controls will only allow writing to the encrypted partition, is implemented when encrypting data at rest. Australia
AUISM 469 An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect data when communicated over network infrastructure. Australia
AUISM 465 Cryptographic equipment or software that has completed a Common Criteria evaluation against a Protection Profile is used to protect OFFICIAL: Sensitive or PROTECTED data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure. Australia
AUISM 467 ASD-approved HACE is used to protect SECRET and TOP SECRET data when communicated over insufficiently secure networks, outside of appropriately secure areas or via public network infrastructure. Australia
AUISM 455 Where practical, cryptographic equipment and software provides a means of data recovery to allow for circumstances where the encryption key is unavailable due to loss, damage or failure. Australia
AUISM 462 When a user authenticates to the encryption functionality of ICT equipment or media, it is treated in accordance with its original sensitivity or classification until the user deauthenticates from the encryption functionality. Australia
AUISM 501 Keyed cryptographic equipment is transported based on the sensitivity or classification of its keying material. Australia
AUISM 142 The compromise or suspected compromise of cryptographic equipment or associated keying material is reported to an organisation's Chief Information Security Officer, or one of their delegates, as soon as possible after it occurs. Australia
AUISM 1091 Keying material is changed when compromised or suspected of being compromised. Australia
AUISM 471 Only AACAs or high assurance cryptographic algorithms are used by cryptographic equipment and software. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 994 ECDH and ECDSA are used in preference to DH and DSA. What are the minimum encryption algorithms applied to protect all data in transit over networks, including encryption of data that is communicated between the user, web applications and system components (e.g., database systems)? Security - Technical Australia
AUISM 472 When using DH for agreeing on encryption session keys, a modulus of at least 2048 bits is used, preferably 3072 bits. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1759 When using DH for agreeing on encryption session keys, a modulus of at least 3072 bits is used, preferably 3072 bits. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1629 When using DH for agreeing on encryption session keys, a modulus and associated parameters are selected according to NIST SP 800-56A Rev. 3. Australia
AUISM 473 When using DSA for digital signatures, a modulus of at least 2048 bits is used. Australia
AUISM 1630 When using DSA for digital signatures, a modulus and associated parameters are generated according to FIPS 186-4. Australia
AUISM 1760 DSA is not used for digital signatures. Australia
AUISM 1446 When using elliptic curve cryptography, a curve from FIPS 186-4 is used. Australia
AUISM 474 When using ECDH for agreeing on encryption session keys, a base point order and key size of at least 224 bits is used, preferably the NIST P-384 curve. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1761 When using ECDH for agreeing on encryption session keys, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? Security - Technical Australia
AUISM 1762 When using ECDH for agreeing on encryption session keys, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve. Australia
AUISM 475 When using ECDSA for digital signatures, a base point order and key size of at least 224 bits is used, preferably the P-384 curve. Australia
AUISM 1763 When using ECDSA for digital signatures, NIST P-256, P-384 or P-521 curves are used, preferably the NIST P-384 curve. Australia
AUISM 1764 When using ECDSA for digital signatures, NIST P-384 or P-521 curves are used, preferably the NIST P-384 curve. Australia
AUISM 476 When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 2048 bits is used, preferably 3072 bits. Australia
AUISM 1765 When using RSA for digital signatures, and passing encryption session keys or similar keys, a modulus of at least 3072 bits is used, preferably 3072 bits. Australia
AUISM 477 When using RSA for digital signatures, and for passing encryption session keys or similar keys, a different key pair is used for digital signatures and passing encrypted session keys. Australia
AUISM 1766 When using SHA-2 for hashing, an output size of at least 224 bits is used, preferably SHA-384. Australia
AUISM 1767 When using SHA-2 for hashing, an output size of at least 256 bits is used, preferably SHA-384. Australia
AUISM 1768 When using SHA-2 for hashing, an output size of at least 384 bits is used, preferably SHA-384. Australia
AUISM 1769 When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256. Australia
AUISM 1770 When using AES for encryption, AES-192 or AES-256 is used, preferably AES-256. Australia
AUISM 479 Symmetric cryptographic algorithms are not used in Electronic Codebook Mode. Australia
AUISM 481 Only AACPs or high assurance cryptographic protocols are used by cryptographic equipment and software. Australia
AUISM 1139 Only the latest version of TLS is used for TLS connections. If customer data is uploaded to the service using a mechanism such as encrypted USB, SFTP, Secure API, etc., what are the minimum encryption methodologies applied? Security - Technical Australia
AUISM 1369 AES-GCM is used for encryption of TLS connections. Australia
AUISM 1370 Only server-initiated secure renegotiation is used for TLS connections. Australia
AUISM 1372 DH or ECDH is used for key establishment of TLS connections. Australia
AUISM 1448 When using DH or ECDH for key establishment of TLS connections, the ephemeral variant is used. Australia
AUISM 1373 Anonymous DH is not used for TLS connections. Australia
AUISM 1374 SHA-2-based certificates are used for TLS connections. Australia
AUISM 1375 SHA-2 is used for the Hash-based Message Authentication Code (HMAC) and pseudorandom function (PRF) for TLS connections. Australia
AUISM 1553 TLS compression is disabled for TLS connections. Australia
AUISM 1453 Perfect Forward Secrecy (PFS) is used for TLS connections. Australia
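The TLS controls above (ISM 1139, 1369, 1370, 1372, 1448, 1373, 1374, 1375, 1553, 1453) together with the key-size controls (ISM 1446, 1759, 1761, 1763, 1765) can be applied mechanically to the parameters a scanner or a server configuration reports. The following is an added example written for this page, not ISM or vendor code: it evaluates a connection record (the field names `version`, `cipher_suite`, `group`, `cert_sig_hash`, `cert_key_type`, `cert_key_bits`, `compression`, `client_renegotiation` are this example's own) against those controls, reading the key exchange, bulk cipher and hash out of the IANA cipher suite name. `LATEST_TLS = "TLSv1.3"` is an assumption about what "latest version" means at the time of writing, and the three sample records are constructed, not captured from a real server.

```python
"""Evaluate a TLS endpoint's negotiated or configured parameters against the
ISM TLS controls (1139, 1369, 1370, 1372/1448, 1373, 1374, 1375, 1553, 1453)
and the key-size controls (1446, 1759, 1761, 1763, 1765).
Added example: the record fields and the three sample records are this
example's own constructions, not output of any real scanner."""

LATEST_TLS = "TLSv1.3"   # ISM 1139 "latest version": 1.3 at the time of writing (assumption)
SHA2 = {"SHA256", "SHA384", "SHA512"}

# Key-exchange groups acceptable under ISM 1446/1761 (FIPS 186-4 curves) and
# ISM 1759 (finite-field DH modulus of at least 3072 bits), by common alias.
GROUPS_OK = {
    "secp256r1": "P-256", "prime256v1": "P-256", "p-256": "P-256",
    "secp384r1": "P-384", "p-384": "P-384",
    "secp521r1": "P-521", "p-521": "P-521",
    "ffdhe3072": "FFDHE-3072", "ffdhe4096": "FFDHE-4096", "ffdhe8192": "FFDHE-8192",
}


def check_cipher_suite(name):
    """Issues for one IANA cipher suite name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384."""
    issues = []
    n = name.upper()
    # TLS 1.3 suite names carry only the AEAD and hash; their key exchange is
    # always ephemeral (EC)DHE, so the key-exchange checks apply to TLS 1.2 names.
    tls13 = n.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    if not tls13:
        kx = n.split("_WITH_")[0]                 # e.g. TLS_RSA, TLS_DH_ANON, TLS_ECDHE_ECDSA
        if "ANON" in kx:
            issues.append("anonymous DH key exchange (ISM 1373)")
        elif "DHE" not in kx:                     # ECDHE contains DHE; static RSA/DH/ECDH do not
            issues.append("non-ephemeral key exchange, no PFS (ISM 1372, 1448, 1453)")
    if not ("AES_" in n and "_GCM_" in n):
        issues.append("bulk cipher is not AES-GCM (ISM 1369)")
    if n.rsplit("_", 1)[-1] not in SHA2:          # trailing token is the HMAC/PRF hash
        issues.append("HMAC/PRF hash is not SHA-2 (ISM 1375)")
    return issues


def check_tls(rec):
    """Issues for one connection record (constructed field names, see samples)."""
    issues = check_cipher_suite(rec["cipher_suite"])
    if rec["version"] != LATEST_TLS:
        issues.append(f"{rec['version']} in use, not {LATEST_TLS} (ISM 1139)")
    if rec.get("compression"):
        issues.append("TLS compression enabled (ISM 1553)")
    if rec.get("client_renegotiation"):
        issues.append("client-initiated renegotiation permitted (ISM 1370)")
    group = rec.get("group")                       # None for static-RSA key transport
    if group is not None and group.lower() not in GROUPS_OK:
        issues.append(f"group {group}: not a FIPS 186-4 curve or a >=3072-bit MODP group (ISM 1446, 1759)")
    if rec["cert_sig_hash"].upper() not in SHA2:
        issues.append("certificate is not SHA-2 signed (ISM 1374)")
    key_type, bits = rec["cert_key_type"].upper(), rec["cert_key_bits"]
    if key_type == "RSA" and bits < 3072:
        issues.append(f"RSA-{bits} certificate key, minimum 3072 (ISM 1765)")
    elif key_type == "ECDSA" and bits not in (256, 384, 521):
        issues.append(f"ECDSA key on a {bits}-bit curve; use P-256/P-384/P-521 (ISM 1763)")
    return issues


# Constructed sample records (not captured from a real server).
WEAK = {"version": "TLSv1.2", "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "group": None,
        "cert_sig_hash": "SHA1", "cert_key_type": "RSA", "cert_key_bits": 2048,
        "compression": True, "client_renegotiation": True}
LEGACY = {"version": "TLSv1.2", "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "group": "x25519",
          "cert_sig_hash": "SHA256", "cert_key_type": "RSA", "cert_key_bits": 3072,
          "compression": False, "client_renegotiation": False}
MODERN = {"version": "TLSv1.3", "cipher_suite": "TLS_AES_256_GCM_SHA384", "group": "secp384r1",
          "cert_sig_hash": "SHA384", "cert_key_type": "ECDSA", "cert_key_bits": 384,
          "compression": False, "client_renegotiation": False}

if __name__ == "__main__":
    for label, rec in (("weak", WEAK), ("legacy", LEGACY), ("modern", MODERN)):
        print(label, check_tls(rec) or ["compliant"])
```

The `LEGACY` record is the instructive one: an ECDHE AES-GCM suite with a 3072-bit RSA key is sound by most hardening guides, but it still fails two ISM controls (TLS 1.2 rather than the latest version, and X25519, which is not a FIPS 186-4 curve). The cipher-suite parser deliberately treats the TLS 1.3 names separately, since they no longer encode the key exchange.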
AUISM 1506 The use of SSH version 1 is disabled for SSH connections. Australia
AUISM 484 The SSH daemon is configured to: • only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx); • have a suitable login banner (Banner x); • have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60); • disable host-based authentication (HostbasedAuthentication no); • disable rhosts-based authentication (IgnoreRhosts yes); • disable the ability to login directly as root (PermitRootLogin no); • disable empty passwords (PermitEmptyPasswords no); • disable connection forwarding (AllowTCPForwarding no); • disable gateway ports (GatewayPorts no); • disable X11 forwarding (X11Forwarding no). Australia
AUISM 485 Public key-based authentication is used for SSH connections. Australia
AUISM 1449 SSH private keys are protected with a passphrase or a key encryption key. Australia
AUISM 487 When using logins without a passphrase for SSH connections, the following are disabled: • access from IP addresses that do not require access; • port forwarding; • agent credential forwarding; • X11 display remoting; • console access. Australia
AUISM 488 If using remote access without the use of a passphrase for SSH connections, the 'forced command' option is used to specify what command is executed and parameter checking is enabled. Australia
AUISM 489 When SSH-agent or similar key caching programs are used, it is limited to workstations and servers with screen locks and key caches that are set to expire within four hours of inactivity. Australia
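ISM 484 above is unusual among these controls in naming the exact sshd_config directives and values, which makes it directly auditable. The script below is an added example written for this page (not ISM, OpenSSH or vendor code): it parses an sshd_config the way sshd does (first value of a repeated directive wins, lines after a `Match` block are conditional and therefore not counted as global settings), fills in the OpenSSH defaults from sshd_config(5) for anything absent, and reports every ISM 484 directive that is not set as required, plus `PubkeyAuthentication yes` as this example's mapping of ISM 485. The two configurations at the bottom are constructed samples, not from a real host.

```python
"""Audit an sshd_config against the ISM 484 directive list (plus
PubkeyAuthentication for ISM 485). Added example, not from the ISM or any
vendor; the two configs at the bottom are constructed samples."""

import re


def _seconds(value):
    """sshd time format: plain seconds or with s/m/h/d/w suffixes, per sshd_config(5)."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(num) * units.get(unit, 1)
               for num, unit in re.findall(r"(\d+)([smhdw]?)", value.lower()))


# directive -> (OpenSSH default applied when the directive is absent, required predicate)
RULES = {
    "LoginGraceTime":          ("120", lambda v: _seconds(v) <= 60),
    "HostbasedAuthentication": ("no", lambda v: v == "no"),
    "IgnoreRhosts":            ("yes", lambda v: v == "yes"),
    "PermitRootLogin":         ("prohibit-password", lambda v: v == "no"),
    "PermitEmptyPasswords":    ("no", lambda v: v == "no"),
    "AllowTcpForwarding":      ("yes", lambda v: v == "no"),
    "GatewayPorts":            ("no", lambda v: v == "no"),
    "X11Forwarding":           ("no", lambda v: v == "no"),
    "PubkeyAuthentication":    ("yes", lambda v: v == "yes"),   # ISM 485 (this example's mapping)
}


def parse_sshd_config(text):
    """Return {lowercase directive: [values in file order]} for global-scope directives.
    Directives after a Match line apply only when the Match criteria hold, so they are
    skipped: a hardening value that exists only inside a Match block is not a global setting."""
    conf = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            conf.setdefault(key, []).append(value)
    return conf


def audit(text):
    """List of ISM 484/485 findings for one sshd_config; empty list means compliant."""
    conf = parse_sshd_config(text)
    findings = []
    # ListenAddress accumulates (every line is bound), so all of them must be explicit.
    addrs = conf.get("listenaddress", [])
    hosts = [a[1:a.index("]")] if a.startswith("[")                # [::]:22
             else (a.rsplit(":", 1)[0] if a.count(":") == 1 else a)  # 192.0.2.10:22 or bare
             for a in addrs]
    if not addrs or any(h in ("0.0.0.0", "::", "*") for h in hosts):
        findings.append("ListenAddress: sshd is bound to all interfaces")
    if conf.get("banner", ["none"])[0].lower() == "none":
        findings.append("Banner: no login banner is configured")
    for name, (default, ok) in RULES.items():
        value = conf.get(name.lower(), [default])[0].lower()   # sshd uses the first occurrence
        if not ok(value):
            findings.append(f"{name}: '{value}' does not meet ISM 484/485")
    return findings


# Constructed samples (not from a real host).
SAMPLE_WEAK = """\
# distribution defaults left mostly in place
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
X11Forwarding yes
LoginGraceTime 2m
Match User backup
    AllowTcpForwarding no
"""

SAMPLE_HARDENED = """\
ListenAddress 192.0.2.10
Banner /etc/issue.net
LoginGraceTime 60
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PubkeyAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(cfg) or ["compliant"])
```

Two details matter when this is run against real hosts: `AllowTcpForwarding no` placed only inside a `Match User backup` block does not satisfy the control for any other user, which is why the parser stops collecting at the first `Match`; and a directive that is simply absent is judged by its OpenSSH default (`AllowTcpForwarding` defaults to `yes`, `LoginGraceTime` to 120 seconds), so "nothing configured" is not "compliant". Run it on the effective configuration (`sshd -T` output uses the same `key value` form) rather than only on the main file when `Include` is in use.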
AUISM 490 Versions of S/MIME earlier than S/MIME version 3.0 are not used for S/MIME connections. Australia
AUISM 494 Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used. Australia
AUISM 496 The ESP protocol is used for authentication and encryption of IPsec connections. Australia
AUISM 1233 IKE version 2 is used for key exchange when establishing IPsec connections. Australia
AUISM 1771 AES is used for encrypting IPsec connections, preferably ENCR_AES_GCM_16. Australia
AUISM 1772 PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for IPsec connections, preferably PRF_HMAC_SHA2_512. Australia
AUISM 998 AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_384_192, AUTH_HMAC_SHA2_512_256 or NONE (only with AES-GCM) is used for authenticating IPsec connections, preferably NONE. Australia
AUISM 999 DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group. Australia
AUISM 498 A security association lifetime of less than four hours (14400 seconds) is used for IPsec connections. Australia
AUISM 1000 PFS is used for IPsec connections. Australia
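The IPsec controls above (ISM 1771, 1772, 998, 999, 1000 and 498) describe an IKEv2 proposal almost exactly in the form that IKE daemons accept it. The checker below is an added example written for this page, not ISM or strongSwan code: it assumes strongSwan's proposal token syntax (`aes256gcm16-prfsha512-ecp384` for IKE, `aes256gcm16-ecp384` for ESP, documented in swanctl.conf), classifies each token as encryption, integrity, PRF or DH group, and reports every departure from the controls, including the case ISM 998 singles out where integrity is `NONE` and is only acceptable because the cipher is AES-GCM. It also applies ISM 498's lifetime bound. All proposals in it are constructed samples.

```python
"""Check IKEv2 and ESP proposals written as strongSwan-style token strings
against ISM 1771, 1772, 998, 999, 1000 and 498.
Added example: the token syntax follows strongSwan's swanctl.conf
documentation (an assumption); all proposals below are constructed."""

import re

SHA2_INTEG = {"sha256", "sha384", "sha512"}           # AUTH_HMAC_SHA2_256_128/384_192/512_256 (ISM 998)
SHA2_PRF = {"prfsha256", "prfsha384", "prfsha512"}    # PRF_HMAC_SHA2_256/384/512 (ISM 1772)
DH_OK = {"ecp256", "ecp384", "ecp521",                # FIPS 186-4 curves (ISM 1446), ecp384 preferred
         "modp3072", "modp4096", "modp6144", "modp8192"}   # MODP >= 3072 bits (ISM 999, 1759)
SA_LIFETIME_MAX = 14400                               # ISM 498: strictly less than four hours


def classify(token):
    """Map one proposal token to enc / integ / prf / dh / unknown."""
    if re.fullmatch(r"aes(128|192|256)(gcm(8|12|16)|ccm(8|12|16))?", token):
        return "enc"
    if token in {"3des", "null", "chacha20poly1305"} or token.startswith(("camellia", "blowfish", "cast")):
        return "enc"
    if token.startswith("prf"):
        return "prf"
    if token in SHA2_INTEG | {"sha1", "md5", "aesxcbc", "aescmac", "sha1_160"}:
        return "integ"
    if re.fullmatch(r"modp\d+|ecp\d+(bp)?|curve25519|curve448", token):
        return "dh"
    return "unknown"


def check_proposal(proposal, ike=True, pfs=True):
    """Issues for one proposal. ike=False checks an ESP (child SA) proposal,
    where pfs=True additionally requires a DH group (ISM 1000)."""
    by_kind = {}
    for tok in proposal.lower().split("-"):
        by_kind.setdefault(classify(tok), []).append(tok)
    issues = [f"unrecognised token {t}" for t in by_kind.get("unknown", [])]

    enc = by_kind.get("enc", [])
    aead = any("gcm" in e or "ccm" in e for e in enc)
    for e in enc:
        if not e.startswith("aes"):
            issues.append(f"{e}: encryption must be AES, preferably ENCR_AES_GCM_16 (ISM 1771)")

    integ = by_kind.get("integ", [])
    if aead and integ:
        issues.append("integrity algorithm combined with an AEAD cipher; use NONE with AES-GCM (ISM 998)")
    if not aead:
        if not integ:
            issues.append("no integrity algorithm and cipher is not AES-GCM (ISM 998)")
        for i in integ:
            if i not in SHA2_INTEG:
                issues.append(f"{i}: integrity must be AUTH_HMAC_SHA2_256/384/512 (ISM 998)")

    if ike:
        prf = by_kind.get("prf", [])
        if not prf and integ:                # strongSwan derives the PRF from the integrity algorithm
            prf = ["prf" + i for i in integ]
        if not prf:
            issues.append("no PRF specified for IKE (ISM 1772)")
        for p in prf:
            if p not in SHA2_PRF:
                issues.append(f"{p}: PRF must be PRF_HMAC_SHA2_256/384/512 (ISM 1772)")
    elif by_kind.get("prf"):
        issues.append("PRF token in an ESP proposal has no effect")

    dh = by_kind.get("dh", [])
    if not dh and ike:
        issues.append("no DH group for IKE key establishment (ISM 999)")
    if not dh and not ike and pfs:
        issues.append("no DH group in ESP proposal, so no PFS (ISM 1000)")
    for g in dh:
        if g not in DH_OK:
            issues.append(f"{g}: use ecp384 (preferred), modp3072 or modp4096 (ISM 999, 1759, 1446)")
    return issues


def sa_lifetime_ok(seconds):
    """ISM 498: security association lifetime strictly below four hours."""
    return 0 < seconds < SA_LIFETIME_MAX


if __name__ == "__main__":
    # Constructed samples; the first IKE and ESP proposals satisfy the controls.
    for prop, ike in (("aes256gcm16-prfsha512-ecp384", True), ("aes128-sha1-modp1024", True),
                      ("aes256gcm16-ecp384", False), ("aes256gcm16", False)):
        print(("ike " if ike else "esp ") + prop, check_proposal(prop, ike=ike) or ["compliant"])
    print("rekey 14400s ok:", sa_lifetime_ok(14400), "| rekey 3600s ok:", sa_lifetime_ok(3600))
```

The derived-PRF branch is the subtle part: an IKE proposal such as `aes128-sha1-modp1024` names no PRF, and strongSwan supplies `prfsha1` from the integrity algorithm, so it fails ISM 1772 as well as ISM 998 and 999 even though no PRF token appears. Likewise an ESP proposal with no DH group is accepted by the daemon but gives up the PFS that ISM 1000 requires, and a four-hour rekey interval fails ISM 498 because the control says strictly less than 14400 seconds.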
AUISM 628 Gateways are implemented between networks belonging to different security domains. Are internet facing components (e.g., web servers) separated from other online components (e.g. databases) using the following controls: Secure communication between network segments (e.g., using firewalls), including filtering between network segments DMZ for internet-facing components and separate trusted zones for other components Virtual (e.g., VLAN) or physical network segregation Security - Technical Australia
AUISM 637 Gateways implement a demilitarised zone if external parties require access to an organisation's services. Australia
AUISM 631 Gateways only allow explicitly authorised data flows. Australia
AUISM 1192 Gateways inspect and filter data flows at the transport and above network layers. Australia
AUISM 1427 Gateways perform ingress traffic filtering to detect and prevent IP source address spoofing. Australia
AUISM 1520 System administrators for gateways undergo appropriate employment screening and, where necessary, hold an appropriate security clearance based on the sensitivity or classification of gateways. Australia
AUISM 613 System administrators for gateways that connect to Australian Eyes Only or Releasable To networks are Australian nationals. Australia
AUISM 1773 System administrators for gateways that connect to Australian Government Access Only networks are Australian nationals or seconded foreign nationals. Australia
AUISM 611 System administrators for gateways are assigned the minimum privileges required to perform their duties. Australia
AUISM 616 Separation of duties is implemented in performing administrative activities for gateways. Australia
AUISM 612 System administrators for gateways are formally trained on the operation and management of gateways. Australia
AUISM 1774 Gateways are managed via a secure path isolated from all connected networks. Australia
AUISM 629 For gateways between networks belonging to different security domains, any shared components are managed by system administrators for the higher security domain or by system administrators from a mutually-agreed third party. Australia
AUISM 619 Users authenticate to other networks accessed via gateways. Australia
AUISM 622 ICT equipment authenticates to other networks accessed via gateways. Australia
AUISM 1783 Public IP addresses controlled by, or used by, an organisation are signed by valid ROA records. Australia
AUISM 634 The following events are logged for gateways: • data packets and data flows permitted through gateways; • data packets and data flows attempting to leave gateways; • real-time alerts for attempted intrusions. Australia
AUISM 1775 Gateway event logs are stored centrally. Australia
AUISM 1037 Gateways undergo testing following configuration changes, and at regular intervals no more than six months apart, to validate they conform to expected security configurations. Australia
AUISM 100 Gateways undergo a security assessment by an IRAP assessor at least every 24 months. Australia
AUISM 626 CDSs are implemented between SECRET or TOP SECRET networks and any other networks belonging to different security domains. Australia
AUISM 597 When planning, designing, implementing or introducing additional connectivity to CDSs, the ACSC is consulted and any directions provided by the ACSC are complied with. Australia
AUISM 635 CDSs implement isolated upward and downward network paths. Australia
AUISM 1522 CDSs implement independent security-enforcing functions for upward and downward network paths. Australia
AUISM 1521 CDSs implement protocol breaks at each network layer. Australia
AUISM 670 All security-relevant events generated by CDSs are logged. Australia
AUISM 1776 CDS event logs are stored centrally. Australia
AUISM 1523 A sample of security-relevant events relating to data transfer policies are taken at least every 3 months and assessed against security policies for CDSs to identify any operational failures. Australia
AUISM 610 Users are trained on the secure use of CDSs before access is granted. Australia
AUISM 1528 Evaluated firewalls are used between an organisation's networks and public network infrastructure. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets are configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organization's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; • Periodic scan of organisational file storage and real-time scans of files from external sources? Security - Technical Australia Y
AUISM 639 Evaluated firewalls are used between networks belonging to different security domains. Australia
AUISM 643 Evaluated diodes are used for controlling the data flow of unidirectional gateways between an organisation's networks and public network infrastructure. Australia
AUISM 645 Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and public network infrastructure complete a high assurance evaluation. Australia
AUISM 1157 Evaluated diodes are used for controlling the data flow of unidirectional gateways between networks. Australia
AUISM 1158 Evaluated diodes used for controlling the data flow of unidirectional gateways between SECRET or TOP SECRET networks and any other networks complete a high assurance evaluation. Australia
AUISM 258 A web usage policy is developed, implemented and maintained. Australia
AUISM 260 All web access, including that by internal servers, is conducted through web proxies. Australia
AUISM 261 The following details are logged for websites accessed via web proxies: • address; • date and time; • user; • amount of data uploaded and downloaded; • internal and external IP addresses. Australia
AUISM 1777 Web proxy event logs are stored centrally. Australia
AUISM 963 Web content filtering is implemented to filter potentially harmful web-based content. Australia
AUISM 961 Client-side active content is restricted by web content filters to an organisation-approved list of domain names. Australia
AUISM 1237 Web content filtering is applied to outbound web traffic where appropriate. Australia
AUISM 263 TLS traffic communicated through gateways is decrypted and inspected. Australia
AUISM 958 An organisation-approved list of domain names, or list of website categories, is implemented for all Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure traffic communicated through gateways. Australia
AUISM 1236 Malicious domain names, dynamic domain names and domain names that can be registered anonymously for free are blocked by web content filters. Australia
AUISM 1171 Attempts to access websites through their IP addresses instead of their domain names are blocked by web content filters. Australia
AUISM 659 Files imported or exported via gateways or CDSs undergo content filtering checks. Australia
AUISM 651 Files identified by content filtering checks as malicious, or that cannot be inspected, are blocked. Australia
AUISM 652 Files identified by content filtering checks as suspicious are quarantined until reviewed and subsequently approved or not approved for release. Australia
AUISM 1524 Content filters used by CDSs undergo rigorous security testing to ensure they perform as expected and cannot be bypassed. Australia
AUISM 1293 Encrypted files imported or exported via gateways or CDSs are decrypted in order to undergo content filtering checks. Australia
AUISM 1289 Archive files imported or exported via gateways or CDSs are unpacked in order to undergo content filtering checks. Australia
AUISM 1290 Archive files are unpacked in a controlled manner to ensure content filter performance or availability is not adversely affected. Australia
AUISM 1288 Files imported or exported via gateways or CDSs undergo antivirus scanning using multiple different scanning engines. Australia
AUISM 1389 Executable files imported via gateways or CDSs are automatically executed in a sandbox to detect any suspicious behaviour. Australia
AUISM 649 Files imported or exported via gateways or CDSs are filtered for allowed file types. Australia
AUISM 1284 Files imported or exported via gateways or CDSs undergo content validation. Australia
AUISM 1286 Files imported or exported via gateways or CDSs undergo content conversion. Australia
AUISM 1287 Files imported or exported via gateways or CDSs undergo content sanitisation. Australia
AUISM 677 Files imported or exported via gateways or CDSs that have a digital signature or checksum are validated. Australia
AUISM 591 Evaluated peripheral switches are used when sharing peripherals between systems. Australia
AUISM 1457 Evaluated peripheral switches used for sharing peripherals between SECRET and TOP SECRET systems, or between SECRET or TOP SECRET systems belonging to different security domains, preferably complete a high assurance evaluation. Australia
AUISM 1480 Evaluated peripheral switches used for sharing peripherals between SECRET or TOP SECRET systems and any non-SECRET or TOP SECRET systems complete a high assurance evaluation. Australia
AUISM 663 Data transfer processes, and supporting data transfer procedures, are developed, implemented and maintained. Australia
AUISM 1535 Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in both textual and non-textual formats from being exported to unsuitable foreign systems. From what countries do vendor staff, including support, administration, development and testing, and external contractors or associates, access user data and any related data (e.g., metadata, logs) collected or used by the service (including backups and recovery)? Security - Hosting and Location Australia Y
AUISM 661 Users transferring data to and from systems are held accountable for data transfers they perform. Australia
AUISM 657 When manually importing data to systems, the data is scanned for malicious and active content. At a minimum, are the following features built into the file upload functionality available within the service? - All files are scanned for Malware/Viruses during upload - All files are scanned for Malware/Viruses while at rest - All files found to contain Malware/Viruses are quarantined or deleted Privacy - Functionality Australia Y
AUISM 1778 When manually importing data to systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release. Australia
AUISM 664 Data exported from SECRET and TOP SECRET systems is reviewed and authorised by a trusted source beforehand. Australia
AUISM 675 Data authorised for export from SECRET and TOP SECRET systems is digitally signed by a trusted source. Australia
AUISM 665 Trusted sources for SECRET and TOP SECRET systems are limited to people and services that have been authorised as such by an organisation's Chief Information Security Officer. Australia
AUISM 1187 When manually exporting data from systems, the data is checked for unsuitable protective markings. Australia
AUISM 669 When manually exporting data from SECRET and TOP SECRET systems, digital signatures are validated and keyword checks are performed within all textual data. Australia
AUISM 1779 When manually exporting data from systems, all data that fails security checks is quarantined until reviewed and subsequently approved or not approved for release. Australia
AUISM 1586 Data transfer logs are used to record all data imports and exports from systems. Australia
AUISM 1294 Data transfer logs for systems are partially verified at least monthly. Australia
AUISM 660 Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly. Australia
CIS 1.1 Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Devices Security - Plans and Quality United States 1
CIS 1.2 Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Devices Security - Plans and Quality United States 1
CIS 1.3 Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently. Devices United States 1
CIS 1.4 Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. Devices United States 1
CIS 1.5 Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. Devices United States 1
CIS 2.1 Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. Applications Security - Plans and Quality United States 1
CIS 2.2 Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. Does your organisation have a documented and implemented maintenance policy that outlines the following at a minimum: - management direction and support for maintenance; - requirement to comply with applicable laws and regulations; - governs the development of a maintenance plan for the organisation's software, hardware, and firmware; - ensures that any software no longer supported with updates is either removed as unauthorised, or else documented as an exception with mitigating controls and risk acceptance; - ensures that only fully supported web browsers and email clients are allowed to execute in the enterprise; - is the policy reviewed regularly and in response to security incidents? Applications Security - Plans and Quality United States 1
CIS 2.3 Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. Does your organisation have a documented and implemented maintenance policy that outlines the following at a minimum: - management direction and support for maintenance; - requirement to comply with applicable laws and regulations; - governs the development of a maintenance plan for the organisation's software, hardware, and firmware; - ensures that any software no longer supported with updates is either removed as unauthorised, or else documented as an exception with mitigating controls and risk acceptance; - ensures that only fully supported web browsers and email clients are allowed to execute in the enterprise; - is the policy reviewed regularly and in response to security incidents? Applications Security - Plans and Quality United States 1
CIS 2.4 Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. Applications United States 1
CIS 2.5 Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. Applications United States 1
CIS 2.6 Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. Applications United States 1
CIS 2.7 Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. Applications United States 1
CIS 3.1 Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented data management policy that outlines the following at a minimum: - Identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - handling of data; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - is reviewed and updated annually with a priority on sensitive data? Data Security - Plans and Quality United States 1
CIS 3.2 Establish and maintain a data inventory, based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. Does your organisation have a documented and implemented data management policy that outlines the following at a minimum: - Identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - handling of data; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - is reviewed and updated annually with a priority on sensitive data? Data Security - Plans and Quality United States 1
CIS 3.3 Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. In your organisation, are data access control lists: - Implemented; - configured based on a user's need to know; and - are these controls applied to local and remote file systems, databases and applications? Data Security - Access United States 1
CIS 3.4 Retain data according to the enterprise's data management process. Data retention must include both minimum and maximum timelines. Does the service have a documented and implemented data retention policy including: - Minimum data retention period; - Maximum data retention period; and - The deletion of identifying or sensitive data which is no longer required? Data Security - Data Deletion and Retention United States 1
CIS 3.5 Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity. Is deletion of data from the service: - Performed securely commensurate with the data's sensitivity; - And certified? Data Security - Data Deletion and Retention United States 1
CIS 3.6 Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. Has your organisation documented and implemented a security policy governing the management and connectivity of mobile devices, including •use of a Mobile Device Management solution applied to all mobile devices and • encryption of any sensitive information transferred to mobile devices? Devices Security - Technical United States 1
CIS 3.8 Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Data United States 1
CIS 3.9 Encrypt data on removable media. Data United States 1
CIS 3.10 Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). Does your organisation have a documented and implemented data management policy that outlines the following at a minimum: - Identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - handling of data; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - is reviewed and updated annually with a priority on sensitive data? Data Security - Plans and Quality United States 1
CIS 3.11 Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. Data United States 1
CIS 3.12 Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. Network United States 1
CIS 3.13 Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory. Data United States 1
CIS 3.14 Log sensitive data access, including modification and disposal. Data United States 1
CIS 4.1 Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used? Applications Security - Technical United States 1
CIS 4.2 Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used? Network Security - Technical United States 1
CIS 4.3 Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. Are all internal organisation systems (including operating systems) configured with a session or screen lock that: - activates after a maximum of 15 minutes of user inactivity or if manually activated by the user; - activates after a maximum of 2 minutes of user inactivity or if manually activated by the user for mobile end-user devices; - completely conceals all information on the screen; - ensures that the screen does not enter a power saving state before the screen or session lock is activated; - requires the user to reauthenticate to unlock the system; - denies users the ability to disable the session or screen locking mechanism; and - does not display any secure information of its own? Users Security - Access United States 1
CIS 4.4 Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets are configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organisation's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and • Periodic scan of organisational file storage and real-time scans of files from external sources? Devices Security - Technical United States 1
CIS 4.5 Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets are configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organisation's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and • Periodic scan of organisational file storage and real-time scans of files from external sources? Devices Security - Technical United States 1
CIS 4.6 Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. Within your organisation, does the secure management of enterprise assets and software occur via one or more of the following: • Version controlled infrastructure as code; or • Accessing administrative interfaces securely via SSH or HTTPS? Network Security - Access United States 1
CIS 4.7 Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. Users United States 1
CIS 4.8 Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. Devices United States 1
CIS 4.9 Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. Devices United States 1
CIS 4.10 Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts. Devices United States 1
CIS 4.11 Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. Devices United States 1
CIS 5.1 Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. Across the organisation is there an inventory of all user, administrator and service accounts, which includes details of the person's name (if applicable), username/identifier, start/stop dates, and department (if an employee), and is this inventory of accounts validated at least every 3 months? Users Security - Access United States 1
CIS 5.2 Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. At a minimum, are the following password requirements enforced for vendor staff, external contractors or associates with access to the organisation's systems and the service: - if using single factor authentication, passwords are a minimum of 14 characters with controls that limit predictability (inc. complexity); - if using multi-factor authentication, passwords are a minimum of eight characters? Users Security - Access United States 1
CIS 5.3 Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. Within the organisation, are all accounts disabled after 45 days of inactivity and are user identifiers blocked from reassignment to new users for a defined period of time? Users Security - Access United States 1
CIS 5.4 Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account. In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) Users Security - Access United States 1
CIS 5.5 Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. Users United States 1
CIS 5.6 Centralize account management through a directory or identity service. Users United States 1
CIS 6.1 Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. Is there a documented and implemented process to grant access to systems, applications and data repositories for new personnel (vendor staff, external contractors and associates) or when a user changes roles? Users Security - HR United States 1
CIS 6.2 Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. Users United States 1
CIS 6.3 Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. Across your organisation, are all externally exposed enterprise or third-party applications required to enforce multi-factor authentication? Users Security - Access United States 1
CIS 6.4 Require MFA for remote network access. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Users Security - Access United States 1
CIS 6.5 Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? Users Security - Access United States 1
CIS 6.6 Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. Users United States 1
CIS 6.7 Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. Users United States 1
CIS 6.8 Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. Data United States 1
CIS 7.1 Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned - monitoring of compliance by third party providers - a listing of all functions, ports and services in use - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures - reviewing and updating the plan annually or when significant changes occur Applications Security - Processes and Testing United States 1
CIS 7.2 Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned - monitoring of compliance by third party providers - a listing of all functions, ports and services in use - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures - reviewing and updating the plan annually or when significant changes occur Applications Security - Processes and Testing United States 1
CIS 7.3 Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Applications Security - Processes and Testing United States 1
CIS 7.4 Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. Are patches, updates or vendor mitigations for security vulnerabilities in other applications applied within one month of release? Applications Security - Processes and Testing United States 1
CIS 7.5 Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool. Applications United States 1
CIS 7.6 Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis. Applications United States 1
CIS 7.7 Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. Applications United States 1
CIS 8.1 Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Network Security - Logging United States 1
CIS 8.2 Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. Network United States 1
CIS 8.3 Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process. Has your organisation implemented a centralised logging facility to store logs which: Ensures logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? Network Security - Logging United States 1
CIS 8.4 Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. Network United States 1
CIS 8.5 Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. Network United States 1
CIS 8.6 Collect DNS query audit logs on enterprise assets, where appropriate and supported. Network United States 1
CIS 8.7 Collect URL request audit logs on enterprise assets, where appropriate and supported. Network United States 1
CIS 8.8 Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. Devices United States 1
CIS 8.9 Centralize, to the extent possible, audit log collection and retention across enterprise assets. Network United States 1
CIS 8.10 Retain audit logs across enterprise assets for a minimum of 90 days. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff) - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources) - User administration logs (e.g., addition/removal of users, changes to accounts, password changes) - System logs (e.g., system shutdown/restarts, application crashes and error messages) - Used or ascribed a unique identifier of the user who has performed the activity being logged Network Security - Logging United States 1
CIS 8.11 Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. Network United States 1
CIS 8.12 Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events. Data United States 1
CIS 9.1 Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. Does your organisation have a documented and implemented maintenance policy that outlines the following at a minimum: - management direction and support for maintenance; - requirement to comply with applicable laws and regulations; - governs the development of a maintenance plan for the organisation's software, hardware, and firmware; - ensures that any software no longer supported with updates is either removed as unauthorised, or else documented as an exception with mitigating controls and risk acceptance; - ensures that only fully supported web browsers and email clients are allowed to execute in the enterprise; - is the policy reviewed regularly and in response to security incidents? Applications Security - Plans and Quality United States 1
CIS 4.9 Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. Devices United States 1
CIS 9.3 Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. Network United States 1
CIS 9.5 To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. Network United States 1
CIS 9.6 Block unnecessary file types attempting to enter the enterprise’s email gateway. Network United States 1
CIS 9.7 Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. Network United States 1
CIS 10.1 Deploy and maintain anti-malware software on all enterprise assets. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.2 Configure automatic updates for anti-malware signature files on all enterprise assets. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.3 Disable autorun and autoplay auto-execute functionality for removable media. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.4 Configure anti-malware software to automatically scan removable media. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.6 Centrally manage anti-malware software. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 10.7 Use behavior-based anti-malware software. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? Devices Security - Technical United States 1
CIS 11.1 Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Data Security - Plans and Quality United States 1
CIS 11.2 Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. Does your organisation have a documented and implemented Business Continuity Plan for the service, which is updated annually or when significant changes occur, covering: - Backup strategies (including automated backups at least weekly or more frequently as required and backups that are stored disconnected); - Restoration strategies (e.g., disaster recovery), including prioritization; - Preservation strategies; And considers the security of backed up data? Data Security - Plans and Quality United States 1
CIS 11.3 Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. Data United States 1
CIS 11.4 Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services. Data United States 1
CIS 11.5 Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets. Data United States 1
CIS 12.1 Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. Are patches, updates or vendor mitigations for security vulnerabilities in: - internet facing services (including operating systems of internet-facing services); - workstation, server and network device operating systems; - operating systems of other ICT equipment; and - drivers and firmware; applied within two weeks of release, or within 48 hours if an exploit exists? Network Security - Processes and Testing United States 1
CIS 12.2 Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Network United States 1
CIS 12.3 Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. Network United States 1
CIS 12.4 Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Network United States 1
CIS 12.5 Centralize network AAA. Network United States 1
CIS 12.6 Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater). Network United States 1
CIS 12.7 Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. Devices United States 1
CIS 12.8 Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. Devices United States 1
CIS 13.1 Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. Network United States 1
CIS 13.2 Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported. Devices United States 1
CIS 13.3 Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. Network United States 1
CIS 13.4 Perform traffic filtering between network segments, where appropriate. Network United States 1
CIS 13.5 Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date. Devices United States 1
CIS 13.6 Collect network traffic flow logs and/or network traffic to review and alert upon from network devices. Network United States 1
CIS 13.7 Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent. Devices United States 1
CIS 13.8 Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service. Network United States 1
CIS 13.9 Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication. Devices United States 1
CIS 13.10 Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. Network United States 1
CIS 13.11 Tune security event alerting thresholds monthly, or more frequently. Network United States 1
CIS 14.1 Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.2 Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.3 Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.4 Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; and o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verifications and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.5 Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verification and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.6 Train workforce members to be able to recognize a potential incident and be able to report such an incident. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verification and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.7 Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verification and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.8 Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Covers recognizing social engineering attacks such as phishing, pre-texting and tailgating; o Covers authentication best practices including MFA, password composition and managing credentials; o Covers verification and reporting of out-of-date software patches and any failure in automated processes and tools; and o Covers the dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks. NULL Security - HR United States 1
CIS 14.9 Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles. NULL United States 1
CIS 15.1 Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. With regard to any third-party providers that make up the solution, or provide service to you, does your organisation: - have an inventory of all third-party service providers; - regularly assess and manage the risks associated with these third-party providers; - have contractual agreements in place to ensure third-party providers adhere to your information security and privacy policies; - ensure that the contractual agreements include notification of the transfer or termination of any personnel authorised to use your organisation's systems; - monitor third-party providers for compliance; - have defined and documented roles and responsibilities with regard to third-party providers, including oversight of compliance; - have a classification system for these third-party providers; and - have a designated internal organisation contact for each provider? NULL Security - Product Information United States 1
CIS 15.2 Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 15.3 Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 15.4 Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. NULL United States 1
CIS 15.5 Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. NULL United States 1
CIS 15.6 Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. Data United States 1
CIS 15.7 Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems. Data United States 1
CIS 16.1 Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Are all passwords used to access the service (i.e., user, system, and privileged account passwords) protected in line with the recommendations of at least one of: the Australian Cyber Security Centre Information Security Manual; the New Zealand Information Security Manual; and/or the Open Web Application Security Project's Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation for ensuring passwords are hashed, salted and stretched? Applications Security - Access United States 1
CIS 16.2 Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. Applications United States 1
CIS 16.3 Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. Applications United States 1
CIS 16.4 Establish and manage an updated inventory of third-party components used in development, often referred to as a bill of materials, as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. Applications United States 1
CIS 16.5 Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. Applications United States 1
CIS 16.6 Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. Applications United States 1
CIS 16.7 Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. Applications United States 1
CIS 16.8 Maintain separate environments for production and non-production systems. Applications United States 1
CIS 16.9 Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. Applications United States 1
CIS 16.12 Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. Applications United States 1
CIS 16.13 Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. Applications United States 1
CIS 16.14 Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. Applications United States 1
CIS 17.1 Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. As part of your organisation's incident handling process, does your organisation: - have one key person and at least one backup tasked with managing the organisation's incident handling process; - have contact information for all parties that need to be informed of security incidents (e.g., staff, third-party vendors, law enforcement, insurance providers, government agencies, etc.); and - update these contacts annually? NULL Security - Processes and Testing United States 1
CIS 17.2 Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processes and Testing United States 1
CIS 17.3 Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processes and Testing United States 1
CIS 17.4 Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 17.5 Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 17.6 Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 17.7 Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum. NULL United States 1
CIS 17.8 Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. NULL United States 1
CIS 17.9 Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. NULL United States 1
CIS 18.1 Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations, with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third-party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing United States 1
CIS 18.2 Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. Network United States 1
CIS 18.3 Remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization. Network United States 1
CIS 18.4 Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. Network United States 1
CIS 18.5 Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box. NULL United States 1
CIS 9.2 Use DNS filtering services on all enterprise assets to block access to known malicious domains. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets are configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organisation's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g., Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and • Periodic scan of organisational file storage and real-time scans of files from external sources? Network Security - Technical United States 1
CIS 9.4 Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. Applications United States 1
CIS 3.6 Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. Devices United States 1
NIST 800-53 AC-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and c. Review and update the current access control: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for; - which events are logged; - policies relating to incident response, including a roadmap for an incident response capability if not already implemented; - personnel security; - physical and environmental protections; - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 AC-2 a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: organization-defined time period] when accounts are no longer required; 2. [Assignment: organization-defined time period] when users are terminated or transferred; and 3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes. NULL United States 1
NIST 800-53 AC-2(1) Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 AC-2(2) Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. NULL United States 1
NIST 800-53 AC-2(3) Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-2(4) Automatically audit account creation, modification, enabling, disabling, and removal actions. NULL United States 1
NIST 800-53 AC-2(5) Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. NULL United States 1
NIST 800-53 AC-2(6) Implement [Assignment: organization-defined dynamic privilege management capabilities]. NULL United States 1
NIST 800-53 AC-2(7) (a) Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme]; (b) Monitor privileged role or attribute assignments; (c) Monitor changes to roles or attributes; and (d) Revoke access when privileged role or attribute assignments are no longer appropriate. NULL United States 1
NIST 800-53 AC-2(8) Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. NULL United States 1
NIST 800-53 AC-2(9) Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. NULL United States 1
NIST 800-53 AC-13 [Withdrawn: Incorporated into AC-2 and AU-6.] NULL United States 1
NIST 800-53 AC-2(11) Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. NULL United States 1
NIST 800-53 AC-2(12) (a) Monitor system accounts for [Assignment: organization-defined atypical usage]; and (b) Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 AC-2(13) Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. NULL United States 1
NIST 800-53 AC-3 Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. NULL United States 1
NIST 800-53 AC-14(1) [Withdrawn: Incorporated into AC-14.] NULL United States 1
NIST 800-53 AC-3(2) Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. NULL United States 1
NIST 800-53 AC-3(3) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints. NULL United States 1
NIST 800-53 AC-3(4) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control. NULL United States 1
NIST 800-53 AC-3(5) Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. NULL United States 1
NIST 800-53 AC-15 [Withdrawn: Incorporated into MP-3.] NULL United States 1
NIST 800-53 AC-3(7) Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. NULL United States 1
NIST 800-53 AC-3(8) Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. NULL United States 1
NIST 800-53 AC-3(9) Release information outside of the system only if: (a) The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and (b) [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release. NULL United States 1
NIST 800-53 AC-3(10) Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. NULL United States 1
NIST 800-53 AC-3(11) Restrict access to data repositories containing [Assignment: organization-defined information types]. NULL United States 1
NIST 800-53 AC-3(12) (a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; (b) Provide an enforcement mechanism to prevent unauthorized access; and (c) Approve access changes after initial installation of the application. NULL United States 1
NIST 800-53 AC-3(13) Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. NULL United States 1
NIST 800-53 AC-3(14) Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. NULL United States 1
NIST 800-53 AC-3(15) (a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and (b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy. NULL United States 1
NIST 800-53 AC-4 Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. NULL United States 1
NIST 800-53 AC-4(1) Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. NULL United States 1
NIST 800-53 AC-4(2) Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. NULL United States 1
NIST 800-53 AC-4(3) Enforce [Assignment: organization-defined information flow control policies]. NULL United States 1
NIST 800-53 AC-4(4) Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. NULL United States 1
NIST 800-53 AC-4(5) Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. NULL United States 1
NIST 800-53 AC-4(6) Enforce information flow control based on [Assignment: organization-defined metadata]. NULL United States 1
NIST 800-53 AC-4(7) Enforce one-way information flows through hardware-based flow control mechanisms. NULL United States 1
NIST 800-53 AC-4(8) (a) Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and (b) [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy]. NULL United States 1
NIST 800-53 AC-4(9) Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. NULL United States 1
NIST 800-53 AC-4(10) Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. NULL United States 1
NIST 800-53 AC-4(11) Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. NULL United States 1
NIST 800-53 AC-4(12) When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. NULL United States 1
NIST 800-53 AC-4(13) When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. NULL United States 1
NIST 800-53 AC-4(14) When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. NULL United States 1
NIST 800-53 AC-4(15) When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. NULL United States 1
NIST 800-53 AC-17(5) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 AC-4(17) Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. NULL United States 1
NIST 800-53 AC-17(7) [Withdrawn: Incorporated into AC-3(10).] NULL United States 1
NIST 800-53 AC-4(19) When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. NULL United States 1
NIST 800-53 AC-4(20) Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. NULL United States 1
NIST 800-53 AC-4(21) Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. NULL United States 1
NIST 800-53 AC-4(22) Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. NULL United States 1
NIST 800-53 AC-4(23) When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. NULL United States 1
NIST 800-53 AC-4(24) When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. NULL United States 1
NIST 800-53 AC-4(25) When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]. NULL United States 1
NIST 800-53 AC-4(26) When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. NULL United States 1
NIST 800-53 AC-4(27) When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. NULL United States 1
NIST 800-53 AC-4(28) When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. NULL United States 1
NIST 800-53 AC-4(29) When transferring information between different security domains, employ content filter orchestration engines to ensure that: (a) Content filtering mechanisms successfully complete execution without errors; and (b) Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy]. NULL United States 1
NIST 800-53 AC-4(30) When transferring information between different security domains, implement content filtering mechanisms using multiple processes. NULL United States 1
NIST 800-53 AC-4(31) When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. NULL United States 1
NIST 800-53 AC-4(32) When transferring information between different security domains, the process that transfers information between filter pipelines: (a) Does not filter message content; (b) Validates filtering metadata; (c) Ensures the content associated with the filtering metadata has successfully completed filtering; and (d) Transfers the content to the destination filter pipeline. NULL United States 1
NIST 800-53 AC-5 a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. NULL United States 1
NIST 800-53 AC-6 Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. NULL United States 1
NIST 800-53 AC-6(1) Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and (b) [Assignment: organization-defined security-relevant information]. NULL United States 1
NIST 800-53 AC-6(2) Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. NULL United States 1
NIST 800-53 AC-6(3) Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. NULL United States 1
NIST 800-53 AC-6(4) Provide separate processing domains to enable finer-grained allocation of user privileges. NULL United States 1
NIST 800-53 AC-6(5) Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 AC-6(6) Prohibit privileged access to the system by non-organizational users. NULL United States 1
NIST 800-53 AC-6(7) (a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and (b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. NULL United States 1
NIST 800-53 AC-6(8) Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. NULL United States 1
NIST 800-53 AC-6(9) Log the execution of privileged functions. NULL United States 1
NIST 800-53 AC-6(10) Prevent non-privileged users from executing privileged functions. NULL United States 1
NIST 800-53 AC-7 a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded. NULL United States 1
NIST 800-53 AC-17(8) [Withdrawn: Incorporated into CM-7.] NULL United States 1
NIST 800-53 AC-7(2) Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. NULL United States 1
NIST 800-53 AC-7(3) Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. NULL United States 1
NIST 800-53 AC-7(4) (a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and (b) Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-8 a. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a U.S. Government system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording; b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c. For publicly accessible systems: 1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system; 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Include a description of the authorized uses of the system. NULL United States 1
NIST 800-53 AC-9 Notify the user, upon successful logon to the system, of the date and time of the last logon. NULL United States 1
NIST 800-53 AC-9(1) Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. NULL United States 1
NIST 800-53 AC-9(2) Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-9(3) Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-9(4) Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. NULL United States 1
NIST 800-53 AC-10 Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. NULL United States 1
NIST 800-53 AC-11 a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and b. Retain the device lock until the user reestablishes access using established identification and authentication procedures. NULL United States 1
NIST 800-53 AC-11(1) Conceal, via the device lock, information previously visible on the display with a publicly viewable image. NULL United States 1
NIST 800-53 AC-12 Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. NULL United States 1
NIST 800-53 AC-12(1) Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. NULL United States 1
NIST 800-53 AC-12(2) Display an explicit logout message to users indicating the termination of authenticated communications sessions. NULL United States 1
NIST 800-53 AC-12(3) Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. NULL United States 1
NIST 800-53 AC-18(2) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 AC-14 a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication. NULL United States 1
NIST 800-53 AC-19(1) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 AC-19(2) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 AC-16 a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]; d. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes]; e. Audit changes to attributes; and f. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 AC-16(1) Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies]. NULL United States 1
NIST 800-53 AC-16(2) Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes. NULL United States 1
NIST 800-53 AC-16(3) Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects]. NULL United States 1
NIST 800-53 AC-16(4) Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). NULL United States 1
NIST 800-53 AC-16(5) Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions]. NULL United States 1
NIST 800-53 AC-16(6) Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. NULL United States 1
NIST 800-53 AC-16(7) Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components. NULL United States 1
NIST 800-53 AC-16(8) Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information. NULL United States 1
NIST 800-53 AC-16(9) Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. NULL United States 1
NIST 800-53 AC-16(10) Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. NULL United States 1
NIST 800-53 AC-17 a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. NULL United States 1
NIST 800-53 AC-17(1) Employ automated mechanisms to monitor and control remote access methods. NULL United States 1
NIST 800-53 AC-17(2) Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. NULL United States 1
NIST 800-53 AC-17(3) Route remote accesses through authorized and managed network access control points. NULL United States 1
NIST 800-53 AC-17(4) (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and (b) Document the rationale for remote access in the security plan for the system. NULL United States 1
NIST 800-53 AC-19(3) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 AC-17(6) Protect information about remote access mechanisms from unauthorized use and disclosure. NULL United States 1
NIST 800-53 AC-2(10) [Withdrawn: Incorporated into AC-2k.] NULL United States 1
NIST 800-53 AC-3(1) [Withdrawn: Incorporated into AC-6.] NULL United States 1
NIST 800-53 AC-17(9) Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 AC-17(10) Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]. NULL United States 1
NIST 800-53 AC-18 a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections. NULL United States 1
NIST 800-53 AC-18(1) Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. NULL United States 1
NIST 800-53 AC-3(6) [Withdrawn: Incorporated into MP-4 and SC-28.] NULL United States 1
NIST 800-53 AC-18(3) Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. NULL United States 1
NIST 800-53 AC-18(4) Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. NULL United States 1
NIST 800-53 AC-18(5) Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. NULL United States 1
NIST 800-53 AC-19 a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems. NULL United States 1
NIST 800-53 AC-4(16) [Withdrawn: Incorporated into AC-4.] NULL United States 1
NIST 800-53 AC-4(18) [Withdrawn: Incorporated into AC-16.] NULL United States 1
NIST 800-53 AC-7(1) [Withdrawn: Incorporated into AC-7.] NULL United States 1
NIST 800-53 AC-19(4) (a) Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and (b) Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information: (1) Connection of unclassified mobile devices to classified systems is prohibited; (2) Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official; (3) Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and (4) Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed. (c) Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies]. NULL United States 1
NIST 800-53 AC-19(5) Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. NULL United States 1
NIST 800-53 AC-20 a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1. Access the system from external systems; and 2. Process, store, or transmit organization-controlled information using external systems; or b. Prohibit the use of [Assignment: organizationally-defined types of external systems]. NULL United States 1
NIST 800-53 AC-20(1) Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: (a) Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or (b) Retention of approved system connection or processing agreements with the organizational entity hosting the external system. NULL United States 1
NIST 800-53 AC-20(2) Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 AC-20(3) Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 AC-20(4) Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. NULL United States 1
NIST 800-53 AC-20(5) Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. NULL United States 1
NIST 800-53 AC-21 a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions. NULL United States 1
NIST 800-53 AC-21(1) Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. NULL United States 1
NIST 800-53 AC-21(2) Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. NULL United States 1
NIST 800-53 AC-22 a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered. NULL United States 1
NIST 800-53 AC-23 Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining. NULL United States 1
NIST 800-53 AC-24 [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. NULL United States 1
NIST 800-53 AC-24(1) Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. NULL United States 1
NIST 800-53 AC-24(2) Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user. NULL United States 1
NIST 800-53 AC-25 Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. NULL United States 1
NIST 800-53 AT-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] awareness and training policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c. Review and update the current awareness and training: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented security training and awareness policy that outlines the following at a minimum: management direction and support for information security; requirement to comply with applicable laws and regulations; security training and awareness processes to be adopted; requirement for communication to management to ensure they maintain an awareness of, and focus on, addressing privacy and security issues? Is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 AT-2 a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes or following [Assignment: organization-defined events]; b. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques]; c. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. NULL United States 1
NIST 800-53 AT-2(1) Provide practical exercises in literacy training that simulate events and incidents. NULL United States 1
NIST 800-53 AT-2(2) Provide literacy training on recognizing and reporting potential indicators of insider threat. NULL United States 1
NIST 800-53 AT-2(3) Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. NULL United States 1
NIST 800-53 AT-2(4) Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. NULL United States 1
NIST 800-53 AT-2(5) Provide literacy training on the advanced persistent threat. NULL United States 1
NIST 800-53 AT-2(6) (a) Provide literacy training on the cyber threat environment; and (b) Reflect current cyber threat information in system operations. NULL United States 1
NIST 800-53 AT-3 a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]: 1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and 2. When required by system changes; b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training. NULL United States 1
NIST 800-53 AT-3(1) Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. NULL United States 1
NIST 800-53 AT-3(2) Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. NULL United States 1
NIST 800-53 AT-3(3) Provide practical exercises in security and privacy training that reinforce training objectives. NULL United States 1
NIST 800-53 AT-3(4) [Withdrawn: Moved to AT-2(4)]. NULL United States 1
NIST 800-53 AT-3(5) Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. NULL United States 1
NIST 800-53 AT-4 a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for [Assignment: organization-defined time period]. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session, such as: basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; actions to maintain security, privacy and online safety, including practical office/desktop practices; actions to respond to suspected security, privacy and online safety incidents; applicable policies and laws; practical security, privacy and online safety awareness exercises; data identification and storage, including the safe transfer of data, archival and destruction; disciplinary actions for significant security and privacy breaches by staff; how to recognise and report indicators of potential insider threats; recognising social engineering attacks such as phishing, pretexting and tailgating; authentication best practices including MFA, password composition and managing credentials; verification and reporting of out-of-date software patches and any failure in automated processes and tools; and the dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks? NULL Security - HR United States 1
NIST 800-53 AT-5 [Withdrawn: Incorporated into PM-15.] NULL United States 1
NIST 800-53 AT-6 Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. NULL United States 1
NIST 800-53 AU-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] audit and accountability policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and c. Review and update the current audit and accountability: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for; - which events are logged; - policies relating to incident response, including a roadmap for an incident response capability if not already implemented; - personnel security; - physical and environmental protections; - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitoring? Is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 AU-2 a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. Does your organisation have a documented and implemented logging procedure, covering collection, review and retention, which is reviewed annually and which requires all systems in your organisation (e.g., servers, storage, network, applications, etc.) to log the following and synchronise logs to a consistent time source: - Authentication logs (e.g., successful login, unsuccessful login, logoff); - Privileged operations logs (e.g., access to logs, changes to configurations or policy, failed attempts to access data and resources); - User administration logs (e.g., addition/removal of users, changes to accounts, password changes); - System logs (e.g., system shutdown/restarts, application crashes and error messages); and - A unique identifier for the user who performed the activity being logged? NULL Security - Logging United States 1
NIST 800-53 AU-10(5) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 AU-14(2) [Withdrawn: Incorporated into AU-14.] NULL United States 1
NIST 800-53 AU-15 [Withdrawn: Moved to AU-5(5).] NULL United States 1
NIST 800-53 AU-2(1) [Withdrawn: Incorporated into AU-12.] NULL United States 1
NIST 800-53 AU-3 Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event. NULL United States 1
NIST 800-53 AU-3(1) Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. NULL United States 1
NIST 800-53 AU-2(2) [Withdrawn: Incorporated into AU-12.] NULL United States 1
NIST 800-53 AU-3(3) Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. NULL United States 1
NIST 800-53 AU-4 Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. NULL United States 1
NIST 800-53 AU-4(1) Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. NULL United States 1
NIST 800-53 AU-5 a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and b. Take the following additional actions: [Assignment: organization-defined additional actions]. NULL United States 1
NIST 800-53 AU-5(1) Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. NULL United States 1
NIST 800-53 AU-5(2) Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts]. NULL United States 1
NIST 800-53 AU-5(3) Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds. NULL United States 1
NIST 800-53 AU-5(4) Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists. NULL United States 1
NIST 800-53 AU-5(5) Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. NULL United States 1
NIST 800-53 AU-6 a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. Does your organisation have a documented and implemented event log auditing procedure which outlines, at a minimum: • Schedule of audits (annual or real-time for sensitive data); • Definitions of security violations; • Actions to be taken when violations are detected; and • Reporting requirements? NULL Security - Logging United States 1
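Worked example (added here; not part of GESS or NIST SP 800-53): review logic of the kind AU-6 asks for, run over constructed authentication records of the types the AU-2 question lists. It flags an account that logs in successfully after a burst of failures from the same address, which is the usual signature of password guessing or credential stuffing. The line format, the five-failures-in-five-minutes threshold, hostnames, addresses and the sample lines are all assumptions for illustration.

```python
"""AU-6 style review of authentication records (added example; not GESS or NIST code).

Assumed line format, thresholds and sample entries are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed flattened record layout: time stamp, host, 'auth', outcome, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: five failures then a success for alice from one address inside
# three minutes; two widely spaced failures then a success for bob that must not alert.
SAMPLE_LOG = """\
2024-03-01T09:00:05+00:00 web01 auth failure user=alice src=203.0.113.5
2024-03-01T09:00:20+00:00 web01 auth failure user=alice src=203.0.113.5
2024-03-01T09:00:41+00:00 web01 auth failure user=alice src=203.0.113.5
2024-03-01T09:01:02+00:00 web01 auth failure user=alice src=203.0.113.5
2024-03-01T09:01:30+00:00 web01 auth failure user=alice src=203.0.113.5
2024-03-01T09:02:10+00:00 web01 auth success user=alice src=203.0.113.5
2024-03-01T09:10:00+00:00 web01 auth failure user=bob src=198.51.100.7
2024-03-01T09:30:00+00:00 web01 auth failure user=bob src=198.51.100.7
2024-03-01T10:00:00+00:00 web01 auth success user=bob src=198.51.100.7
2024-03-01T11:00:00+00:00 web01 auth failure user=carol src=192.0.2.9
"""


def parse(lines):
    """Yield a dict per line that matches the assumed format; unmatched lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            # AU-8: normalise every stamp to UTC before any comparison.
            rec["ts"] = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
            yield rec


def find_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src, failures_in_window, success_ts) tuples for each success that was
    preceded by at least `threshold` failures from the same (user, src) within `window`."""
    recent = defaultdict(deque)  # (user, src) -> time stamps of failures still inside the window
    alerts = []
    # Records merged from several repositories (AU-6(3)) are rarely in order: sort first,
    # otherwise the sliding window under-counts.
    for r in sorted(records, key=lambda r: r["ts"]):
        q = recent[(r["user"], r["src"])]
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if r["outcome"] == "failure":
            q.append(r["ts"])
        else:
            if len(q) >= threshold:
                alerts.append((r["user"], r["src"], len(q), r["ts"].isoformat()))
            q.clear()
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return find_bruteforce(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print("possible credential guessing:", alert)
```

The window is keyed on the (user, source) pair so that a single user mistyping a password from two locations is not merged with an attacker spraying from one. Tuning the threshold and window is part of the "definitions of security violations" the AU-6 question asks for; the values above are placeholders.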
NIST 800-53 AU-6(1) Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 AU-2(3) [Withdrawn: Incorporated into AU-2.] NULL United States 1
NIST 800-53 AU-6(3) Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. NULL United States 1
NIST 800-53 AU-6(4) Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. NULL United States 1
NIST 800-53 AU-6(5) Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. NULL United States 1
NIST 800-53 AU-6(6) Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. NULL United States 1
NIST 800-53 AU-6(7) Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. NULL United States 1
NIST 800-53 AU-6(8) Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis. NULL United States 1
NIST 800-53 AU-6(9) Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. NULL United States 1
NIST 800-53 AU-2(4) [Withdrawn: Incorporated into AC-6(9).] NULL United States 1
NIST 800-53 AU-7 Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. NULL United States 1
NIST 800-53 AU-7(1) Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. NULL United States 1
NIST 800-53 AU-3(2) [Withdrawn: Incorporated into PL-9.] NULL United States 1
NIST 800-53 AU-8 a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. NULL United States 1
NIST 800-53 AU-6(10) [Withdrawn: Incorporated into AU-6.] NULL United States 1
NIST 800-53 AU-6(2) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 AU-9 a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. NULL United States 1
NIST 800-53 AU-9(1) Write audit trails to hardware-enforced, write-once media. NULL United States 1
NIST 800-53 AU-9(2) Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. NULL United States 1
NIST 800-53 AU-9(3) Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. NULL United States 1
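Worked example (added here; not part of GESS or NIST SP 800-53): audit records that carry the six AU-3 fields with AU-8 Coordinated Universal Time stamps, chained together with an HMAC so that modification, deletion or reordering of earlier entries is detectable, which is one cryptographic mechanism that satisfies AU-9(3). The key, hostnames, addresses and events are assumptions for illustration; in a real deployment the key comes from a KMS or HSM that the audited host cannot read.

```python
"""Tamper-evident audit records (added example; not GESS or NIST code).

AU-3: each record carries what, when, where, source, outcome and identity.
AU-8: time stamps are Coordinated Universal Time at millisecond granularity.
AU-9(3): an HMAC over each record plus the previous tag forms a hash chain.
Key, hostnames and events below are constructed for illustration only.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: a real deployment keeps this key in a KMS/HSM the audited host cannot read.
AUDIT_KEY = b"example-only-audit-key"
GENESIS = "0" * 64  # tag that the first record chains to


def make_record(event_type, outcome, subject, host, source, when=None, **extra):
    """Build one AU-3 record; naive datetimes are rejected so every stamp has a UTC offset."""
    ts = when or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("AU-8: time stamp must carry a UTC offset")
    return {
        "event_type": event_type,  # a. what type of event occurred
        "timestamp": ts.astimezone(timezone.utc).isoformat(timespec="milliseconds"),  # b. when
        "host": host,              # c. where the event occurred
        "source": source,          # d. source of the event (client address or process)
        "outcome": outcome,        # e. outcome of the event
        "subject": subject,        # f. identity of the individual or process
        **extra,
    }


def canonical(record):
    """Deterministic JSON so the MAC computed at write time matches at verification."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_for(prev_tag, record, key):
    """HMAC-SHA256 over the previous tag and the canonical record."""
    return hmac.new(key, prev_tag.encode() + canonical(record), hashlib.sha256).hexdigest()


def append(chain, record, key=AUDIT_KEY):
    """Append a record whose tag covers its own content and the previous entry's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "tag": tag_for(prev, record, key)})
    return chain


def verify(chain, key=AUDIT_KEY):
    """Return (True, -1) if intact, otherwise (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or not hmac.compare_digest(
            tag_for(prev, entry["record"], key), entry["tag"]
        ):
            return False, i
        prev = entry["tag"]
    return True, -1


def demo_chain():
    """Three constructed events of the kinds the AU-2 question asks to be logged."""
    t0 = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    chain = []
    append(chain, make_record("login", "success", "alice", "web01", "203.0.113.5", t0))
    append(chain, make_record("privileged_op", "success", "alice", "web01", "203.0.113.5", t0, action="sudo"))
    append(chain, make_record("user_admin", "failure", "bob", "web01", "198.51.100.7", t0, action="add_user"))
    return chain


def tampered_modify(chain):
    """Copy of the chain with the second record's outcome rewritten after the fact."""
    c = copy.deepcopy(chain)
    c[1]["record"]["outcome"] = "failure"
    return c


def tampered_delete(chain):
    """Copy of the chain with the second entry removed."""
    c = copy.deepcopy(chain)
    del c[1]
    return c


if __name__ == "__main__":
    chain = demo_chain()
    print("intact:", verify(chain))
    print("modified:", verify(tampered_modify(chain)))
    print("deleted:", verify(tampered_delete(chain)))
```

A chain of this form detects modification, deletion and reordering of earlier entries, but it cannot by itself detect removal of the most recent entries, since nothing follows them. That is why the latest tag (or the whole log) should also be shipped to a separately administered system, which is what AU-4(1) and AU-9(2) call for; an attacker with the key and the host can rewrite the whole chain, so the key must not live on the host that writes the records.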
NIST 800-53 AU-9(4) Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. NULL United States 1
NIST 800-53 AU-9(5) Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. NULL United States 1
NIST 800-53 AU-9(6) Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. NULL United States 1
NIST 800-53 AU-9(7) Store audit information on a component running a different operating system than the system or component being audited. NULL United States 1
NIST 800-53 AU-10 Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. NULL United States 1
NIST 800-53 AU-10(1) (a) Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (b) Provide the means for authorized individuals to determine the identity of the producer of the information. NULL United States 1
NIST 800-53 AU-10(2) (a) Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. NULL United States 1
NIST 800-53 AU-10(3) Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released. NULL United States 1
NIST 800-53 AU-10(4) (a) Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and (b) Perform [Assignment: organization-defined actions] in the event of a validation error. NULL United States 1
NIST 800-53 AU-7(2) [Withdrawn: Incorporated into AU-7(1).] NULL United States 1
NIST 800-53 AU-11 Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. NULL United States 1
NIST 800-53 AU-11(1) Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. NULL United States 1
NIST 800-53 AU-12 a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3. NULL United States 1
NIST 800-53 AU-12(1) Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. NULL United States 1
NIST 800-53 AU-12(2) Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. NULL United States 1
NIST 800-53 AU-12(3) Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. NULL United States 1
NIST 800-53 AU-12(4) Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. NULL United States 1
NIST 800-53 AU-13 a. Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and b. If an information disclosure is discovered: 1. Notify [Assignment: organization-defined personnel or roles]; and 2. Take the following additional actions: [Assignment: organization-defined additional actions]. NULL United States 1
NIST 800-53 AU-13(1) Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 AU-13(2) Review the list of open-source information sites being monitored [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 AU-13(3) Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner. NULL United States 1
NIST 800-53 AU-14 a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and b. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. NULL United States 1
NIST 800-53 AU-14(1) Initiate session audits automatically at system start-up. NULL United States 1
NIST 800-53 AU-8(1) [Withdrawn: Moved to SC-45(1).] NULL United States 1
NIST 800-53 AU-14(3) Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. NULL United States 1
NIST 800-53 AU-8(2) [Withdrawn: Moved to SC-45(2).] NULL United States 1
NIST 800-53 AU-16 Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. NULL United States 1
NIST 800-53 AU-16(1) Preserve the identity of individuals in cross-organizational audit trails. NULL United States 1
NIST 800-53 AU-16(2) Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. NULL United States 1
NIST 800-53 AU-16(3) Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries. NULL United States 1
NIST 800-53 CA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authorization, and monitoring policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and c. Review and update the current assessment, authorization, and monitoring: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks, with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable); and o Residual risk ratings after implementing mitigation actions; - Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis; and - Regular review of the framework, and review in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 CA-2 a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; b. Develop a control assessment plan that describes the scope of the assessment including: 1. Controls and control enhancements under assessment; 2. Assessment procedures to be used to determine control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e. Produce a control assessment report that documents the results of the assessment; and f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. NULL United States 1
NIST 800-53 CA-2(1) Employ independent assessors or assessment teams to conduct control assessments. Select the privacy related compliance certifications or assessments that have been completed for the service and your organisation, or another organisation contracted by you to perform the development, maintenance and/or support of your solution (excluding the infrastructure provider e.g., AWS, Azure, Sendgrid) NULL Security - Compliance Controls United States 1
NIST 800-53 CA-2(2) Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. NULL United States 1
NIST 800-53 CA-2(3) Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. NULL United States 1
NIST 800-53 CA-3 a. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]]; b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and c. Review and update the agreements [Assignment: organization-defined frequency]. Which security and privacy compliance certifications do recipient third party systems hold? NULL Privacy - Functionality United States 1
NIST 800-53 CA-3(1) [Withdrawn: Moved to SC-7(25).] NULL United States 1
NIST 800-53 CA-3(2) [Withdrawn: Moved to SC-7(26).] NULL United States 1
NIST 800-53 CA-3(3) [Withdrawn: Moved to SC-7(27).] NULL United States 1
NIST 800-53 CA-3(4) [Withdrawn: Moved to SC-7(28).] NULL United States 1
NIST 800-53 CA-3(5) [Withdrawn: Moved to SC-7(5).] NULL United States 1
NIST 800-53 CA-3(6) Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data. NULL United States 1
NIST 800-53 CA-3(7) (a) Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and (b) Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated. NULL United States 1
NIST 800-53 CA-4 [Withdrawn: Incorporated into CA-2.] NULL United States 1
NIST 800-53 CA-5 a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. NULL United States 1
NIST 800-53 CA-5(1) Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CA-6 a. Assign a senior official as the authorizing official for the system; b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; c. Ensure that the authorizing official for the system, before commencing operations: 1. Accepts the use of common controls inherited by the system; and 2. Authorizes the system to operate; d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; e. Update the authorizations [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CA-6(1) Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization. NULL United States 1
NIST 800-53 CA-6(2) Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization. NULL United States 1
NIST 800-53 CA-7 Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing United States 1
NIST 800-53 CA-7(1) Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. Select the privacy related compliance certifications or assessments that have been completed for the service and your organisation, or another organisation contracted by you to perform the development, maintenance and/or support of your solution (excluding the infrastructure provider e.g., AWS, Azure, Sendgrid) NULL Security - Compliance Controls United States 1
NIST 800-53 CA-7(2) [Withdrawn: Incorporated into CA-2.] NULL United States 1
NIST 800-53 CA-7(3) Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data. NULL United States 1
NIST 800-53 CA-7(4) Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (a) Effectiveness monitoring; (b) Compliance monitoring; and (c) Change monitoring. NULL United States 1
NIST 800-53 CA-7(5) Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 CA-7(6) Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CA-8 Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing United States 1
NIST 800-53 CA-8(1) Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. NULL United States 1
NIST 800-53 CA-8(2) Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. NULL United States 1
NIST 800-53 CA-8(3) Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility. NULL United States 1
NIST 800-53 CA-9 a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used? NULL Security - Technical United States 1
NIST 800-53 CA-9(1) Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection. NULL United States 1
NIST 800-53 CM-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] configuration management policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and c. Review and update the current configuration management: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-2 a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded. NULL United States 1
NIST 800-53 CM-11(1) [Withdrawn: Incorporated into CM-8(3).] NULL United States 1
NIST 800-53 CM-2(2) Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-2(3) Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. NULL United States 1
NIST 800-53 CM-2(1) [Withdrawn: Incorporated into CM-2.] Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualization platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; Ensures only required and authorised software is installed and used? NULL Security - Technical United States 1
NIST 800-53 CM-2(4) [Withdrawn: Incorporated into CM-7(4).] NULL United States 1
NIST 800-53 CM-2(6) Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. NULL United States 1
NIST 800-53 CM-2(7) (a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls]. Does your organisation enforce enhanced security configurations for organisation systems and components moving: Physically to high-risk areas; and Off-site for maintenance; NULL Security - Technical United States 1
NIST 800-53 CM-3 a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c. Document configuration change decisions associated with the system; d. Implement approved configuration-controlled changes to the system; e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period]; f. Monitor and review activities associated with configuration-controlled changes to the system; and g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]]. NULL United States 1
NIST 800-53 CM-3(1) Use [Assignment: organization-defined automated mechanisms] to: (a) Document proposed changes to the system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval; (c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period]; (d) Prohibit changes to the system until designated approvals are received; (e) Document all changes to the system; and (f) Notify [Assignment: organization-defined personnel] when approved changes to the system are completed. NULL United States 1
NIST 800-53 CM-3(2) Test, validate, and document changes to the system before finalizing the implementation of the changes. Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalised NULL Security - Plans and Quality United States 1
NIST 800-53 CM-3(3) Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-3(4) Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. NULL United States 1
NIST 800-53 CM-3(5) Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses]. NULL United States 1
NIST 800-53 CM-3(6) Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. NULL United States 1
NIST 800-53 CM-3(7) Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. NULL United States 1
NIST 800-53 CM-3(8) Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. NULL United States 1
NIST 800-53 CM-4 Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. NULL United States 1
NIST 800-53 CM-4(1) Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice. NULL United States 1
NIST 800-53 CM-4(2) After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system. NULL United States 1
NIST 800-53 CM-5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. NULL United States 1
NIST 800-53 CM-5(1) (a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and (b) Automatically generate audit records of the enforcement actions. NULL United States 1
NIST 800-53 CM-2(5) [Withdrawn: Incorporated into CM-7(5).] NULL United States 1
NIST 800-53 IR-5 Track and document incidents. NULL United States 1
NIST 800-53 IR-5(1) Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-6(1) (a) Limit privileges to change system components and system-related information within a production or operational environment; and (b) Review and reevaluate privileges [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-5(6) Limit privileges to change software resident within software libraries. NULL United States 1
NIST 800-53 IR-6(3) [Withdrawn: Moved to CM-14.] NULL United States 1
NIST 800-53 IR-7 a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. NULL United States 1
NIST 800-53 IR-7(1) Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-7(2) Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 IR-8 [Withdrawn: Incorporated into SI-7.] Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processes and Testing United States 1
NIST 800-53 IR-8(1) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 IR-9 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. NULL United States 1
NIST 800-53 IR-10 [Withdrawn: Moved to IR-4(11).] NULL United States 1
NIST 800-53 IR-9(2) Provide information spillage response training [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(3) Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. NULL United States 1
NIST 800-53 CM-7(4) (a) Identify [Assignment: organization-defined software programs not authorized to execute on the system]; (b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (c) Review and update the list of unauthorized software programs [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(5) (a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(6) Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software]. NULL United States 1
NIST 800-53 CM-7(7) Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is: (a) Obtained from sources with limited or no warranty; and/or (b) Without the provision of source code. NULL United States 1
NIST 800-53 CM-7(8) (a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and (b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official. NULL United States 1
NIST 800-53 CM-7(9) (a) Identify [Assignment: organization-defined hardware components authorized for system use]; (b) Prohibit the use or connection of unauthorized hardware components; (c) Review and update the list of authorized hardware components [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-8 a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-8(1) Update the inventory of system components as part of component installations, removals, and system updates. NULL United States 1
NIST 800-53 CM-8(2) Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-8(3) (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. NULL United States 1
NIST 800-53 CM-8(4) Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. NULL United States 1
NIST 800-53 CM-6(4) [Withdrawn: Incorporated into CM-4.] NULL United States 1
NIST 800-53 CM-8(6) Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. NULL United States 1
NIST 800-53 CM-8(7) Provide a centralized repository for the inventory of system components. NULL United States 1
NIST 800-53 CM-8(8) Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 MA-3(2) (a) Assign system components to a system; and (b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment. NULL United States 1
NIST 800-53 CM-9 Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department and approval for connecting to the organisation's network; for software, the publisher, installation date, business purpose, URI, deployment mechanism and decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-9(1) Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development. NULL United States 1
NIST 800-53 CM-10 a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. NULL United States 1
NIST 800-53 CM-10(1) Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 CM-11 a. Establish [Assignment: organization-defined policies] governing the installation of software by users; b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and c. Monitor policy compliance [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-8(5) [Withdrawn: Incorporated into CM-8.] Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc. (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department and approval for connecting to the organisation's network; for software, the publisher, installation date, business purpose, URI, deployment mechanism and decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once; - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 CM-11(2) Allow user installation of software only with explicit privileged status. NULL United States 1
NIST 800-53 CM-11(3) Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-12 a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. Document changes to the location (i.e., system or system components) where the information is processed and stored. NULL United States 1
NIST 800-53 CM-12(1) Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. NULL United States 1
NIST 800-53 CM-13 Develop and document a map of system data actions. NULL United States 1
NIST 800-53 CM-14 Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. NULL United States 1
NIST 800-53 CP-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 CP-2 a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 CP-2(1) Coordinate contingency plan development with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 CP-2(2) Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. NULL United States 1
NIST 800-53 CP-2(3) Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. NULL United States 1
NIST 800-53 CP-10(1) [Withdrawn: Incorporated into CP-4.] NULL United States 1
NIST 800-53 CP-2(5) Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. NULL United States 1
NIST 800-53 CP-2(6) Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. NULL United States 1
NIST 800-53 CP-2(7) Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. NULL United States 1
NIST 800-53 CP-2(8) Identify critical system assets supporting [Selection: all; essential] mission and business functions. NULL United States 1
NIST 800-53 CP-3 a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 CP-3(1) Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. NULL United States 1
NIST 800-53 CP-3(2) Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment. NULL United States 1
NIST 800-53 CP-4 a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. b. Review the contingency plan test results; and c. Initiate corrective actions, if needed. NULL United States 1
NIST 800-53 CP-4(1) Coordinate contingency plan testing with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 CP-4(2) Test the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alternate processing site to support contingency operations. NULL United States 1
NIST 800-53 CP-4(3) Test the contingency plan using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CP-4(4) Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing. NULL United States 1
NIST 800-53 CP-4(5) Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. NULL United States 1
NIST 800-53 CP-10(3) [Withdrawn: Addressed through tailoring.] NULL United States 1
NIST 800-53 CP-6 a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. NULL United States 1
NIST 800-53 CP-6(1) Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-6(2) Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. NULL United States 1
NIST 800-53 CP-6(3) Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. NULL United States 1
NIST 800-53 CP-7 a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site. NULL United States 1
NIST 800-53 CP-7(1) Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-7(2) Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions. NULL United States 1
NIST 800-53 CP-7(3) Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). NULL United States 1
NIST 800-53 CP-7(4) Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. NULL United States 1
NIST 800-53 CP-10(5) [Withdrawn: Incorporated into SI-13.] NULL United States 1
NIST 800-53 CP-7(6) Plan and prepare for circumstances that preclude returning to the primary processing site. NULL United States 1
NIST 800-53 CP-8 Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. NULL United States 1
NIST 800-53 CP-8(1) (a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. NULL United States 1
NIST 800-53 CP-8(2) Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. NULL United States 1
NIST 800-53 CP-8(3) Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-8(4) (a) Require primary and alternate telecommunications service providers to have contingency plans; (b) Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and (c) Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CP-8(5) Test alternate telecommunication services [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CP-9 a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information. NULL United States 1
NIST 800-53 CP-9(1) Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. NULL United States 1
NIST 800-53 CP-9(2) Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. NULL United States 1
NIST 800-53 CP-9(3) Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. NULL United States 1
NIST 800-53 CP-2(4) [Withdrawn: Incorporated into CP-2(3).] NULL United States 1
NIST 800-53 CP-9(5) Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. NULL United States 1
NIST 800-53 CP-9(6) Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. NULL United States 1
NIST 800-53 CP-9(7) Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. NULL United States 1
NIST 800-53 CP-9(8) Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]. NULL United States 1
NIST 800-53 CP-10 Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. NULL United States 1
NIST 800-53 CP-5 [Withdrawn: Incorporated into CP-2.] NULL United States 1
NIST 800-53 CP-10(2) Implement transaction recovery for systems that are transaction-based. NULL United States 1
NIST 800-53 CP-7(5) [Withdrawn: Incorporated into CP-7.] NULL United States 1
NIST 800-53 CP-10(4) Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. NULL United States 1
NIST 800-53 CP-9(4) [Withdrawn: Incorporated into CP-9.] NULL United States 1
NIST 800-53 CP-10(6) Protect system components used for recovery and reconstitution. NULL United States 1
NIST 800-53 CP-11 Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. NULL United States 1
NIST 800-53 CP-12 When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. NULL United States 1
NIST 800-53 CP-13 Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. NULL United States 1
NIST 800-53 IA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] identification and authentication policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and c. Review and update the current identification and authentication: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented identification and authentication policy that outlines the following at a minimum: - management direction and support for identification and authentication; - requirement to comply with applicable laws and regulations; - policy on user identifiers; - policy on passwords and password updates; - policy on one-factor and multi-factor authentication security and usage; and - is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 IA-2 Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. NULL United States 1
NIST 800-53 IA-2(1) Implement multi-factor authentication for access to privileged accounts. NULL United States 1
NIST 800-53 IA-2(2) Implement multi-factor authentication for access to non-privileged accounts. NULL United States 1
NIST 800-53 IA-2(11) [Withdrawn: Incorporated into IA-2(6).] NULL United States 1
NIST 800-53 IA-2(3) [Withdrawn: Incorporated into IA-2(1).] NULL United States 1
NIST 800-53 IA-2(5) When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. NULL United States 1
NIST 800-53 IA-2(6) Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]. NULL United States 1
NIST 800-53 IA-2(4) [Withdrawn: Incorporated into IA-2(2).] NULL United States 1
NIST 800-53 IA-2(8) Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. NULL United States 1
NIST 800-53 IA-2(7) [Withdrawn: Incorporated into IA-2(6).] NULL United States 1
NIST 800-53 IA-2(10) Provide a single sign-on capability for [Assignment: organization-defined system accounts and services]. NULL United States 1
NIST 800-53 IA-2(9) [Withdrawn: Incorporated into IA-2(8).] NULL United States 1
NIST 800-53 IA-2(12) Accept and electronically verify Personal Identity Verification-compliant credentials. NULL United States 1
NIST 800-53 IA-2(13) Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication]. NULL United States 1
NIST 800-53 IA-3 Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. NULL United States 1
NIST 800-53 IA-3(1) Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. NULL United States 1
NIST 800-53 IA-3(2) [Withdrawn: Incorporated into IA-3(1).] NULL United States 1
NIST 800-53 IA-3(3) (a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audit lease information when assigned to a device. NULL United States 1
NIST 800-53 IA-3(4) Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process]. NULL United States 1
NIST 800-53 IA-4 Manage system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier; b. Selecting an identifier that identifies an individual, group, role, service, or device; c. Assigning the identifier to the intended individual, group, role, service, or device; and d. Preventing reuse of identifiers for [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 IA-4(1) Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts. NULL United States 1
NIST 800-53 IA-4(2) [Withdrawn: Incorporated into IA-12(1).] NULL United States 1
NIST 800-53 IA-4(3) [Withdrawn: Incorporated into IA-12(2).] NULL United States 1
NIST 800-53 IA-4(4) Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. NULL United States 1
NIST 800-53 IA-4(5) Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy]. NULL United States 1
NIST 800-53 IA-4(6) Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-4(7) [Withdrawn: Incorporated into IA-12(4).] NULL United States 1
NIST 800-53 IA-4(8) Generate pairwise pseudonymous identifiers. NULL United States 1
NIST 800-53 IA-4(9) Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage]. NULL United States 1
NIST 800-53 IA-5 Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes. NULL United States 1
NIST 800-53 IA-5(1) For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. NULL United States 1
NIST 800-53 IA-5(2) (a) For public key-based authentication: (1) Enforce authorized access to the corresponding private key; and (2) Map the authenticated identity to the account of the individual or group; and (b) When public key infrastructure (PKI) is used: (1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and (2) Implement a local cache of revocation data to support path discovery and validation. NULL United States 1
NIST 800-53 IA-5(11) [Withdrawn: Incorporated into IA-2(1) and IA-2(2).] NULL United States 1
NIST 800-53 IA-5(3) [Withdrawn: Incorporated into IA-12(4).] NULL United States 1
NIST 800-53 IA-5(5) Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. NULL United States 1
NIST 800-53 IA-5(6) Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. NULL United States 1
NIST 800-53 IA-5(7) Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage. NULL United States 1
NIST 800-53 IA-5(8) Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems. NULL United States 1
NIST 800-53 IA-5(9) Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-5(10) Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules]. NULL United States 1
NIST 800-53 IA-5(4) [Withdrawn: Incorporated into IA-5(1).] NULL United States 1
NIST 800-53 IA-5(12) For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements]. NULL United States 1
NIST 800-53 IA-5(13) Prohibit the use of cached authenticators after [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 IA-5(14) For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications. NULL United States 1
NIST 800-53 IA-5(15) Use only General Services Administration-approved products and services for identity, credential, and access management. NULL United States 1
NIST 800-53 IA-5(16) Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 IA-5(17) Employ presentation attack detection mechanisms for biometric-based authentication. NULL United States 1
NIST 800-53 IA-5(18) (a) Employ [Assignment: organization-defined password managers] to generate and manage passwords; and (b) Protect the passwords using [Assignment: organization-defined controls]. NULL United States 1
NIST 800-53 IA-6 Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. NULL United States 1
NIST 800-53 IA-7 Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. NULL United States 1
NIST 800-53 IA-8 Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. NULL United States 1
NIST 800-53 IA-8(1) Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. NULL United States 1
NIST 800-53 IA-8(2) (a) Accept only external authenticators that are NIST-compliant; and (b) Document and maintain a list of accepted external authenticators. NULL United States 1
NIST 800-53 IA-8(3) [Withdrawn: Incorporated into IA-8(2).] NULL United States 1
NIST 800-53 IA-8(4) Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. NULL United States 1
NIST 800-53 IA-8(5) Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy]. NULL United States 1
NIST 800-53 IA-8(6) Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures]. NULL United States 1
NIST 800-53 IA-9 Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications. NULL United States 1
NIST 800-53 PE-10 [Withdrawn: Incorporated into IA-9.] NULL United States 1
NIST 800-53 IA-9(2) [Withdrawn: Incorporated into IA-9.] NULL United States 1
NIST 800-53 IA-10 Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. NULL United States 1
NIST 800-53 IA-11 Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. NULL United States 1
NIST 800-53 IA-12 a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; b. Resolve user identities to a unique individual; and c. Collect, validate, and verify identity evidence. NULL United States 1
NIST 800-53 IA-12(1) Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization. NULL United States 1
NIST 800-53 IA-12(2) Require evidence of individual identification be presented to the registration authority. NULL United States 1
NIST 800-53 IA-12(3) Require that the presented identity evidence be validated and verified through [Assignment: organizational defined methods of validation and verification]. NULL United States 1
NIST 800-53 IA-12(4) Require that the validation and verification of identity evidence be conducted in person before a designated registration authority. NULL United States 1
NIST 800-53 IA-12(5) Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify the user's address (physical or digital) of record. NULL United States 1
NIST 800-53 IA-12(6) Accept externally-proofed identities at [Assignment: organization-defined identity assurance level]. NULL United States 1
NIST 800-53 IR-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] incident response policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and c. Review and update the current incident response: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for; - which events are logged; - policies relating to incident response, including a roadmap for an incident response capability if not already implemented; - personnel security; - physical and environmental protections; - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 IR-2 a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 IR-2(1) Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. NULL United States 1
NIST 800-53 IR-2(2) Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-2(3) Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach. NULL United States 1
NIST 800-53 IR-3 Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. NULL United States 1
NIST 800-53 IR-3(1) Test the incident response capability using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-3(2) Coordinate incident response testing with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 IR-3(3) Use qualitative and quantitative data from testing to: (a) Determine the effectiveness of incident response processes; (b) Continuously improve incident response processes; and (c) Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format. NULL United States 1
NIST 800-53 IR-4 a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. NULL United States 1
NIST 800-53 IR-4(1) Support the incident handling process using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 IR-4(2) Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration]. NULL United States 1
NIST 800-53 IR-4(3) Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents]. NULL United States 1
NIST 800-53 IR-4(4) Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response. NULL United States 1
NIST 800-53 IR-4(5) Implement a configurable capability to automatically disable the system if [Assignment: organization-defined security violations] are detected. NULL United States 1
NIST 800-53 IR-4(6) Implement an incident handling capability for incidents involving insider threats. NULL United States 1
NIST 800-53 IR-4(7) Coordinate an incident handling capability for insider threats that includes the following organizational entities [Assignment: organization-defined entities]. NULL United States 1
NIST 800-53 IR-4(8) Coordinate with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses. NULL United States 1
NIST 800-53 IR-4(9) Employ [Assignment: organization-defined dynamic response capabilities] to respond to incidents. NULL United States 1
NIST 800-53 IR-4(10) Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain. NULL United States 1
NIST 800-53 IR-4(11) Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 IR-4(12) Analyze malicious code and/or other residual artifacts remaining in the system after the incident. NULL United States 1
NIST 800-53 CM-5(1) Analyze anomalous or suspected adversarial behavior in or related to [Assignment: organization-defined environments or resources]. NULL United States 1
NIST 800-53 IR-4(14) Establish and maintain a security operations center. NULL United States 1
NIST 800-53 IR-4(15) (a) Manage public relations associated with an incident; and (b) Employ measures to repair the reputation of the organization. NULL United States 1
NIST 800-53 CM-5(4) Track and document incidents. NULL United States 1
NIST 800-53 IR-5(1) Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-5(5) (a) Limit privileges to change system components and system-related information within a production or operational environment; and (b) Review and reevaluate privileges [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-5(6) Limit privileges to change software resident within software libraries. NULL United States 1
NIST 800-53 CM-5(3) [Withdrawn: Moved to CM-14.] NULL United States 1
NIST 800-53 CM-6 a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. NULL United States 1
NIST 800-53 CM-6(1) Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CM-6(2) Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 CM-5(7) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 CM-6(3) [Withdrawn: Incorporated into SI-7.] NULL United States 1
NIST 800-53 CM-7 a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]. NULL United States 1
NIST 800-53 CM-7(1) (a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure]. NULL United States 1
NIST 800-53 CM-7(2) Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. NULL United States 1
NIST 800-53 CM-7(3) Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. NULL United States 1
NIST 800-53 CM-7(5) (a) Identify [Assignment: organization-defined software programs authorized to execute on the system]; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-7(7) Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is: (a) Obtained from sources with limited or no warranty; and/or (b) Without the provision of source code. NULL United States 1
NIST 800-53 CM-7(8) (a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and (b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official. NULL United States 1
NIST 800-53 CM-8 a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and b. Review and update the system component inventory [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CM-8(2) Update the inventory of system components as part of component installations, removals, and system updates. NULL United States 1
NIST 800-53 CM-8(4) (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]]. NULL United States 1
NIST 800-53 CM-8(6) [Withdrawn: Incorporated into CM-4.] NULL United States 1
NIST 800-53 CM-8(8) Provide a centralized repository for the inventory of system components. NULL United States 1
NIST 800-53 CM-8(9) (a) Assign system components to a system; and (b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment. NULL United States 1
NIST 800-53 CM-9 Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 CM-9(1) Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development. NULL United States 1
NIST 800-53 CM-10 a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. NULL United States 1
NIST 800-53 CM-10(1) Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. NULL United States 1
NIST 800-53 CM-11 a. Establish [Assignment: organization-defined policies] governing the installation of software by users; b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and c. Monitor policy compliance [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 MA-4 a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed. NULL United States 1
NIST 800-53 CM-11(2) Allow user installation of software only with explicit privileged status. NULL United States 1
NIST 800-53 CM-12 [Withdrawn: Incorporated into MA-1 and MA-4.] NULL United States 1
NIST 800-53 CM-12(1) Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. NULL United States 1
NIST 800-53 CM-13 Develop and document a map of system data actions. NULL United States 1
NIST 800-53 CM-14 Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. NULL United States 1
NIST 800-53 CP-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 CP-2 a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 CP-2(1) Coordinate contingency plan development with organizational elements responsible for related plans. NULL United States 1
NIST 800-53 CP-2(2) Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. NULL United States 1
NIST 800-53 CP-10(1) Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. NULL United States 1
NIST 800-53 CP-2(5) Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites. NULL United States 1
NIST 800-53 CP-2(7) Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. NULL United States 1
NIST 800-53 CP-3 Identify critical system assets supporting [Selection: all; essential] mission and business functions. NULL United States 1
NIST 800-53 CP-3(2) Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. NULL United States 1
NIST 800-53 CP-4 a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. b. Review the contingency plan test results; and c. Initiate corrective actions, if needed. NULL United States 1
NIST 800-53 CP-4(2) Test the contingency plan at the alternate processing site: (a) To familiarize contingency personnel with the facility and available resources; and (b) To evaluate the capabilities of the alternate processing site to support contingency operations. NULL United States 1
NIST 800-53 CP-4(4) Test the contingency plan using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 CP-4(5) Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. NULL United States 1
NIST 800-53 CP-6 a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. NULL United States 1
NIST 800-53 CP-6(2) Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. NULL United States 1
NIST 800-53 CP-7 a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site. NULL United States 1
NIST 800-53 CP-7(2) Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-7(3) Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). NULL United States 1
NIST 800-53 CP-10(5) [Withdrawn: Incorporated into SI-13.] NULL United States 1
NIST 800-53 CP-8 Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. NULL United States 1
NIST 800-53 CP-8(2) (a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (b) Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. NULL United States 1
NIST 800-53 CP-8(3) Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. NULL United States 1
NIST 800-53 CP-8(5) Test alternate telecommunication services [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 CP-9(1) Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. NULL United States 1
NIST 800-53 CP-9(3) Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. NULL United States 1
NIST 800-53 CP-9(5) Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. NULL United States 1
NIST 800-53 CP-9(7) Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. NULL United States 1
NIST 800-53 MP-6(1) Review, approve, track, document, and verify media sanitization and disposal actions. NULL United States 1
NIST 800-53 MP-6(2) Test sanitization equipment and procedures [Assignment: organization-defined frequency] to ensure that the intended sanitization is being achieved. NULL United States 1
NIST 800-53 MP-6(3) Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. NULL United States 1
NIST 800-53 MP-6(4) [Withdrawn: Incorporated into MP-6.] NULL United States 1
NIST 800-53 MP-6(5) [Withdrawn: Incorporated into MP-6.] NULL United States 1
NIST 800-53 MP-6(6) [Withdrawn: Incorporated into MP-6.] NULL United States 1
NIST 800-53 MP-6(7) Enforce dual authorization for the sanitization of [Assignment: organization-defined system media]. NULL United States 1
NIST 800-53 MP-6(8) Provide the capability to purge or wipe information from [Assignment: organization-defined systems or system components] [Selection: remotely; under the following conditions: [Assignment: organization-defined conditions]]. NULL United States 1
NIST 800-53 MP-7 a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls]; and b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner. NULL United States 1
NIST 800-53 MP-7(1) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 MP-7(2) Prohibit the use of sanitization-resistant media in organizational systems. NULL United States 1
NIST 800-53 MP-8 a. Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; b. Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information; c. Identify [Assignment: organization-defined system media requiring downgrading]; and d. Downgrade the identified system media using the established process. NULL United States 1
NIST 800-53 MP-8(1) Document system media downgrading actions. NULL United States 1
NIST 800-53 MP-8(2) Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved. NULL United States 1
NIST 800-53 MP-8(3) Downgrade system media containing controlled unclassified information prior to public release. NULL United States 1
NIST 800-53 MP-8(4) Downgrade system media containing classified information prior to release to individuals without required access authorizations. NULL United States 1
NIST 800-53 IA-2(5) When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. NULL United States 1
NIST 800-53 IA-2(4) [Withdrawn: Incorporated into IA-2(2).] NULL United States 1
NIST 800-53 IA-2(8) Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. NULL United States 1
NIST 800-53 IA-2(10) Provide a single sign-on capability for [Assignment: organization-defined system accounts and services]. NULL United States 1
NIST 800-53 IA-2(12) Accept and electronically verify Personal Identity Verification-compliant credentials. NULL United States 1
NIST 800-53 IA-2(13) Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication]. NULL United States 1
NIST 800-53 IA-3(1) Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. NULL United States 1
NIST 800-53 IA-3(3) (a) Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and (b) Audit lease information when assigned to a device. NULL United States 1
NIST 800-53 IA-3(4) Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process]. NULL United States 1
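The replay-resistant authentication enhancement above and the cryptographically based bidirectional device authentication in IA-3(1) describe the same mechanism from two sides: each party proves possession of a key over a nonce the other party chose, so a captured response is useless against any later challenge. The exchange below is an added example for this page, not code from GESS or NIST. It assumes a per-device pre-shared HMAC key provisioned out of band and a device identifier `sensor-0042`, both constructed here; a certificate-based handshake such as mutual TLS satisfies the same requirement, the HMAC form simply keeps the nonce binding visible.

```python
import hmac
import secrets

DEVICE_ID = "sensor-0042"               # constructed device identifier
DEVICE_KEY = secrets.token_bytes(32)    # constructed pre-shared key (provisioned out of band)


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod="sha256")
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Server:
    def __init__(self, device_keys: dict):
        self.keys = device_keys
        self.pending = {}   # device_id -> outstanding server nonce (single use)

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id: str, device_nonce: bytes, response: bytes):
        """Return the server's proof if the device response is fresh and valid, else None."""
        key = self.keys.get(device_id)
        server_nonce = self.pending.pop(device_id, None)   # consume: one response per challenge
        if key is None or server_nonce is None:
            return None
        expected = mac(key, b"device->server", device_id.encode(), server_nonce, device_nonce)
        if not hmac.compare_digest(expected, response):
            return None
        # Bidirectional: the server proves key possession over the device's nonce.
        return mac(key, b"server->device", device_id.encode(), device_nonce, server_nonce)


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.id = device_id
        self.key = key
        self.nonce = None

    def respond(self, server_nonce: bytes):
        self.nonce = secrets.token_bytes(16)   # fresh per attempt; binds the server's proof
        response = mac(self.key, b"device->server", self.id.encode(), server_nonce, self.nonce)
        return self.nonce, response

    def verify_server(self, server_nonce: bytes, proof: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = mac(self.key, b"server->device", self.id.encode(), self.nonce, server_nonce)
        self.nonce = None
        return hmac.compare_digest(expected, proof)


def authenticate(server: Server, device: Device) -> bool:
    """Full mutual exchange: challenge, device response, server proof, device check."""
    server_nonce = server.challenge(device.id)
    device_nonce, response = device.respond(server_nonce)
    proof = server.verify_device(device.id, device_nonce, response)
    return proof is not None and device.verify_server(server_nonce, proof)


def replay_attempt(server: Server, device: Device) -> bool:
    """Record one legitimate exchange, then replay the captured response to a new challenge."""
    server_nonce = server.challenge(device.id)
    captured = device.respond(server_nonce)            # attacker records (device nonce, response)
    assert server.verify_device(device.id, *captured) is not None
    server.challenge(device.id)                        # new session, new server nonce
    return server.verify_device(device.id, *captured) is not None   # False: replay rejected
```

The server discards its nonce the moment a response arrives, so even a response replayed against the same challenge fails; the device discards its own nonce after checking the server's proof for the same reason. Note what the protocol does not give you: confidentiality of the session, or protection of the pre-shared key at rest on the device, which is where the attestation-based identification in IA-3(4) comes in.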
NIST 800-53 IA-4(1) Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts. NULL United States 1
NIST 800-53 IA-4(3) [Withdrawn: Incorporated into IA-12(1).] NULL United States 1
NIST 800-53 IA-4(4) Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. NULL United States 1
NIST 800-53 IA-4(6) Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-4(8) Generate pairwise pseudonymous identifiers. NULL United States 1
NIST 800-53 IA-5 Manage system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b. Establishing initial authenticator content for any authenticators issued by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e. Changing default authenticators prior to first use; f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur; g. Protecting authenticator content from unauthorized disclosure and modification; h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i. Changing authenticators for group or role accounts when membership to those accounts changes. NULL United States 1
NIST 800-53 IA-5(1) For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. NULL United States 1
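Items (a), (b), (d) and (f) of the password-based authentication requirements above are the ones a verifier implements in code: check new passwords against the compromised list, store them under a salted key derivation function with a server-side key, and keep spaces and every printable character significant. The verifier below is an added example for this page, not GESS or NIST code. Everything in it is constructed: `BLOCKLIST` stands in for the organisation's compromised-password list (a real deployment loads a large, regularly refreshed list), `PEPPER` for a server-side key held outside the password database, and the iteration count is a current OWASP-level figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import secrets
import unicodedata

# (a)/(b): small constructed stand-in for the commonly-used/compromised list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}

# (d): server-side key for the keyed hash. Constructed constant here; in
# production generate it with secrets.token_bytes(32) and keep it in an HSM or
# secrets manager, never in the same store as the password records.
PEPPER = bytes.fromhex("7f3a9c1e5b2d4f6081a3c5e7f9b1d3f5a7c9e1b3d5f7091b3d5f7a9c1e3b5d7f")

PBKDF2_ITERATIONS = 600_000
MIN_LENGTH = 8
MAX_LENGTH = 256   # (f): long passphrases allowed; capped only to bound KDF cost


def normalize(password: str) -> str:
    # NFKC so the same visible passphrase always hashes identically. Nothing is
    # trimmed or filtered: spaces and all printable characters are significant.
    return unicodedata.normalize("NFKC", password)


def is_blocked(password: str) -> bool:
    """(b): reject listed passwords, including trivial digit/symbol suffix variants."""
    p = normalize(password).lower()
    return p in BLOCKLIST or p.rstrip("0123456789!@#$%") in BLOCKLIST


def check_policy(password: str) -> list:
    """Return the list of policy violations; empty means the password is acceptable."""
    p = normalize(password)
    problems = []
    if len(p) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(p) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_blocked(p):
        problems.append("appears on the commonly-used or compromised password list")
    return problems


def hash_password(password: str) -> dict:
    """(d): per-user salt + PBKDF2-HMAC-SHA256, then HMAC under the server pepper."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS)
    keyed = hmac.new(PEPPER, derived, "sha256").digest()
    return {"alg": "pbkdf2-sha256+hmac-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": keyed.hex()}


def verify_password(password: str, record: dict) -> bool:
    derived = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                                  bytes.fromhex(record["salt"]), record["iterations"])
    keyed = hmac.new(PEPPER, derived, "sha256").digest()
    # Constant-time comparison so a timing side channel cannot leak hash prefixes.
    return hmac.compare_digest(keyed, bytes.fromhex(record["hash"]))


def enrol(password: str) -> dict:
    """Policy check at creation/update time (b), then store the keyed hash (d)."""
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(password)
```

Items (c) and (e) sit outside this module: the transport requirement is met by terminating TLS in front of the service, and "new password on account recovery" is a flag on the account record that forces `enrol` before the next successful login. The pepper is what makes the hash "keyed": an attacker who dumps the password table alone cannot start offline guessing without it, which is why it must not be stored alongside the records.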
NIST 800-53 IA-5(11) [Withdrawn: Incorporated into IA-2(1) and IA-2(2).] NULL United States 1
NIST 800-53 IA-5(5) Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. NULL United States 1
NIST 800-53 IA-5(7) Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage. NULL United States 1
NIST 800-53 IA-5(9) Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations]. NULL United States 1
NIST 800-53 IA-5(4) [Withdrawn: Incorporated into IA-5(1).] NULL United States 1
NIST 800-53 IA-5(12) For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements]. NULL United States 1
NIST 800-53 IA-5(14) For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications. NULL United States 1
NIST 800-53 IA-5(16) Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 IA-5(18) [Withdrawn: Incorporated into CA-8.] NULL United States 1
NIST 800-53 IA-6 Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. NULL United States 1
NIST 800-53 IA-8(1) Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. NULL United States 1
NIST 800-53 IA-8(2) (a) Accept only external authenticators that are NIST-compliant; and (b) Document and maintain a list of accepted external authenticators. NULL United States 1
NIST 800-53 IA-8(4) Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. NULL United States 1
NIST 800-53 IA-8(5) Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy]. NULL United States 1
NIST 800-53 IA-8(6) Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures]. NULL United States 1
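Pairwise pseudonymous identifiers (IA-4(8) above) are one concrete disassociation measure for the row immediately above: the credential service provider hands each relying party a different, stable subject identifier for the same person, so two relying parties cannot join their records on it, while the provider can still re-derive the mapping. The code below is an added example for this page, not GESS or NIST code. It follows the pairwise algorithm of OpenID Connect Core 1.0 section 8.1 (sector identifier plus local account identifier plus a provider secret), using HMAC-SHA256 with a provider-side key in place of a salt; the key, the account identifier and the relying-party URLs are all constructed.

```python
import hmac
from urllib.parse import urlsplit

# Constructed provider-side key. Rotating it changes every pairwise subject
# identifier at once, so in practice it is long-lived and protected like a
# token-signing key.
PAIRWISE_KEY = bytes.fromhex("a1" * 32)


def sector_identifier(redirect_uri: str) -> str:
    """Sector = lower-cased host of the relying party's redirect URI.

    A relying party whose redirect URIs span several hosts must register a
    sector_identifier_uri instead; the host is what this function keys on.
    """
    host = urlsplit(redirect_uri).hostname
    if not host:
        raise ValueError(f"redirect URI has no host: {redirect_uri!r}")
    return host.lower()


def pairwise_sub(local_account_id: str, sector: str) -> str:
    """Stable per-(account, sector) identifier; unlinkable across sectors without the key."""
    msg = sector.encode("utf-8") + b"\x00" + local_account_id.encode("utf-8")
    return hmac.new(PAIRWISE_KEY, msg, "sha256").hexdigest()


def issue_sub(local_account_id: str, redirect_uri: str) -> str:
    """What goes into the `sub` claim of a token issued to this relying party."""
    return pairwise_sub(local_account_id, sector_identifier(redirect_uri))


def can_correlate(sub_a: str, sub_b: str) -> bool:
    """All two colluding relying parties can do with the identifiers alone: compare them."""
    return hmac.compare_digest(sub_a, sub_b)


def demo() -> dict:
    """Constructed scenario: one student, an LMS and a library service as relying parties."""
    user = "student-18823"                                   # constructed internal account id
    lms = issue_sub(user, "https://lms.example.edu/oidc/callback")
    lms_again = issue_sub(user, "HTTPS://LMS.EXAMPLE.EDU/oidc/other-callback")
    library = issue_sub(user, "https://library.example.org/cb")
    return {"lms": lms, "lms_again": lms_again, "library": library}
```

The HMAC is one-way, so a relying party cannot recover the internal account identifier from its `sub`, and the sector is mixed into the key stream so identifiers across sectors look unrelated. The measure only holds if other released attributes (email, student number) do not re-link the accounts, which is why the row above speaks of disassociating user attributes as well as identifiers.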
NIST 800-53 IA-9(1) [Withdrawn: Incorporated into IA-9.] NULL United States 1
NIST 800-53 PE-10 a. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations; b. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and c. Protect emergency power shutoff capability from unauthorized activation. NULL United States 1
NIST 800-53 PE-5(3) [Withdrawn: Incorporated into PE-22.] NULL United States 1
NIST 800-53 PE-11 Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss. NULL United States 1
NIST 800-53 PE-11(1) Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that can maintain minimally required operational capability in the event of an extended loss of the primary power source. NULL United States 1
NIST 800-53 PE-11(2) Provide an alternate power supply for the system that is activated [Selection: manually; automatically] and that is: (a) Self-contained; (b) Not reliant on external power generation; and (c) Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source. NULL United States 1
NIST 800-53 PE-12 Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. NULL United States 1
NIST 800-53 PE-12(1) Provide emergency lighting for all areas within the facility supporting essential mission and business functions. NULL United States 1
NIST 800-53 PE-13 Employ and maintain fire detection and suppression systems that are supported by an independent energy source. NULL United States 1
NIST 800-53 PE-13(1) Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire. NULL United States 1
NIST 800-53 PE-13(2) (a) Employ fire suppression systems that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]; and (b) Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis. NULL United States 1
NIST 800-53 PE-7 [Withdrawn: Incorporated into PE-2 and PE-3.] NULL United States 1
NIST 800-53 PE-13(4) Ensure that the facility undergoes [Assignment: organization-defined frequency] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 PE-14 a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and b. Monitor environmental control levels [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PE-14(1) Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [Assignment: organization-defined automatic environmental controls]. NULL United States 1
NIST 800-53 PE-14(2) Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 PE-15 Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. NULL United States 1
NIST 800-53 IR-2 a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access; 2. When required by system changes; and 3. [Assignment: organization-defined frequency] thereafter; and b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 IR-2(1) Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. NULL United States 1
NIST 800-53 IR-2(2) Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 SI-4(24) Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. NULL United States 1
NIST 800-53 SI-4(25) Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. NULL United States 1
NIST 800-53 SI-5(1) Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 SI-4(8) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 SI-6(3) Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 SI-7(1) Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. NULL United States 1
NIST 800-53 SI-7(3) Employ centrally managed integrity verification tools. NULL United States 1
NIST 800-53 SI-7(5) Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered. NULL United States 1
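SI-7(1), SI-7(3) and SI-7(5) above together describe a startup integrity check against a centrally managed reference and an automatic response when it fails. The code below is an added example for this page, not GESS or NIST code: a manifest of SHA-256 digests is authenticated with an HMAC key (constructed here; a centrally managed tool would sign the manifest with an offline key and ship only the public key to hosts), checked at startup, and the response is chosen from the SI-7(5) selection per violation class. The install tree in `demo()` is constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed key authenticating the manifest so it cannot be edited along with
# the files. A central integrity tool would sign it with an offline key instead.
MANIFEST_KEY = bytes.fromhex("5c" * 32)

# SI-7(5) selection: configured action per violation class; the most severe wins.
RESPONSE_POLICY = {"manifest": "shutdown", "modified": "shutdown",
                   "missing": "restart", "unexpected": "alert"}
SEVERITY = {"none": 0, "alert": 1, "restart": 2, "shutdown": 3}


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_files(root: Path) -> dict:
    return {str(p.relative_to(root)).replace(os.sep, "/"): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path) -> dict:
    """Digest every file under root and authenticate the resulting table."""
    files = {rel: file_digest(p) for rel, p in _relative_files(root).items()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()}


def verify(root: Path, manifest: dict) -> list:
    """Return violations as 'class:path' strings; an empty list means intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(MANIFEST_KEY, body, "sha256").hexdigest(),
                               manifest["mac"]):
        return ["manifest:authentication failed"]   # the file table itself is untrusted
    present = _relative_files(root)
    violations = []
    for rel, expected in manifest["files"].items():
        if rel not in present:
            violations.append(f"missing:{rel}")
        elif not hmac.compare_digest(file_digest(present[rel]), expected):
            violations.append(f"modified:{rel}")
    for rel in sorted(present.keys() - manifest["files"].keys()):
        violations.append(f"unexpected:{rel}")
    return violations


def respond(violations: list) -> str:
    """Pick the most severe configured SI-7(5) action across all violations."""
    action = "none"
    for v in violations:
        candidate = RESPONSE_POLICY[v.split(":", 1)[0]]
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action


def demo() -> dict:
    """Constructed install tree: clean check, then tamper, then forge the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF constructed binary\n")
        (root / "agent.conf").write_text("log_level = info\n")
        manifest = build_manifest(root)
        clean = verify(root, manifest)
        (root / "bin" / "agent").write_bytes(b"\x7fELF trojaned binary\n")  # tampered
        (root / "bin" / "helper.so").write_bytes(b"dropped file\n")           # implanted
        (root / "agent.conf").unlink()                                        # removed
        tampered = verify(root, manifest)
        manifest["files"]["bin/agent"] = file_digest(root / "bin" / "agent")  # attacker edits table
        forged = verify(root, manifest)
    return {"clean": clean, "tampered": tampered, "forged": forged,
            "clean_action": respond(clean), "tampered_action": respond(tampered)}
```

Two details matter in practice. The manifest check comes first and short-circuits: once its authentication fails, nothing in the table is trusted, which defeats the attacker who patches a binary and its listed digest together. And the policy maps violation classes to actions rather than hard-coding "shutdown", because SI-7(5) lets the organisation choose; an unexpected file in a log directory may warrant an alert where a modified binary warrants a halt.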
NIST 800-53 PL-2 a. Develop security and privacy plans for the system that: 1. Are consistent with the organization’s enterprise architecture; 2. Explicitly define the constituent system components; 3. Describe the operational context of the system in terms of mission and business processes; 4. Identify the individuals that fulfill system roles and responsibilities; 5. Identify the information types processed, stored, and transmitted by the system; 6. Provide the security categorization of the system, including supporting rationale; 7. Describe any specific threats to the system that are of concern to the organization; 8. Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10. Provide an overview of the security and privacy requirements for the system; 11. Identify any relevant control baselines or overlays, if applicable; 12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13. Include risk determinations for security and privacy architecture and design decisions; 14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and 15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation. b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles]; c. Review the plans [Assignment: organization-defined frequency]; d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and e. Protect the plans from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 PL-2(1) [Withdrawn: Incorporated into PL-7.] NULL United States 1
NIST 800-53 PL-2(2) [Withdrawn: Incorporated into PL-8.] NULL United States 1
NIST 800-53 PL-2(3) [Withdrawn: Incorporated into PL-2.] Does your organisation have a documented and implemented systems and services acquisition policy that outlines the following at a minimum: - management direction and support for planning around systems and services acquisition; - requirement to comply with applicable laws and regulations; - policy that governs the acquisition of resources, including security and privacy requirements and acceptance criteria; - requiring the developer of the system or service to provide: a description of the functional properties of any security controls; relevant design and implementation information for security controls; a listing of all functions, ports, protocols and services in use; conformance with NIST FIPS 201-3 for any Personal Identity Verification functionality (smart card or equivalent for access to premises); - requirement for administrator documentation covering secure configuration, use and maintenance, and known vulnerabilities; - requirement for user documentation covering the security and privacy functionality users can access, secure user interaction, and user responsibilities; - logging of unsuccessful attempts to obtain documentation; and - is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 PL-3 [Withdrawn: Incorporated into PL-2.] NULL United States 1
NIST 800-53 PL-4 a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined frequency]; when the rules are revised or updated]. Within your organisation, which agreements are all vendor staff, external contractors and associates who have access to user data or user content required to sign? NULL Security - HR United States 1
NIST 800-53 PL-4(1) Include in the rules of behavior, restrictions on: (a) Use of social media, social networking sites, and external sites/applications; (b) Posting organizational information on public websites; and (c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. Within your organisation, which agreements are all vendor staff, external contractors and associates who have access to user data or user content required to sign? NULL Security - HR United States 1
NIST 800-53 PL-5 [Withdrawn: Incorporated into RA-8.] NULL United States 1
NIST 800-53 PL-6 [Withdrawn: Incorporated into PL-2.] NULL United States 1
NIST 800-53 PL-7 a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and b. Review and update the CONOPS [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PL-8 a. Develop security and privacy architectures for the system that: 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; 2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; 3. Describe how the architectures are integrated into and support the enterprise architecture; and 4. Describe any assumptions about, and dependencies on, external systems and services; b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. Does the service's application development have the following characteristics:
  • Environments are separated into at least development, testing and production environments;
  • Development and modification of software only takes place in development environments;
  • Unauthorised access to the authoritative software source is prevented;
  • Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organisation's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development);
  • Applies the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) for all software development activities;
  • Privacy-by-design principles;
  • Threat modelling is used in support of application development; and
  • Alignment to a security and privacy architecture that has been drawn up for the system?
NULL Security - Plans and Quality United States 1
NIST 800-53 PL-8(1) Design the security and privacy architectures for the system using a defense-in-depth approach that: (a) Allocates [Assignment: organization-defined controls] to [Assignment: organization-defined locations and architectural layers]; and (b) Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner. NULL United States 1
NIST 800-53 PL-8(2) Require that [Assignment: organization-defined controls] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers. NULL United States 1
NIST 800-53 PL-9 Centrally manage [Assignment: organization-defined controls and related processes]. NULL United States 1
NIST 800-53 PL-10 Select a control baseline for the system. NULL United States 1
NIST 800-53 PL-11 Tailor the selected control baseline by applying specified tailoring actions. NULL United States 1
NIST 800-53 PM-1 a. Develop and disseminate an organization-wide information security program plan that: 1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; 2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; 3. Reflects the coordination among organizational entities responsible for information security; and 4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; b. Review and update the organization-wide information security program plan [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and c. Protect the information security program plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 PM-2 Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. NULL United States 1
NIST 800-53 PM-3 a. Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; b. Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and c. Make available for expenditure, the planned information security and privacy resources. NULL United States 1
NIST 800-53 PM-4 a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: 1. Are developed and maintained; 2. Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and 3. Are reported in accordance with established reporting requirements. b. Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. NULL United States 1
NIST 800-53 PM-5 Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems. NULL United States 1
NIST 800-53 PM-5(1) Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information. NULL United States 1
NIST 800-53 PM-6 Develop, monitor, and report on the results of information security and privacy measures of performance. NULL United States 1
NIST 800-53 PM-7 Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation. NULL United States 1
NIST 800-53 PM-7(1) Offload [Assignment: organization-defined non-essential functions or services] to other systems, system components, or an external provider. NULL United States 1
NIST 800-53 PM-8 Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. NULL United States 1
NIST 800-53 PM-9 a. Develops a comprehensive strategy to manage: 1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and 2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information; b. Implement the risk management strategy consistently across the organization; and c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes. NULL United States 1
NIST 800-53 PM-10 a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and c. Integrate the authorization processes into an organization-wide risk management program. NULL United States 1
NIST 800-53 PM-11 a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c. Review and revise the mission and business processes [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-12 Implement an insider threat program that includes a cross-discipline insider threat incident handling team. NULL United States 1
NIST 800-53 PM-13 Establish a security and privacy workforce development and improvement program. NULL United States 1
NIST 800-53 PM-14 a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained; and 2. Continue to be executed; and b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. NULL United States 1
NIST 800-53 PM-15 Establish and institutionalize contact with selected groups and associations within the security and privacy communities: a. To facilitate ongoing security and privacy education and training for organizational personnel; b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and c. To share current security and privacy information, including threats, vulnerabilities, and incidents. NULL United States 1
NIST 800-53 PM-16 Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence. NULL United States 1
NIST 800-53 PM-16(1) Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information. NULL United States 1
NIST 800-53 PM-17 a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-18 a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: 1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; 2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements; 3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities; 4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program; 5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and 6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and b. Update the plan [Assignment: organization-defined frequency] and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. NULL United States 1
NIST 800-53 PM-19 Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. NULL United States 1
NIST 800-53 PM-20 Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy; b. Ensures that organizational privacy practices and reports are publicly available; and c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. NULL United States 1
NIST 800-53 PM-20(1) Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: (a) Are written in plain language and organized in a way that is easy to understand and navigate; (b) Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and (c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes. NULL United States 1
NIST 800-53 PM-21 a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1. Date, nature, and purpose of each disclosure; and 2. Name and address, or other contact information of the individual or organization to which the disclosure was made; b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. NULL United States 1
NIST 800-53 PM-22 Develop and document organization-wide policies and procedures for: a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle; b. Correcting or deleting inaccurate or outdated personally identifiable information; c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and d. Appeals of adverse decisions on correction or deletion requests. NULL United States 1
NIST 800-53 PM-23 Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment: organization-defined responsibilities]. NULL United States 1
NIST 800-53 PM-24 Establish a Data Integrity Board to: a. Review proposals to conduct or participate in a matching program; and b. Conduct an annual review of all matching programs in which the agency has participated. NULL United States 1
NIST 800-53 PM-25 a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes; c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and d. Review and update policies and procedures [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-26 Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: a. Mechanisms that are easy to use and readily accessible by the public; b. All information necessary for successfully filing complaints; c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]; and e. Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 PM-27 a. Develop [Assignment: organization-defined privacy reports] and disseminate to: 1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and 2. [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program compliance; and b. Review and update privacy reports [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-28 a. Identify and document: 1. Assumptions affecting risk assessments, risk responses, and risk monitoring; 2. Constraints affecting risk assessments, risk responses, and risk monitoring; 3. Priorities and trade-offs considered by the organization for managing risk; and 4. Organizational risk tolerance; b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and c. Review and update risk framing considerations [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-29 a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization. NULL United States 1
NIST 800-53 PM-30 a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; 1. Implement the supply chain risk management strategy consistently across the organization; and (a) Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required, to address organizational changes. NULL United States 1
NIST 800-53 PM-30(1) Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services. NULL United States 1
NIST 800-53 PM-31 Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PM-32 Analyze [Assignment: organization-defined systems or systems components] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose. NULL United States 1
NIST 800-53 PS-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personnel security policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personnel security policy and procedures; and c. Review and update the current personnel security: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for; - which events are logged; - policies relating to incident response, including a roadmap for an incident response capability if not already implemented; - personnel security; - physical and environmental protections; - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Is the policy reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 PS-2 a. Assign a risk designation to all organizational positions; b. Establish screening criteria for individuals filling those positions; and c. Review and update position risk designations [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PS-3 a. Screen individuals prior to authorizing access to the system; and b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. NULL United States 1
NIST 800-53 PS-3(1) Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system. NULL United States 1
NIST 800-53 PS-3(2) Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system. NULL United States 1
NIST 800-53 PS-3(3) Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that are demonstrated by assigned official government duties; and (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]. NULL United States 1
NIST 800-53 PS-3(4) Verify that individuals accessing a system processing, storing, or transmitting [Assignment: organization-defined information types] meet [Assignment: organization-defined citizenship requirements]. NULL United States 1
NIST 800-53 PS-4 Upon termination of individual employment: a. Disable system access within [Assignment: organization-defined time period]; b. Terminate or revoke any authenticators and credentials associated with the individual; c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]; d. Retrieve all security-related organizational system-related property; and e. Retain access to organizational information and systems formerly controlled by the terminated individual. NULL United States 1
NIST 800-53 PS-4(1) (a) Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. NULL United States 1
NIST 800-53 PS-4(2) Use [Assignment: organization-defined automated mechanisms] to [Selection (one or more): notify [Assignment: organization-defined personnel or roles] of individual termination actions; disable access to system resources]. NULL United States 1
NIST 800-53 PS-5 a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization; b. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]; c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and d. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 PS-6 a. Develop and document access agreements for organizational systems; b. Review and update the access agreements [Assignment: organization-defined frequency]; and c. Verify that individuals requiring access to organizational information and systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency]. Within your organisation, please select the agreements that all vendor staff, external contractors and associates who have access to user data or user content are required to sign. NULL Security - HR United States 1
NIST 800-53 PS-6(1) [Withdrawn: Incorporated into PS-3.] NULL United States 1
NIST 800-53 PS-6(2) Verify that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assigned official government duties; (b) Satisfy associated personnel security criteria; and (c) Have read, understood, and signed a nondisclosure agreement. NULL United States 1
NIST 800-53 PS-6(3) (a) Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b) Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. NULL United States 1
NIST 800-53 PS-7 a. Establish personnel security requirements, including security roles and responsibilities for external providers; b. Require external providers to comply with personnel security policies and procedures established by the organization; c. Document personnel security requirements; d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and e. Monitor provider compliance with personnel security requirements. With regard to any third-party providers that make up the solution, or provide service to you, does your organisation: - have an inventory of all third-party service providers; - regularly assess and manage the risks associated with these third-party providers; - have contractual agreements in place to ensure third-party providers adhere to your information security and privacy policies; - ensure that the contractual agreements include notification of the transfer or termination of any personnel authorised to use your organisation's systems; - monitor third party providers for compliance; - have defined and documented roles and responsibilities with regard to third party providers, including oversight of compliance; - have a classification system for these third party providers; and - have a designated internal organisation contact for each provider? NULL Security - Product Information United States 1
NIST 800-53 PS-8 a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Within your organisation, where agreements are required to be signed by vendor staff, external contractors and associates who have access to user data or user content: - are the individuals required to re-sign those agreements when they are updated; - do those agreements provide for sanctions for failure to comply; and - is there formal notification given when a sanctions process is initiated? NULL Security - HR United States 1
NIST 800-53 PS-9 Incorporate security and privacy roles and responsibilities into organizational position descriptions. NULL United States 1
NIST 800-53 PT-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personally identifiable information processing and transparency policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and c. Review and update the current personally identifiable information processing and transparency: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 PT-2 a. Determine and document the [Assignment: organization-defined authority] that permits the [Assignment: organization-defined processing] of personally identifiable information; and b. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is authorized. NULL United States 1
NIST 800-53 PT-2(1) Attach data tags containing [Assignment: organization-defined authorized processing] to [Assignment: organization-defined elements of personally identifiable information]. NULL United States 1
NIST 800-53 PT-2(2) Manage enforcement of the authorized processing of personally identifiable information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 PT-3 a. Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable information; b. Describe the purpose(s) in the public privacy notices and policies of the organization; c. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which is compatible with the identified purpose(s); and d. Monitor changes in processing personally identifiable information and implement [Assignment: organization-defined mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined requirements]. NULL United States 1
NIST 800-53 PT-3(1) Attach data tags containing the following purposes to [Assignment: organization-defined elements of personally identifiable information]: [Assignment: organization-defined processing purposes]. NULL United States 1
NIST 800-53 PT-3(2) Track processing purposes of personally identifiable information using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 PT-4 Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making. NULL United States 1
NIST 800-53 PT-4(1) Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to selected elements of personally identifiable information. NULL United States 1
NIST 800-53 PT-4(2) Present [Assignment: organization-defined consent mechanisms] to individuals at [Assignment: organization-defined frequency] and in conjunction with [Assignment: organization-defined personally identifiable information processing]. NULL United States 1
NIST 800-53 PT-4(3) Implement [Assignment: organization-defined tools or mechanisms] for individuals to revoke consent to the processing of their personally identifiable information. NULL United States 1
NIST 800-53 PT-5 Provide notice to individuals about the processing of personally identifiable information that: a. Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organization-defined frequency]; b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language; c. Identifies the authority that authorizes the processing of personally identifiable information; d. Identifies the purposes for which personally identifiable information is to be processed; and e. Includes [Assignment: organization-defined information]. NULL United States 1
NIST 800-53 PT-5(1) Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 PT-5(2) Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals. NULL United States 1
NIST 800-53 PT-6 For systems that process information that will be maintained in a Privacy Act system of records: a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review; b. Publish system of records notices in the Federal Register; and c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy. NULL United States 1
NIST 800-53 PT-6(1) Review all routine uses published in the system of records notice at [Assignment: organization-defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected. NULL United States 1
NIST 800-53 PT-6(2) Review all Privacy Act exemptions claimed for the system of records at [Assignment: organization-defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice. NULL United States 1
NIST 800-53 PT-7 Apply [Assignment: organization-defined processing conditions] for specific categories of personally identifiable information. NULL United States 1
NIST 800-53 PT-7(1) When a system processes Social Security numbers: (a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier; (b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and (c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it. NULL United States 1
NIST 800-53 PT-7(2) Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. NULL United States 1
NIST 800-53 PT-8 When a system or organization processes information for the purpose of conducting a matching program: a. Obtain approval from the Data Integrity Board to conduct the matching program; b. Develop and enter into a computer matching agreement; c. Publish a matching notice in the Federal Register; d. Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and e. Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual. NULL United States 1
NIST 800-53 RA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] risk assessment policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and c. Review and update the current risk assessment: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable); and o Residual risk ratings after implementing mitigation actions; - Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis; and - the framework is to be reviewed regularly and in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 RA-2 a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. NULL United States 1
NIST 800-53 RA-2(1) Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels. NULL United States 1
NIST 800-53 RA-3 a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system; 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment: organization-defined document]]; d. Review risk assessment results [Assignment: organization-defined frequency]; e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system. NULL United States 1
NIST 800-53 RA-3(1) (a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and system services]; and (b) Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain. NULL United States 1
NIST 800-53 RA-3(2) Use all-source intelligence to assist in the analysis of risk. NULL United States 1
NIST 800-53 RA-3(3) Determine the current cyber threat environment on an ongoing basis using [Assignment: organization-defined means]. NULL United States 1
NIST 800-53 RA-3(4) Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]. NULL United States 1
NIST 800-53 RA-4 [Withdrawn: Incorporated into RA-3.] NULL United States 1
NIST 800-53 RA-5 a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned. NULL United States 1
NIST 800-53 RA-5(1) [Withdrawn: Incorporated into RA-5.] Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing United States 1
NIST 800-53 RA-5(2) Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing United States 1
NIST 800-53 RA-5(3) Define the breadth and depth of vulnerability scanning coverage. NULL United States 1
NIST 800-53 RA-5(4) Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. NULL United States 1
NIST 800-53 RA-5(5) Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignment: organization-defined vulnerability scanning activities]. NULL United States 1
NIST 800-53 RA-5(6) Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 RA-5(7) [Withdrawn: Incorporated into CM-8.] NULL United States 1
NIST 800-53 RA-5(8) Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 RA-5(9) [Withdrawn: Incorporated into CA-8.] NULL United States 1
NIST 800-53 RA-5(10) Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors. NULL United States 1
NIST 800-53 RA-5(11) Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? NULL Security - Processes and Testing United States 1
NIST 800-53 RA-6 Employ a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; when the following events or indicators occur: [Assignment: organization-defined events or indicators]]. NULL United States 1
NIST 800-53 RA-7 Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance. NULL United States 1
NIST 800-53 RA-8 Conduct privacy impact assessments for systems, programs, or other activities before: a. Developing or procuring information technology that processes personally identifiable information; and b. Initiating a new collection of personally identifiable information that: 1. Will be processed using information technology; and 2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government. NULL United States 1
NIST 800-53 RA-9 Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. NULL United States 1
NIST 800-53 RA-10 a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls; and b. Employ the threat hunting capability [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SA-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and services acquisition policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and c. Review and update the current system and services acquisition: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. 
Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validations are required for all changes to systems before they are finalised NULL Security - Plans and Quality United States 1
NIST 800-53 SA-2 a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation. Are security and privacy requirements factored into the organisation's planning and budget and is there a discrete line item in the budget for security and privacy? NULL Security - Governance United States 1
NIST 800-53 SA-3 a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle; c. Identify individuals having information security and privacy roles and responsibilities; and d. Integrate the organizational information security and privacy risk management process into system development life cycle activities. Does the service's application development have the following characteristics:
  • Environments are separated into at least development, testing and production environments;
  • Development and modification of software only takes place in development environments;
  • Unauthorised access to the authoritative software source is prevented;
  • Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organisation's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development);
  • Applies the National Institute for Standards and Technology (NIST)’s Secure Software Development Framework (SSDF) for all software development activities;
  • Privacy-by-design principles;
  • Threat modelling is used in support of application development; and
  • Alignment to a security and privacy architecture that has been drawn up for the system?
NULL Security - Plans and Quality United States 1
NIST 800-53 SA-3(1) Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service. NULL United States 1
NIST 800-53 SA-3(2) (a) Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and (b) Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments. NULL United States 1
NIST 800-53 SA-3(3) Plan for and implement a technology refresh schedule for the system throughout the system development life cycle. NULL United States 1
NIST 800-53 SA-4 Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (one or more): standardized contract language; [Assignment: organization-defined contract language]] in the acquisition contract for the system, system component, or system service: a. Security and privacy functional requirements; b. Strength of mechanism requirements; c. Security and privacy assurance requirements; d. Controls needed to satisfy the security and privacy requirements. e. Security and privacy documentation requirements; f. Requirements for protecting security and privacy documentation; g. Description of the system development environment and environment in which the system is intended to operate; h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i. Acceptance criteria. NULL United States 1
NIST 800-53 SA-4(1) Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented. NULL United States 1
NIST 800-53 SA-4(2) Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and implementation information]] at [Assignment: organization-defined level of detail]. NULL United States 1
NIST 800-53 SA-4(3) Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (a) [Assignment: organization-defined systems engineering methods]; (b) [Assignment: organization-defined [Selection (one or more): systems security; privacy] engineering methods]; and (c) [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes]. NULL United States 1
NIST 800-53 SA-12 [Withdrawn: Incorporated into SR Family.] NULL United States 1
NIST 800-53 SA-4(5) Require the developer of the system, system component, or system service to: (a) Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (b) Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. NULL United States 1
NIST 800-53 SA-4(6) (a) Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and (b) Ensure that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures. NULL United States 1
NIST 800-53 SA-4(7) (a) Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and (b) Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved. NULL United States 1
NIST 800-53 SA-4(8) Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. NULL United States 1
NIST 800-53 SA-4(9) Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use. NULL United States 1
NIST 800-53 SA-4(10) Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems. NULL United States 1
NIST 800-53 SA-4(11) Include [Assignment: organization-defined Privacy Act requirements] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function. NULL United States 1
NIST 800-53 SA-4(12) (a) Include organizational data ownership requirements in the acquisition contract; and (b) Require all data to be removed from the contractor’s system and returned to the organization within [Assignment: organization-defined time frame]. NULL United States 1
NIST 800-53 SA-5 a. Obtain or develop administrator documentation for the system, system component, or system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security and privacy functions and mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions; b. Obtain or develop user documentation for the system, system component, or system service that describes: 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and d. Distribute documentation to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 SA-12(1) [Withdrawn: Moved to SR-5.] NULL United States 1
NIST 800-53 SA-12(10) [Withdrawn: Moved to SR-4(3).] NULL United States 1
NIST 800-53 SA-12(11) [Withdrawn: Moved to SR-6(1).] NULL United States 1
NIST 800-53 SA-12(12) [Withdrawn: Moved to SR-8.] NULL United States 1
NIST 800-53 SA-12(13) [Withdrawn: Incorporated into MA-6 and RA-9.] NULL United States 1
NIST 800-53 SA-12(14) [Withdrawn: Moved to SR-4(1) and SR-4(2).] NULL United States 1
NIST 800-53 SA-12(15) [Withdrawn: Incorporated into SR-3.] NULL United States 1
NIST 800-53 SA-8 Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles]. NULL United States 1
NIST 800-53 SA-8(1) Implement the security design principle of clear abstractions. NULL United States 1
NIST 800-53 SA-8(2) Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(3) Implement the security design principles of modularity and layering in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(4) Implement the security design principle of partially ordered dependencies in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(5) Implement the security design principle of efficiently mediated access in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(6) Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(7) Implement the security design principle of reduced complexity in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(8) Implement the security design principle of secure evolvability in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(9) Implement the security design principle of trusted components in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(10) Implement the security design principle of hierarchical trust in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(11) Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(12) Implement the security design principle of hierarchical protection in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(13) Implement the security design principle of minimized security elements in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(14) Implement the security design principle of least privilege in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(15) Implement the security design principle of predicate permission in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(16) Implement the security design principle of self-reliant trustworthiness in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(17) Implement the security design principle of secure distributed composition in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(18) Implement the security design principle of trusted communications channels in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(19) Implement the security design principle of continuous protection in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(20) Implement the security design principle of secure metadata management in [Assignment: organization-defined systems or system components]. Does your organisation have a documented and implemented data management policy that outlines the following at a minimum: - Identification of data assets; - recording of data assets in a data inventory; - data asset ownership; - tracking of data sensitivity; - handling of data; - data retention limits; - disposal requirements informed by data sensitivity and retention standards; and - is reviewed and updated annually with a priority on sensitive data? NULL Security - Plans and Quality United States 1
NIST 800-53 SA-8(21) Implement the security design principle of self-analysis in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(22) Implement the security design principle of accountability and traceability in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(23) Implement the security design principle of secure defaults in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(24) Implement the security design principle of secure failure and recovery in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(25) Implement the security design principle of economic security in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(26) Implement the security design principle of performance security in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(27) Implement the security design principle of human factored security in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(28) Implement the security design principle of acceptable security in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(29) Implement the security design principle of repeatable and documented procedures in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(30) Implement the security design principle of procedural rigor in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(31) Implement the security design principle of secure system modification in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(32) Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SA-8(33) Implement the privacy principle of minimization using [Assignment: organization-defined processes]. NULL United States 1
NIST 800-53 SA-9 a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques]. With regards to any third-party providers that make up the solution, or provide service to you, does your organisation: - have an inventory of all third-party service providers; - regularly assess and manage the risks associated with these third-party providers; - have contractual agreements in place to ensure third-party providers adhere to your information security and privacy policies; - ensure that the contractual agreements include notification of the transfer or termination of any personnel authorised to use your organisation's systems; - monitor third party providers for compliance; - have defined and documented roles and responsibilities with regard to third party providers, including oversight of compliance; - have a classification system for these third party providers; and - have a designated internal organisation contact for each provider? NULL Security - Product Information United States 1
NIST 800-53 SA-9(1) (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 SA-9(2) Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing United States 1
NIST 800-53 SA-9(3) Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [Assignment: organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships]. NULL United States 1
NIST 800-53 SA-9(4) Take the following actions to verify that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 SA-9(5) Restrict the location of [Selection (one or more): information processing; information or data; system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. NULL United States 1
NIST 800-53 SA-9(6) Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system. NULL United States 1
NIST 800-53 SA-9(7) Provide the capability to check the integrity of information while it resides in the external system. NULL United States 1
NIST 800-53 SA-9(8) Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States. NULL United States 1
NIST 800-53 SA-10 Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality United States 1
NIST 800-53 SA-10(1) Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components. NULL United States 1
NIST 800-53 SA-10(2) Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. NULL United States 1
NIST 800-53 SA-10(3) Require the developer of the system, system component, or system service to enable integrity verification of hardware components. NULL United States 1
NIST 800-53 SA-10(4) Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions. NULL United States 1
NIST 800-53 SA-10(5) Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version. NULL United States 1
NIST 800-53 SA-10(6) Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies. NULL United States 1
NIST 800-53 SA-10(7) Require [Assignment: organization-defined security and privacy representatives] to be included in the [Assignment: organization-defined configuration change management and control process]. NULL United States 1
NIST 800-53 SA-11 Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation. NULL United States 1
NIST 800-53 SA-11(1) Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. NULL United States 1
NIST 800-53 SA-11(2) Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: (a) Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels]; (b) Employs the following tools and methods: [Assignment: organization-defined tools and methods]; (c) Conducts the modeling and analyses at the following level of rigor: [Assignment: organization-defined breadth and depth of modeling and analyses]; and (d) Produces evidence that meets the following acceptance criteria: [Assignment: organization-defined acceptance criteria]. NULL United States 1
NIST 800-53 SA-11(3) (a) Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and (b) Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information. NULL United States 1
NIST 800-53 SA-11(4) Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques]. NULL United States 1
NIST 800-53 SA-11(5) Require the developer of the system, system component, or system service to perform penetration testing: (a) At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and (b) Under the following constraints: [Assignment: organization-defined constraints]. NULL United States 1
NIST 800-53 SA-11(6) Require the developer of the system, system component, or system service to perform attack surface reviews. NULL United States 1
NIST 800-53 SA-11(7) Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation]. NULL United States 1
NIST 800-53 SA-11(8) Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis. NULL United States 1
NIST 800-53 SA-11(9) Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results. NULL United States 1
NIST 800-53 SA-12(2) [Withdrawn: Moved to SR-6.] NULL United States 1
NIST 800-53 SA-12(3) [Withdrawn: Incorporated into SR-3.] NULL United States 1
NIST 800-53 SA-12(4) [Withdrawn: Moved to SR-3(1).] NULL United States 1
NIST 800-53 SA-12(5) [Withdrawn: Moved to SR-3(2).] NULL United States 1
NIST 800-53 SA-12(6) [Withdrawn: Incorporated into SR-5(1).] NULL United States 1
NIST 800-53 SA-12(7) [Withdrawn: Moved to SR-5(2).] NULL United States 1
NIST 800-53 SA-12(8) [Withdrawn: Incorporated into RA-3(2).] NULL United States 1
NIST 800-53 SA-12(9) [Withdrawn: Moved to SR-7.] NULL United States 1
NIST 800-53 SA-13 [Withdrawn: Incorporated into SA-8.] NULL United States 1
NIST 800-53 SA-14 [Withdrawn: Incorporated into RA-9.] NULL United States 1
NIST 800-53 SA-14(1) [Withdrawn: Incorporated into SA-20.] NULL United States 1
NIST 800-53 SA-15(4) [Withdrawn: Incorporated into SA-11(2).] NULL United States 1
NIST 800-53 SA-15(9) [Withdrawn: Incorporated into SA-3(2).] NULL United States 1
NIST 800-53 SA-18 [Withdrawn: Moved to SR-9.] NULL United States 1
NIST 800-53 SA-18(1) [Withdrawn: Moved to SR-9(1).] NULL United States 1
NIST 800-53 SA-18(2) [Withdrawn: Moved to SR-10.] NULL United States 1
NIST 800-53 SA-19 [Withdrawn: Moved to SR-11.] NULL United States 1
NIST 800-53 SA-19(1) [Withdrawn: Moved to SR-11(1).] NULL United States 1
NIST 800-53 SA-19(2) [Withdrawn: Moved to SR-11(2).] NULL United States 1
NIST 800-53 SA-15 a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]. NULL United States 1
NIST 800-53 SA-15(1) Require the developer of the system, system component, or system service to: (a) Define quality metrics at the beginning of the development process; and (b) Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery]. NULL United States 1
NIST 800-53 SA-15(2) Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process. NULL United States 1
NIST 800-53 SA-15(3) Require the developer of the system, system component, or system service to perform a criticality analysis: (a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis]. NULL United States 1
NIST 800-53 SA-19(3) [Withdrawn: Moved to SR-12.] NULL United States 1
NIST 800-53 SA-15(5) Require the developer of the system, system component, or system service to reduce attack surfaces to [Assignment: organization-defined thresholds]. NULL United States 1
NIST 800-53 SA-15(6) Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process. NULL United States 1
NIST 800-53 SA-15(7) Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to: (a) Perform an automated vulnerability analysis using [Assignment: organization-defined tools]; (b) Determine the exploitation potential for discovered vulnerabilities; (c) Determine potential risk mitigations for delivered vulnerabilities; and (d) Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 SA-15(8) Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process. NULL United States 1
NIST 800-53 SA-19(4) [Withdrawn: Moved to SR-11(3).] NULL United States 1
NIST 800-53 SA-15(10) Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan. NULL United States 1
NIST 800-53 SA-15(11) Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review. NULL United States 1
NIST 800-53 SA-15(12) Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments. NULL United States 1
NIST 800-53 SA-16 Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: [Assignment: organization-defined training]. NULL United States 1
NIST 800-53 SA-17 Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: a. Is consistent with the organization’s security and privacy architecture that is an integral part of the organization’s enterprise architecture; b. Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and c. Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection. NULL United States 1
NIST 800-53 SA-17(1) Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security and privacy policy] to be enforced; and (b) Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented. NULL United States 1
NIST 800-53 SA-17(2) Require the developer of the system, system component, or system service to: (a) Define security-relevant hardware, software, and firmware; and (b) Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. NULL United States 1
NIST 800-53 SA-17(3) Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; (b) Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model; (c) Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; (d) Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware. NULL United States 1
NIST 800-53 SA-17(4) Require the developer of the system, system component, or system service to: (a) Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects; (b) Show via [Selection: informal demonstration; convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model; (c) Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware; (d) Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and (e) Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware. NULL United States 1
NIST 800-53 SA-17(5) Require the developer of the system, system component, or system service to: (a) Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and (b) Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism. NULL United States 1
NIST 800-53 SA-17(6) Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing. NULL United States 1
NIST 800-53 SA-17(7) Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege. NULL United States 1
NIST 800-53 SA-17(8) Design [Assignment: organization-defined critical systems or system components] with coordinated behavior to implement the following capabilities: [Assignment: organization-defined capabilities, by system or component]. NULL United States 1
NIST 800-53 SA-17(9) Use different designs for [Assignment: organization-defined critical systems or system components] to satisfy a common set of requirements or to provide equivalent functionality. NULL United States 1
NIST 800-53 SA-21(1) [Withdrawn: Incorporated into SA-21.] NULL United States 1
NIST 800-53 SA-22(1) [Withdrawn: Incorporated into SA-22.] NULL United States 1
NIST 800-53 SA-4(4) [Withdrawn: Incorporated into CM-8(9).] NULL United States 1
NIST 800-53 SA-5(1) [Withdrawn: Incorporated into SA-4(1).] NULL United States 1
NIST 800-53 SA-5(2) [Withdrawn: Incorporated into SA-4(2).] NULL United States 1
NIST 800-53 SA-5(3) [Withdrawn: Incorporated into SA-4(2).] NULL United States 1
NIST 800-53 SA-5(4) [Withdrawn: Incorporated into SA-4(2).] NULL United States 1
NIST 800-53 SA-5(5) [Withdrawn: Incorporated into SA-4(2).] NULL United States 1
NIST 800-53 SA-20 Reimplement or custom develop the following critical system components: [Assignment: organization-defined critical system components]. NULL United States 1
NIST 800-53 SA-21 Require that the developer of [Assignment: organization-defined system, system component, or system service]: a. Has appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and b. Satisfies the following additional personnel screening criteria: [Assignment: organization-defined additional personnel screening criteria]. NULL United States 1
NIST 800-53 SA-6 [Withdrawn: Incorporated into CM-10 and SI-7.] NULL United States 1
NIST 800-53 SA-22 a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or b. Provide the following options for alternative sources for continued support for unsupported components [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]]. NULL United States 1
NIST 800-53 SA-7 [Withdrawn: Incorporated into CM-11 and SI-7.] NULL United States 1
NIST 800-53 SA-23 Employ [Selection (one or more): design; modification; augmentation; reconfiguration] on [Assignment: organization-defined systems or system components] supporting mission essential services or functions to increase the trustworthiness in those systems or components. NULL United States 1
NIST 800-53 SC-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and communications protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and c. Review and update the current system and communications protection: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks, with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable); and o Residual risk ratings after implementing mitigation actions; - Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis; and - Regular review of the framework, including in response to security incidents? NULL Security - Plans and Quality United States 1
NIST 800-53 SC-2 Separate user functionality, including user interface services, from system management functionality. NULL United States 1
NIST 800-53 SC-2(1) Prevent the presentation of system management functionality at interfaces to non-privileged users. NULL United States 1
NIST 800-53 SC-2(2) Store state information from applications and software separately. NULL United States 1
NIST 800-53 SC-3 Isolate security functions from nonsecurity functions. NULL United States 1
NIST 800-53 SC-3(1) Employ hardware separation mechanisms to implement security function isolation. NULL United States 1
NIST 800-53 SC-3(2) Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions. NULL United States 1
NIST 800-53 SC-3(3) Minimize the number of nonsecurity functions included within the isolation boundary containing security functions. NULL United States 1
NIST 800-53 SC-3(4) Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules. NULL United States 1
NIST 800-53 SC-3(5) Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. NULL United States 1
NIST 800-53 SC-4 Prevent unauthorized and unintended information transfer via shared system resources. NULL United States 1
NIST 800-53 SC-12(4) [Withdrawn: Incorporated into SC-12(3).] NULL United States 1
NIST 800-53 SC-4(2) Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories. NULL United States 1
NIST 800-53 SC-5 a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]. NULL United States 1
NIST 800-53 SC-5(1) Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]. NULL United States 1
NIST 800-53 SC-5(2) Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks. NULL United States 1
NIST 800-53 SC-5(3) (a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and (b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]. NULL United States 1
NIST 800-53 SC-6 Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]]. NULL United States 1
NIST 800-53 SC-7 a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. NULL United States 1
NIST 800-53 SC-12(5) [Withdrawn: Incorporated into SC-12(3).] NULL United States 1
NIST 800-53 SC-13(1) [Withdrawn: Incorporated into SC-13.] NULL United States 1
NIST 800-53 SC-7(3) Limit the number of external network connections to the system. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organisation's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and • Periodic scan of organisational file storage and real-time scans of files from external sources? NULL Security - Technical United States 1
NIST 800-53 SC-7(4) (a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organisation's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and • Periodic scan of organisational file storage and real-time scans of files from external sources? NULL Security - Technical United States 1
NIST 800-53 SC-7(5) Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]. NULL United States 1
NIST 800-53 SC-13(2) [Withdrawn: Incorporated into SC-13.] NULL United States 1
NIST 800-53 SC-7(7) Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]. NULL United States 1
NIST 800-53 SC-7(8) Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. NULL United States 1
NIST 800-53 SC-7(9) (a) Detect and deny outgoing communications traffic posing a threat to external systems; and (b) Audit the identity of internal users associated with denied communications. NULL United States 1
NIST 800-53 SC-7(10) (a) Prevent the exfiltration of information; and (b) Conduct exfiltration tests [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SC-7(11) Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]. NULL United States 1
NIST 800-53 SC-7(12) Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]. NULL United States 1
NIST 800-53 SC-7(13) Isolate [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system. NULL United States 1
NIST 800-53 SC-7(14) Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces]. NULL United States 1
NIST 800-53 SC-7(15) Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. NULL United States 1
NIST 800-53 SC-7(16) Prevent the discovery of specific system components that represent a managed interface. NULL United States 1
NIST 800-53 SC-7(17) Enforce adherence to protocol formats. NULL United States 1
NIST 800-53 SC-7(18) Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device. NULL United States 1
NIST 800-53 SC-7(19) Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers. NULL United States 1
NIST 800-53 SC-7(20) Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components. NULL United States 1
NIST 800-53 SC-7(21) Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. NULL United States 1
NIST 800-53 SC-7(22) Implement separate network addresses to connect to systems in different security domains. NULL United States 1
NIST 800-53 SC-7(23) Disable feedback to senders on protocol format validation failure. NULL United States 1
NIST 800-53 SC-7(24) For systems that process personally identifiable information: (a) Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules]; (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; (c) Document each processing exception; and (d) Review and remove exceptions that are no longer supported. NULL United States 1
NIST 800-53 SC-7(25) Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. NULL United States 1
NIST 800-53 SC-7(26) Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]. NULL United States 1
NIST 800-53 SC-7(27) Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. NULL United States 1
NIST 800-53 SC-7(28) Prohibit the direct connection of [Assignment: organization-defined system] to a public network. NULL United States 1
NIST 800-53 SC-7(29) Implement [Selection: physically; logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions]. NULL United States 1
NIST 800-53 SC-8 Protect the [Selection (one or more): confidentiality; integrity] of transmitted information. NULL United States 1
NIST 800-53 SC-8(1) Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission. NULL United States 1
NIST 800-53 SC-8(2) Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. NULL United States 1
NIST 800-53 SC-8(3) Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]. NULL United States 1
NIST 800-53 SC-8(4) Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]. NULL United States 1
NIST 800-53 SC-8(5) Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission. NULL United States 1
NIST 800-53 SC-13(3) [Withdrawn: Incorporated into SC-13.] NULL United States 1
NIST 800-53 SC-10 Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. NULL United States 1
NIST 800-53 SC-11 a. Provide a [Selection: physically; logically] isolated trusted communications path for communications between the user and the trusted components of the system; and b. Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions]. NULL United States 1
NIST 800-53 SC-11(1) (a) Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and (b) Initiate the trusted communications path for communications between the [Assignment: organization-defined security functions] of the system and the user. NULL United States 1
NIST 800-53 SC-12 Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. NULL United States 1
NIST 800-53 SC-12(1) Maintain availability of information in the event of the loss of cryptographic keys by users. NULL United States 1
NIST 800-53 SC-12(2) Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes. NULL United States 1
NIST 800-53 SC-12(3) Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements]. NULL United States 1
NIST 800-53 SC-13(4) [Withdrawn: Incorporated into SC-13.] NULL United States 1
NIST 800-53 SC-14 [Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, and SI-10.] NULL United States 1
NIST 800-53 SC-12(6) Maintain physical control of cryptographic keys when stored information is encrypted by external service providers. NULL United States 1
NIST 800-53 SC-13 a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]. NULL United States 1
NIST 800-53 SC-15(2) [Withdrawn: Incorporated into SC-7.] NULL United States 1
NIST 800-53 SC-19 [Withdrawn: Technology-specific; addressed as any other technology or protocol.] NULL United States 1
NIST 800-53 SC-20(1) [Withdrawn: Incorporated into SC-20.] NULL United States 1
NIST 800-53 SC-21(1) [Withdrawn: Incorporated into SC-21.] NULL United States 1
NIST 800-53 SC-23(2) [Withdrawn: Incorporated into AC-12(1).] NULL United States 1
NIST 800-53 SC-15 a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provide an explicit indication of use to users physically present at the devices. NULL United States 1
NIST 800-53 SC-15(1) Provide [Selection (one or more): physical; logical] disconnect of collaborative computing devices in a manner that supports ease of use. NULL United States 1
NIST 800-53 SC-23(4) [Withdrawn: Incorporated into SC-23(3).] NULL United States 1
NIST 800-53 SC-15(3) Disable or remove collaborative computing devices and applications from [Assignment: organization-defined systems or system components] in [Assignment: organization-defined secure work areas]. NULL United States 1
NIST 800-53 SC-15(4) Provide an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences]. NULL United States 1
NIST 800-53 SC-16 Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components. NULL United States 1
NIST 800-53 SC-16(1) Verify the integrity of transmitted security and privacy attributes. NULL United States 1
NIST 800-53 SC-16(2) Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process. NULL United States 1
NIST 800-53 SC-16(3) Implement [Assignment: organization-defined mechanisms or techniques] to bind security and privacy attributes to transmitted information. NULL United States 1
NIST 800-53 SC-17 a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and b. Include only approved trust anchors in trust stores or certificate stores managed by the organization. NULL United States 1
NIST 800-53 SC-18 a. Define acceptable and unacceptable mobile code and mobile code technologies; and b. Authorize, monitor, and control the use of mobile code within the system. NULL United States 1
NIST 800-53 SC-18(1) Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions]. NULL United States 1
NIST 800-53 SC-18(2) Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. NULL United States 1
NIST 800-53 SC-18(3) Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code]. NULL United States 1
NIST 800-53 SC-18(4) Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code. NULL United States 1
NIST 800-53 SC-18(5) Allow execution of permitted mobile code only in confined virtual machine environments. NULL United States 1
NIST 800-53 SC-26(1) [Withdrawn: Incorporated into SC-35.] NULL United States 1
NIST 800-53 SC-20 a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. Has your organisation implemented the following perimeter controls: • External firewall; • Host-based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL-based filters; and • Organisation assets are configured to use trusted DNS servers? • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organisation's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United States 1
NIST 800-53 SC-30(1) [Withdrawn: Incorporated into SC-29(1).] NULL United States 1
NIST 800-53 SC-20(2) Provide data origin and integrity protection artifacts for internal name/address resolution queries. NULL United States 1
NIST 800-53 SC-21 Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. Has your organisation implemented the following perimeter controls: • External firewall; • Host-based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL-based filters; and • Organisation assets are configured to use trusted DNS servers? • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organisation's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United States 1
NIST 800-53 SC-33 [Withdrawn: Incorporated into SC-8.] NULL United States 1
NIST 800-53 SC-22 Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. Has your organisation implemented the following perimeter controls: • External firewall; • Host-based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL-based filters; and • Organisation assets are configured to use trusted DNS servers? • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organisation's wireless network? • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United States 1
NIST 800-53 SC-23 Protect the authenticity of communications sessions. NULL United States 1
NIST 800-53 SC-23(1) Invalidate session identifiers upon user logout or other session termination. NULL United States 1
NIST 800-53 SC-34(3) [Withdrawn: Moved to SC-51.] NULL United States 1
NIST 800-53 SC-23(3) Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated. NULL United States 1
NIST 800-53 SC-4(1) [Withdrawn: Incorporated into SC-4.] NULL United States 1
NIST 800-53 SC-23(5) Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions. NULL United States 1
NIST 800-53 SC-24 Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components]. NULL United States 1
NIST 800-53 SC-25 Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]. NULL United States 1
NIST 800-53 SC-26 Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks. NULL United States 1
NIST 800-53 SC-42(3) [Withdrawn: Incorporated into SC-42.] NULL United States 1
NIST 800-53 SC-27 Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications]. NULL United States 1
NIST 800-53 SC-28 Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. NULL United States 1
NIST 800-53 SC-28(1) Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]. NULL United States 1
NIST 800-53 SC-28(2) Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]. NULL United States 1
NIST 800-53 SC-28(3) Provide protected storage for cryptographic keys [Selection: [Assignment: organization-defined safeguards]; hardware-protected key store]. NULL United States 1
NIST 800-53 SC-29 Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components]. NULL United States 1
NIST 800-53 SC-29(1) Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SC-30 Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques]. NULL United States 1
NIST 800-53 SC-7(1) [Withdrawn: Incorporated into SC-7.] NULL United States 1
NIST 800-53 SC-30(2) Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets. NULL United States 1
NIST 800-53 SC-30(3) Change the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]]. NULL United States 1
NIST 800-53 SC-30(4) Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture. NULL United States 1
NIST 800-53 SC-30(5) Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques]. NULL United States 1
NIST 800-53 SC-31 a. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and b. Estimate the maximum bandwidth of those channels. NULL United States 1
NIST 800-53 SC-31(1) Test a subset of the identified covert channels to determine the channels that are exploitable. NULL United States 1
NIST 800-53 SC-31(2) Reduce the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values]. NULL United States 1
NIST 800-53 SC-31(3) Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system. NULL United States 1
NIST 800-53 SC-32 Partition the system into [Assignment: organization-defined system components] residing in separate [Selection: physical; logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components]. NULL United States 1
NIST 800-53 SC-32(1) Partition privileged functions into separate physical domains. NULL United States 1
NIST 800-53 SC-7(2) [Withdrawn: Incorporated into SC-7.] NULL United States 1
NIST 800-53 SC-34 For [Assignment: organization-defined system components], load and execute: a. The operating environment from hardware-enforced, read-only media; and b. The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications]. NULL United States 1
NIST 800-53 SC-34(1) Employ [Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off. NULL United States 1
NIST 800-53 SC-34(2) Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media. NULL United States 1
NIST 800-53 SC-7(6) [Withdrawn: Incorporated into SC-7(18).] NULL United States 1
NIST 800-53 SC-35 Include system components that proactively seek to identify network-based malicious code or malicious websites. NULL United States 1
NIST 800-53 SC-36 Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]. NULL United States 1
NIST 800-53 SC-36(1) (a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]; and (b) Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 SC-36(2) Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components]. NULL United States 1
NIST 800-53 SC-37 Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels]. NULL United States 1
NIST 800-53 SC-37(1) Employ [Assignment: organization-defined controls] to ensure that only [Assignment: organization-defined individuals or systems] receive the following information, system components, or devices: [Assignment: organization-defined information, system components, or devices]. NULL United States 1
NIST 800-53 SC-38 Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls]. NULL United States 1
NIST 800-53 SC-39 Maintain a separate execution domain for each executing system process. For the service, is a separate, sandboxed execution domain maintained for each executing system process? NULL Security - Technical United States 1
NIST 800-53 SC-39(1) Implement hardware separation mechanisms to facilitate process isolation. NULL United States 1
NIST 800-53 SC-39(2) Maintain a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing]. NULL United States 1
NIST 800-53 SC-40 Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks]. NULL United States 1
NIST 800-53 SC-40(1) Implement cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference. NULL United States 1
NIST 800-53 SC-40(2) Implement cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction]. NULL United States 1
NIST 800-53 SC-40(3) Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. NULL United States 1
NIST 800-53 SC-40(4) Implement cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters. NULL United States 1
NIST 800-53 SC-41 [Selection: Physically; Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SC-42 a. Prohibit [Selection (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]]; and b. Provide an explicit indication of sensor use to [Assignment: organization-defined group of users]. NULL United States 1
NIST 800-53 SC-42(1) Verify that the system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles. NULL United States 1
NIST 800-53 SC-42(2) Employ the following measures so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes: [Assignment: organization-defined measures]. NULL United States 1
NIST 800-53 SC-9 [Withdrawn: Incorporated into SC-8.] NULL United States 1
NIST 800-53 SC-42(4) Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by [Assignment: organization-defined sensors]: [Assignment: organization-defined measures]. NULL United States 1
NIST 800-53 SC-42(5) Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed. NULL United States 1
NIST 800-53 SC-43 a. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b. Authorize, monitor, and control the use of such components within the system. NULL United States 1
NIST 800-53 SC-44 Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location]. NULL United States 1
NIST 800-53 SC-45 Synchronize system clocks within and between systems and system components. NULL United States 1
NIST 800-53 SC-45(1) (a) Compare the internal system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 SC-45(2) (a) Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and (b) Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable. NULL United States 1
NIST 800-53 SC-46 Implement a policy enforcement mechanism [Selection: physically; logically] between the physical and/or network interfaces for the connecting security domains. NULL United States 1
NIST 800-53 SC-47 Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control. NULL United States 1
NIST 800-53 SC-48 Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances]. NULL United States 1
NIST 800-53 SC-48(1) Dynamically relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances]. NULL United States 1
NIST 800-53 SC-49 Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains]. NULL United States 1
NIST 800-53 SC-50 Implement software-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains]. NULL United States 1
NIST 800-53 SC-51 a. Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and b. Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode. NULL United States 1
NIST 800-53 SI-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for. Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori NULL Security - Plans and Quality United States 1
NIST 800-53 SI-2 a. Identify, report, and correct system flaws; b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporate flaw remediation into the organizational configuration management process. NULL United States 1
NIST 800-53 SI-13(2) [Withdrawn: Incorporated into SI-7(16).] NULL United States 1
NIST 800-53 SI-2(2) Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SI-2(3) (a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]. NULL United States 1
NIST 800-53 SI-2(4) Employ automated patch management tools to facilitate flaw remediation to the following system components: [Assignment: organization-defined system components]. NULL United States 1
NIST 800-53 SI-2(5) Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]. NULL United States 1
NIST 800-53 SI-2(6) Remove previous versions of [Assignment: organization-defined software and firmware components] after updated versions have been installed. NULL United States 1
NIST 800-53 SI-3 a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. NULL United States 1
NIST 800-53 SI-2(1) [Withdrawn: Incorporated into PL-9.] NULL United States 1
NIST 800-53 SI-3(1) [Withdrawn: Incorporated into PL-9.] NULL United States 1
NIST 800-53 SI-3(2) [Withdrawn: Incorporated into SI-3.] NULL United States 1
NIST 800-53 SI-3(4) Update malicious code protection mechanisms only when directed by a privileged user. NULL United States 1
NIST 800-53 SI-3(3) [Withdrawn: Incorporated into AC-6(10).] NULL United States 1
NIST 800-53 SI-3(6) (a) Test malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing known benign code into the system; and (b) Verify that the detection of the code and the associated incident reporting occur. NULL United States 1
NIST 800-53 SI-3(5) [Withdrawn: Incorporated into MP-7.] NULL United States 1
NIST 800-53 SI-3(8) (a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and (b) [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]. NULL United States 1
NIST 800-53 SI-3(7) [Withdrawn: Incorporated into SI-3.] NULL United States 1
NIST 800-53 SI-3(10) (a) Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [Assignment: organization-defined tools and techniques]; and (b) Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes. NULL United States 1
NIST 800-53 SI-4 a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. NULL United States 1
NIST 800-53 SI-4(1) Connect and configure individual intrusion detection tools into a system-wide intrusion detection system. NULL United States 1
NIST 800-53 SI-4(2) Employ automated tools and mechanisms to support near real-time analysis of events. NULL United States 1
NIST 800-53 SI-4(3) Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms. NULL United States 1
NIST 800-53 SI-4(4) (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. NULL United States 1
NIST 800-53 SI-4(5) Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned - monitoring of compliance by third party providers - a listing of all functions, ports and services in use - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures - reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United States 1
NIST 800-53 SI-3(9) [Withdrawn: Moved to AC-17(10).] NULL United States 1
NIST 800-53 SI-4(7) (a) Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and (b) Take the following actions upon detection: [Assignment: organization-defined least-disruptive actions to terminate suspicious events]. NULL United States 1
NIST 800-53 SI-4(6) [Withdrawn: Incorporated into AC-6(10).] NULL United States 1
NIST 800-53 SI-4(9) Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SI-4(10) Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]. NULL United States 1
NIST 800-53 SI-4(11) Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies. NULL United States 1
NIST 800-53 SI-4(12) Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]. NULL United States 1
NIST 800-53 SI-4(13) (a) Analyze communications traffic and event patterns for the system; (b) Develop profiles representing common traffic and event patterns; and (c) Use the traffic and event profiles in tuning system-monitoring devices. NULL United States 1
NIST 800-53 SI-4(14) Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system. NULL United States 1
NIST 800-53 SI-4(15) Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. NULL United States 1
NIST 800-53 SI-4(16) Correlate information from monitoring tools and mechanisms employed throughout the system. NULL United States 1
NIST 800-53 SI-4(17) Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. NULL United States 1
NIST 800-53 SI-4(18) Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. NULL United States 1
NIST 800-53 SI-4(19) Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk. NULL United States 1
NIST 800-53 SI-4(20) Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. NULL United States 1
NIST 800-53 SI-4(21) Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring]. NULL United States 1
NIST 800-53 SI-4(22) (a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and (b) [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. NULL United States 1
NIST 800-53 SI-4(23) Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]. NULL United States 1
NIST 800-53 SI-4(24) Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. NULL United States 1
NIST 800-53 SI-4(25) Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices. NULL United States 1
NIST 800-53 SI-5 a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. NULL United States 1
NIST 800-53 SI-5(1) Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 SI-6 a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; c. Alert [Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. NULL United States 1
NIST 800-53 SI-4(8) [Withdrawn: Incorporated into SI-4.] NULL United States 1
NIST 800-53 SI-6(2) Implement automated mechanisms to support the management of distributed security and privacy function testing. NULL United States 1
NIST 800-53 SI-6(3) Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 SI-7 a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]. NULL United States 1
NIST 800-53 SI-7(1) Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]. NULL United States 1
NIST 800-53 SI-7(2) Employ automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification. NULL United States 1
NIST 800-53 SI-7(3) Employ centrally managed integrity verification tools. NULL United States 1
NIST 800-53 SI-6(1) [Withdrawn: Incorporated into SI-6.] NULL United States 1
NIST 800-53 SI-7(5) Automatically [Selection (one or more): shut the system down; restart the system; implement [Assignment: organization-defined controls]] when integrity violations are discovered. NULL United States 1
NIST 800-53 SI-7(6) Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information. NULL United States 1
NIST 800-53 SI-7(7) Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]. NULL United States 1
NIST 800-53 SI-7(8) Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]. NULL United States 1
NIST 800-53 SI-7(9) Verify the integrity of the boot process of the following system components: [Assignment: organization-defined system components]. NULL United States 1
NIST 800-53 SI-7(10) Implement the following mechanisms to protect the integrity of boot firmware in [Assignment: organization-defined system components]: [Assignment: organization-defined mechanisms]. NULL United States 1
NIST 800-53 SI-7(11) [Withdrawn: Moved to CM-7(6).] NULL United States 1
NIST 800-53 SI-7(12) Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software]. NULL United States 1
NIST 800-53 SI-7(13) [Withdrawn: Moved to CM-7(7).] NULL United States 1
NIST 800-53 SI-7(14) [Withdrawn: Moved to CM-7(8).] NULL United States 1
NIST 800-53 SI-7(15) Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components]. NULL United States 1
NIST 800-53 SI-7(16) Prohibit processes from executing without supervision for more than [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 SI-7(17) Implement [Assignment: organization-defined controls] for application self-protection at runtime. NULL United States 1
NIST 800-53 SI-8 a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. NULL United States 1
NIST 800-53 SI-7(4) [Withdrawn: Incorporated into SR-9.] NULL United States 1
NIST 800-53 SI-8(2) Automatically update spam protection mechanisms [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SI-8(3) Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic. NULL United States 1
NIST 800-53 SI-8(1) [Withdrawn: Incorporated into PL-9.] NULL United States 1
NIST 800-53 SI-10 Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]. NULL United States 1
NIST 800-53 SI-10(1) (a) Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; (b) Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and (c) Audit the use of the manual override capability. NULL United States 1
NIST 800-53 SI-10(2) Review and resolve input validation errors within [Assignment: organization-defined time period]. NULL United States 1
NIST 800-53 SI-10(3) Verify that the system behaves in a predictable and documented manner when invalid inputs are received. NULL United States 1
NIST 800-53 SI-10(4) Account for timing interactions among system components in determining appropriate responses for invalid inputs. NULL United States 1
NIST 800-53 SI-10(5) Restrict the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats]. NULL United States 1
NIST 800-53 SI-10(6) Prevent untrusted data injections. NULL United States 1
NIST 800-53 SI-11 a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]. NULL United States 1
NIST 800-53 SI-12 Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements. NULL United States 1
NIST 800-53 SI-12(1) Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: [Assignment: organization-defined elements of personally identifiable information]. NULL United States 1
NIST 800-53 SI-12(2) Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [Assignment: organization-defined techniques]. NULL United States 1
NIST 800-53 SI-12(3) Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques]. NULL United States 1
NIST 800-53 SI-13 a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b. Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria]. NULL United States 1
NIST 800-53 SI-13(1) Take system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure. NULL United States 1
NIST 800-53 SI-9 [Withdrawn: Incorporated into AC-2, AC-3, AC-5, and AC-6.] NULL United States 1
NIST 800-53 SI-13(3) Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure. NULL United States 1
NIST 800-53 SI-13(4) If system component failures are detected: (a) Ensure that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and (b) [Selection (one or more): Activate [Assignment: organization-defined alarm]; Automatically shut down the system; [Assignment: organization-defined action]]. NULL United States 1
NIST 800-53 SI-13(5) Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system. NULL United States 1
NIST 800-53 SI-14 Implement non-persistent [Assignment: organization-defined system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]]. NULL United States 1
NIST 800-53 SI-14(1) Obtain software and data employed during system component and service refreshes from the following trusted sources: [Assignment: organization-defined trusted sources]. NULL United States 1
NIST 800-53 SI-14(2) (a) [Selection: Refresh [Assignment: organization-defined information][Assignment: organization-defined frequency]; Generate [Assignment: organization-defined information] on demand]; and (b) Delete information when no longer needed. NULL United States 1
NIST 800-53 SI-14(3) Establish connections to the system on demand and terminate connections after [Selection: completion of a request; a period of non-use]. NULL United States 1
NIST 800-53 SI-15 Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [Assignment: organization-defined software programs and/or applications]. NULL United States 1
NIST 800-53 SI-16 Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. For the service, is system memory protected from unauthorised code execution (e.g. data execution prevention, address space layout randomisation)? NULL Security - Technical United States 1
NIST 800-53 SI-17 Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures]. NULL United States 1
NIST 800-53 SI-18 a. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and b. Correct or delete inaccurate or outdated personally identifiable information. NULL United States 1
NIST 800-53 SI-18(1) Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [Assignment: organization-defined automated mechanisms]. NULL United States 1
NIST 800-53 SI-18(2) Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems. NULL United States 1
NIST 800-53 SI-18(3) Collect personally identifiable information directly from the individual. NULL United States 1
NIST 800-53 SI-18(4) Correct or delete personally identifiable information upon request by individuals or their designated representatives. NULL United States 1
NIST 800-53 SI-18(5) Notify [Assignment: organization-defined recipients of personally identifiable information] and individuals that the personally identifiable information has been corrected or deleted. NULL United States 1
NIST 800-53 SI-19 a. Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b. Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification. NULL United States 1
NIST 800-53 SI-19(1) De-identify the dataset upon collection by not collecting personally identifiable information. NULL United States 1
NIST 800-53 SI-19(2) Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived. NULL United States 1
NIST 800-53 SI-19(3) Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release. NULL United States 1
NIST 800-53 SI-19(4) Remove, mask, encrypt, hash, or replace direct identifiers in a dataset. NULL United States 1
NIST 800-53 SI-19(5) Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis. NULL United States 1
NIST 800-53 SI-19(6) Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported. NULL United States 1
NIST 800-53 SI-19(7) Perform de-identification using validated algorithms and software that is validated to implement the algorithms. NULL United States 1
NIST 800-53 SI-19(8) Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified. NULL United States 1
NIST 800-53 SI-20 Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SI-21 Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed. NULL United States 1
NIST 800-53 SI-22 a. Identify the following alternative sources of information for [Assignment: organization-defined essential functions and services]: [Assignment: organization-defined alternative information sources]; and b. Use an alternative information source for the execution of essential functions or services on [Assignment: organization-defined systems or system components] when the primary source of information is corrupted or unavailable. NULL United States 1
NIST 800-53 SI-23 Based on [Assignment: organization-defined circumstances]: a. Fragment the following information: [Assignment: organization-defined information]; and b. Distribute the fragmented information across the following systems or system components: [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SR-1 a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] supply chain risk management policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and c. Review and update the current supply chain risk management: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. NULL United States 1
NIST 800-53 SR-2 a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: [Assignment: organization-defined systems, system components, or system services]; b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as required, to address threat, organizational or environmental changes; and c. Protect the supply chain risk management plan from unauthorized disclosure and modification. NULL United States 1
NIST 800-53 SR-2(1) Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. NULL United States 1
NIST 800-53 SR-3 a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [Assignment: organization-defined system or system component] in coordination with [Assignment: organization-defined supply chain personnel]; b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls]; and c. Document the selected and implemented supply chain processes and controls in [Selection: security and privacy plans; supply chain risk management plan; [Assignment: organization-defined document]]. NULL United States 1
NIST 800-53 SR-3(1) Employ a diverse set of sources for the following system components and services: [Assignment: organization-defined system components and services]. NULL United States 1
NIST 800-53 SR-3(2) Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [Assignment: organization-defined controls]. NULL United States 1
NIST 800-53 SR-3(3) Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors. NULL United States 1
NIST 800-53 SR-4 Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [Assignment: organization-defined systems, system components, and associated data]. NULL United States 1
NIST 800-53 SR-4(1) Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [Assignment: organization-defined supply chain elements, processes, and personnel associated with organization-defined systems and critical system components]. NULL United States 1
NIST 800-53 SR-4(2) Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [Assignment: organization-defined systems and critical system components]. NULL United States 1
NIST 800-53 SR-4(3) Employ the following controls to validate that the system or system component received is genuine and has not been altered: [Assignment: organization-defined controls]. NULL United States 1
NIST 800-53 SR-4(4) Employ [Assignment: organization-defined controls] and conduct [Assignment: organization-defined analysis] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. NULL United States 1
NIST 800-53 SR-5 Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods]. NULL United States 1
NIST 800-53 SR-5(1) Employ the following controls to ensure an adequate supply of [Assignment: organization-defined critical system components]: [Assignment: organization-defined controls]. NULL United States 1
NIST 800-53 SR-5(2) Assess the system, system component, or system service prior to selection, acceptance, modification, or update. NULL United States 1
NIST 800-53 SR-6 Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SR-6(1) Employ [Selection (one or more): organizational analysis; independent third-party analysis; organizational testing; independent third-party testing] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [Assignment: organization-defined supply chain elements, processes, and actors]. NULL United States 1
NIST 800-53 SR-7 Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [Assignment: organization-defined Operations Security (OPSEC) controls]. NULL United States 1
NIST 800-53 SR-8 Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]]. NULL United States 1
NIST 800-53 SR-9 Implement a tamper protection program for the system, system component, or system service. NULL United States 1
NIST 800-53 SR-9(1) Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle. NULL United States 1
NIST 800-53 SR-10 Inspect the following systems or system components [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined systems or system components]. NULL United States 1
NIST 800-53 SR-11 a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]]. NULL United States 1
NIST 800-53 SR-11(1) Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hardware, software, and firmware). NULL United States 1
NIST 800-53 SR-11(2) Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. NULL United States 1
NIST 800-53 SR-11(3) Scan for counterfeit system components [Assignment: organization-defined frequency]. NULL United States 1
NIST 800-53 SR-12 Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods]. NULL United States 1
CIS 9.2 Use DNS filtering services on all enterprise assets to block access to known malicious domains. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources Devices Security - Technical United States 1
AUISM 585 For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the ICT equipment involved are recorded. NULL Australia
UKCE A1.1 What is your organisation's name (for companies: as registered with Companies House)? NULL United Kingdom
UKCE A1.2 What type of organisation are you? NULL United Kingdom
UKCE A1.3 What is your organisation's registration number (if you have one)? NULL United Kingdom
UKCE A1.4 What is your organisation's address (for companies: as registered with Companies House)? NULL United Kingdom
UKCE A1.5 What is your main business? NULL United Kingdom
UKCE A1.6 What is your website address? NULL United Kingdom
UKCE A1.7 Is this application a renewal of an existing certification or is it the first time you have applied for certification? NULL United Kingdom
UKCE A1.8 What is your primary reason for applying for certification? NULL United Kingdom
UKCE A1.8.1 What is your secondary reason for applying for certification? NULL United Kingdom
UKCE A1.9 Have you read the 'Cyber Essentials Requirements for IT Infrastructure' document? NULL United Kingdom
UKCE A1.10 Can IASME and their expert partners contact you if you experience a cyber breach? NULL United Kingdom
UKCE A2.1 Does the scope of this assessment cover your whole organisation? Please note: Your organisation is only eligible for free cyber insurance if your assessment covers your whole company; if you answer "No" to this question you will not be invited to apply for insurance. From what countries do vendor staff, including support, administration, development and testing, and external contractors or associates, access user data and any related data (e.g., metadata, logs) collected or used by the service (including backups and recovery)? NULL Security - Hosting and Location United Kingdom
UKCE A2.2 If it is not the whole organisation, then what scope description would you like to appear on your certificate and website? From what countries do vendor staff, including support, administration, development and testing, and external contractors or associates, access user data and any related data (e.g., metadata, logs) collected or used by the service (including backups and recovery)? NULL Security - Hosting and Location United Kingdom
UKCE A2.3 Please describe the geographical locations of your business which are in the scope of this assessment. From what countries do vendor staff, including support, administration, development and testing, and external contractors or associates, access user data and any related data (e.g., metadata, logs) collected or used by the service (including backups and recovery)? NULL Security - Hosting and Location United Kingdom
UKCE A2.4.1 Please list the quantity of thin clients within scope of this assessment. Please include make and operating systems. NULL United Kingdom
UKCE A2.5 Please list the quantity of servers, virtual servers and virtual server hosts (hypervisor). You must include the operating system. NULL United Kingdom
UKCE A2.6 Please list the quantities of tablets and mobile devices within the scope of this assessment. Please Note: You must include make and operating system versions for all devices. All user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable. NULL United Kingdom
UKCE A2.7 Please provide a list of your networks that will be in the scope for this assessment. Is production data used in non-production (e.g., test and development) environments? NULL Security - Technical United Kingdom
UKCE A2.7.1 How many staff are home workers? NULL United Kingdom
UKCE A2.8 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United Kingdom
UKCE A2.9 Please list all of your cloud services that are in use by your organisation and provided by a third party. Please note cloud services cannot be excluded from the scope of CE. If the service includes outsourced cloud-based services, are those cloud-based services IRAP assessed? See https://www.cyber.gov.au/irap for information about IRAP assessment. NULL Security - Hosting and Location United Kingdom
UKCE A2.10 Please provide the name and role of the person who is responsible for managing your IT systems in the scope of this assessment. NULL United Kingdom
UKCE A3.2 If you have answered "yes" to the last question then your organisation is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element please opt out here. Does your organisation have a current insurance policy of at least $1M with claims for data breach/loss? NULL Security - Product Information United Kingdom
UKCE A3.4 What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance. Does your organisation have a current insurance policy of at least $1M with claims for data breach/loss? NULL Security - Product Information United Kingdom
UKCE A4.1.1 When your devices (including computers used by homeworkers) are being used away from your workplace (for example, when they are not connected to your internal network), how do you ensure they are protected? NULL United Kingdom
UKCE A4.2 When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices? Are all users (including administrators, system accounts, and devices) uniquely identifiable within the service (i.e., via unique usernames and passwords)? NULL Security - Access United Kingdom
UKCE A4.2.1 Please describe the process for changing your firewall password. Home routers not supplied by your organisation are not included in this requirement. NULL United Kingdom
UKCE A4.4 Do you change your firewall password when you know or suspect it has been compromised? Are all users (including administrators, system accounts, and devices) uniquely identifiable within the service (i.e., via unique usernames and passwords)? NULL Security - Access United Kingdom
UKCE A4.5 Do you have any services enabled that can be accessed externally through your internet router, hardware firewall or software firewall? Are all users (including administrators, system accounts, and devices) uniquely identifiable within the service (i.e., via unique usernames and passwords)? NULL Security - Access United Kingdom
UKCE A4.5.1 Do you have a documented business case for all of these services? NULL United Kingdom
UKCE A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? A description of the process is required. Within the organisation, are all accounts disabled after 45 days of inactivity and are user identifiers blocked from reassignment to new users for a defined period of time? NULL Security - Access United Kingdom
UKCE A4.7 Have you configured your boundary firewalls so that they block all other services from being advertised to the internet? Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United Kingdom
UKCE A4.8 Are your boundary firewalls configured to allow access to their configuration settings over the internet? Are all users (including administrators, system accounts, and devices) uniquely identifiable within the service (i.e., via unique usernames and passwords)? NULL Security - Access United Kingdom
UKCE A4.9 If you answered yes in question A4.8, is there a documented business requirement for this access? Are all users (including administrators, system accounts, and devices) uniquely identifiable within the service (i.e., via unique usernames and passwords)? NULL Security - Access United Kingdom
UKCE A4.10 If you answered yes in question A4.8, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings? Are all users (including administrators, system accounts, and devices) uniquely identifiable within the service (i.e., via unique usernames and passwords)? NULL Security - Access United Kingdom
UKCE A4.11 Do you have software firewalls enabled on all of your computers, laptops and servers? Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United Kingdom
UKCE A4.12 If you answered no to question A4.11, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United Kingdom
UKCE A5.1 Where you are able to do so, have you removed or disabled all the software and services that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services? Describe how you achieve this. Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? NULL Security - Technical United Kingdom
UKCE A5.2 Have you ensured that all your laptops, computers, servers, tablets, mobile devices and cloud services only contain necessary user accounts that are regularly used in the course of your business? Has your organisation documented and implemented a security policy governing the management and use of externally owned systems and devices, such as personally owned computers, [NIST 800-171 3.1.20] portable storage devices and removable media (including media used for system maintenance), and does this policy include: • physically controlling and securely storing all media (paper and digital) containing sensitive data; • restricting access to media containing sensitive data to authorised staff; • encrypting any sensitive data on media that is moved outside secure areas (including external work sites and work from home); • logging any transport of media outside secure areas; • marking media containing sensitive data with applicable distribution limitations; • requiring all removable portable storage devices to have an identifiable owner; and • disabling all autorun and auto-play functionality on removable media? NULL Security - Technical United Kingdom Y
UKCE A5.3 Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones that follow the Password-based authentication requirements of Cyber Essentials? When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? NULL Security - Access United Kingdom
UKCE A5.4 Do you run external services that provide access to data (that shouldn't be made public) to users across the internet? NULL United Kingdom
UKCE A5.5 If yes to question A5.4, which option of password-based authentication do you use? A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length; B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length; C. A minimum password length of 12 characters and no maximum length; D. None of the above, please describe. NULL United Kingdom
UKCE A5.6 Describe the process in place for changing passwords on your external services when you believe they have been compromised. When a password reset is requested by the user or enforced by the service, are: • the newly assigned passwords (e.g., temporary initial passwords) randomly generated; • users required to provide verification of their identity (e.g., answering a set of challenge-response questions); • new passwords provided via a secure communication channel or split into parts; and • users required to change their assigned temporary password on first use? NULL Security - Access United Kingdom
UKCE A5.7 When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks? A. Throttling the rate of attempts; B. Locking accounts after 10 unsuccessful attempts; C. None of the above, please describe. NULL United Kingdom
UKCE A5.8 Is "auto-run" or "auto-play" disabled on all of your systems? NULL United Kingdom
UKCE A5.9 When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed? For the service, are user log-in sessions automatically terminated after a period of inactivity, or in response to a security incident? NULL Security - Access United Kingdom
UKCE A5.10 Which method do you use to unlock the devices? Are all internal organisation systems (including operating systems) configured with a session or screen lock that: - activates after a maximum of 15 minutes of user inactivity or if manually activated by the user; - activates after a maximum of 2 minutes of user inactivity or if manually activated by the user for mobile end-user devices; - completely conceals all information on the screen; - ensures that the screen does not enter a power saving state before the screen or session lock is activated; - requires the user to reauthenticate to unlock the system; - denies users the ability to disable the session or screen locking mechanism; and - does not display any secure information of its own? NULL Security - Access United Kingdom
UKCE A6.1 Are all operating systems on your devices supported by a vendor that produces regular security updates? If you have included firewall or router devices in your scope, the firmware of these devices is considered to be an operating system and needs to meet this requirement. NULL United Kingdom
UKCE A6.2 Is all the software on your devices supported by a supplier that produces regular fixes for any security problems? NULL United Kingdom
UKCE A6.2.1 Please list your internet browser(s). The version is required. NULL United Kingdom
UKCE A6.2.2 Please list your malware protection software. The version is required. NULL United Kingdom
UKCE A6.2.3 Please list your email applications installed on end user devices and servers. The version is required. NULL United Kingdom
UKCE A6.2.4 Please list all office applications that are used to create organisational data. The version is required. NULL United Kingdom
UKCE A6.4 Are all high-risk or critical security updates for operating systems and router and firewall firmware installed within 14 days of release? Are patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products applied within two weeks of release, or within 48 hours if an exploit exists? NULL Security - Processes and Testing United Kingdom
UKCE A6.4.1 Are all updates applied for operating systems by enabling auto updates? NULL United Kingdom
UKCE A6.4.2 Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all operating systems and firmware on firewalls and routers are applied within 14 days of release? NULL United Kingdom
UKCE A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Java, Adobe Reader and .NET) installed within 14 days of release? Are patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software and security products applied within two weeks of release, or within 48 hours if an exploit exists? NULL Security - Processes and Testing United Kingdom
UKCE A6.5.1 Are all updates applied on your applications by enabling auto updates? NULL United Kingdom
UKCE A6.5.2 Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release? NULL United Kingdom
UKCE A6.6 Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates for security problems? NULL United Kingdom
UKCE A6.7 Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment? Please explain how you achieve this. NULL United Kingdom
UKCE A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process. Does your organisation provide access to systems based on roles (e.g., role-based access control (RBAC)), and is this process documented for all systems including the service? NULL Security - Access United Kingdom
UKCE A7.2 Are all user and administrative accounts accessed by entering a unique username and password? Does the service provide functionality that allows school-based administrator accounts to control role-based access for school users (e.g., staff or students) in order to restrict access to stored information and/or functionality within the system? NULL Privacy - Functionality United Kingdom
UKCE A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation? Does the service provide functionality that allows school-based administrator accounts to control role-based access for school users (e.g., staff or students) in order to restrict access to stored information and/or functionality within the system? NULL Privacy - Functionality United Kingdom
UKCE A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this? Does your organisation provide access to systems based on roles (e.g., role-based access control (RBAC)), and is this process documented for all systems including the service? NULL Security - Access United Kingdom
UKCE A7.6 How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)? In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) NULL Security - Access United Kingdom
UKCE A7.7 How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email? In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) NULL Security - Access United Kingdom
UKCE A7.8 Do you formally track which users have administrator accounts in your organisation? In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) NULL Security - Access United Kingdom
UKCE A7.9 Do you review who should have administrative access on a regular basis? In your organisation, is the use of privileged accounts (administrators/super-users) restricted by policy to only those functions that require privileged access, and for the duration of those functions? (This includes external maintenance operations.) NULL Security - Access United Kingdom
UKCE A7.10 Describe how you protect accounts from brute-force password guessing in your organisation? For the service, when a new password is selected by a user, is there a restriction on: • How similar the new password is to the previous password; • The time duration or number of password changes before a previous password can be reused by a user? NULL Security - Access United Kingdom
UKCE A7.11 Which technical controls are used to manage the quality of your passwords within your organisation? For the service, when a new password is selected by a user, is there a restriction on: • How similar the new password is to the previous password; • The time duration or number of password changes before a previous password can be reused by a user? NULL Security - Access United Kingdom
UKCE A7.12 Please explain how you encourage people to use unique and strong passwords. For the service, when a new password is selected by a user, is there a restriction on: • How similar the new password is to the previous password; • The time duration or number of password changes before a previous password can be reused by a user? NULL Security - Access United Kingdom
UKCE A7.13 Do you have a documented password policy that includes a process for when you believe that passwords or accounts have been compromised? Does the service limit unsuccessful logon attempts, e.g. by resetting the user password after several such attempts? NULL Security - Access United Kingdom
UKCE A7.14 Do all of your cloud services have multi-factor authentication (MFA) available as part of the service? Within the service, do you offer multi-factor authentication for end-users? NULL Security - Access United Kingdom
UKCE A7.16 Has MFA been applied to all administrators of your cloud services? Across your organisation, are all externally exposed enterprise or third-party applications required to enforce multi-factor authentication? NULL Security - Access United Kingdom
UKCE A7.17 Has MFA been applied to all users of your cloud services? Within the service, do you offer multi-factor authentication for end-users? NULL Security - Access United Kingdom
UKCE A8.1 Are all of your desktop computers, laptops, tablets and mobile phones protected from malware by either: A - Having anti-malware software installed and/or B - Limiting installation of applications by application allow listing (For example, using an app store and a list of approved applications, using a Mobile Device Management (MDM) solution) or C - None of the above, please describe Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United Kingdom
UKCE A8.2 If Option A has been selected: Where you have anti-malware software installed, is it set to update in line with the vendor's guidelines and prevent malware from running on detection? Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United Kingdom
UKCE A8.3 If Option A has been selected: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites? Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United Kingdom
UKCE A8.4 If Option B has been selected: Where you use an app-store or application signing, are users restricted from installing unsigned applications? Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United Kingdom
UKCE A8.5 If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications? Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing United Kingdom
UKCE A2.4 Please list the quantities and operating systems for your laptops, desktops and virtual desktops within the scope of this assessment. Please Note: You must include make and operating system versions for all devices. All user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components NULL Security - Hosting and Location United Kingdom
UKCE A3.1 What is your total gross revenue? Please provide figure to the nearest £100K. You only need to answer this question if you are taking the insurance. Does your organisation have a current insurance policy of at least $1M with claims for data breach/loss? Security - Product Information United Kingdom
UKCE A3.3 What is your total gross revenue? Please provide figure to the nearest £100K. You only need to answer this question if you are taking the insurance. Does your organisation have a current insurance policy of at least $1M with claims for data breach/loss? Security - Product Information United Kingdom
UKCE A4.1 Do you have firewalls at the boundaries between your organisation’s internal networks, laptops, desktops, servers and the internet? Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United Kingdom
UKCE A4.1.1 When your devices (including computers used by homeworkers) are being used away from your workplace (for example, when they are not connected to your internal network), how do you ensure they are protected? NULL United Kingdom
UKCE A4.2 When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices? At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components NULL Security - Hosting and Location United Kingdom
UKCE A4.2.1 Please describe the process for changing your firewall password. Home routers not supplied by your organisation are not included in this requirement. NULL United Kingdom
UKCE A4.3 Is your new firewall password configured to meet the ‘Password-based authentication’ requirements? Please select the option being used A. Multi-factor authentication, with a minimum password length 8 characters and no maximum length B. Automatic blocking of common passwords, with a minimum password length 8 characters and no maximum length C. A password minimum length of 12 characters and no maximum length D. None of the above, please describe Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used; Prevent unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zone • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical United Kingdom
UKCE A6.3 Is all software licensed in accordance with the publisher’s recommendations? NULL United Kingdom
NZISM 1.1 The New Zealand Information Security Manual details processes and controls essential for the protection of all New Zealand Government information and systems. Controls and processes representing good practice are also provided to enhance the baseline controls. Baseline controls are minimum acceptable levels of controls and are often described as 'systems hygiene'. NULL New Zealand 3.6
NZISM 1.2 Agencies understand and follow the requirements of the New Zealand Information Security Manual. Protection of government information and systems is a core accountability. NULL New Zealand 3.6
NZISM 2.1 Agency security personnel and senior management are aware of and utilise information security services offered by the New Zealand Government. NULL New Zealand 3.6
NZISM 2.2 Non-government organisations handling classified information implement the same information security and protective measures as government agencies. NULL New Zealand 3.6
NZISM 2.4 Agencies are prepared for the impacts that widespread availability of quantum computing will have on information security. NULL New Zealand 3.6
NZISM 3.1 The agency head is accountable for information security within their agency. NULL New Zealand 3.6
NZISM 3.2 The Chief Information Security Officer (CISO) sets the strategic direction for information security within their agency. Is there a nominated role within the organisation responsible for information security (i.e., CIO, CTO, CISO)? NULL Security - Governance New Zealand Y 3.6
NZISM 3.3 Information Technology Security Managers (ITSM) provide information security leadership and management within their agency. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/ threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable) and; o Residual risk ratings after implementing mitigation actions Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis the framework is to be reviewed regularly and in response to security incidents? NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 3.4 All systems are allocated a system owner who has responsibility for the overall operation, including obtaining and maintaining any certification and accreditation, of the allocated system(s). Has responsibility for and ownership and accountability of critical system assets been assigned to individual/s in the organisation? NULL Security - Governance New Zealand 3.6
NZISM 3.5 System users comply with information security policies and procedures within their agency. NULL New Zealand 3.6
NZISM 4.1 Executives and Security Practitioners understand and enforce the use of the Certification and Accreditation (C&A) process and its role in information security governance and assurance. Does your organisation have a documented and implemented security, privacy and online safety risk management framework and supporting processes, which outlines at a minimum: - Scope and categorisation of information assets and systems; - Periodic or continuous assessment of risks/ threats, including those relating to the supply chain (e.g. from outsourced services that the solution relies on); - Selected and implemented controls to manage risks with the following details recorded in a risk register: o Identified security risks, categories and risk ratings; o Risk owner(s); o Mitigation actions; o Accepted risks (where applicable) and; o Residual risk ratings after implementing mitigation actions Proactive monitoring and testing of information assets and systems to maintain the security posture on an ongoing basis the framework is to be reviewed regularly and in response to security incidents? NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 4.2 The security posture of the organisation has been incorporated into its system security design, controls are correctly implemented, are performing as intended and that changes and modifications are reviewed for any security impact or implications. NULL New Zealand 3.6
NZISM 4.3 The effectiveness of information security measures for systems is periodically reviewed and validated. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly - conducting penetration tests for systems after a major change or at least annually - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned monitoring of compliance by third party providers a listing of all functions, ports and services in use updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures Reviewing and updating the plan annually or when significant changes occur NULL Security - Processes and Testing New Zealand Y 3.6
NZISM 4.4 Accreditation is the formal authority for a system to operate, and an important element in fundamental information system governance. Accreditation requires risk identification and assessment, selection and implementation of baseline and other appropriate controls and the recognition and acceptance of residual risks relating to the operation of a system including any outsourced services such as Telecommunications or Cloud. Accreditation relies on the completion of system certification procedures. NULL New Zealand 3.6
NZISM 4.5 As a governance good practice, systems are accredited before they are used operationally. NULL New Zealand 3.6
NZISM 5.1 Information security documentation is produced for systems, to support and demonstrate good governance. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 5.2 Information security policies (SecPol) set the strategic direction for information security. Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for Is the policy reviewed regularly and in response to security incidents? - which events are logged - policies relating to incident response, including a roadmap for an incident response capability if not already implemented - personnel security - physical and environmental protections - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 5.3 Security Risk Management Plans (SRMP) identify security risks and appropriate treatment measures for systems. NULL New Zealand 3.6
NZISM 5.4 System Security Plans (SSPs) specify the information security measures for systems. NULL New Zealand 3.6
NZISM 5.5 Standard Operating Procedures (SOPs) ensure security procedures are followed in an appropriate and repeatable manner. NULL New Zealand 3.6
NZISM 5.6 Incident Response Plans (IRP) outline actions to take in response to an information security incident. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processes and Testing New Zealand Y 3.6
NZISM 5.7 Classified information and systems are secured before personnel evacuate a facility in the event of an emergency. NULL New Zealand 3.6
NZISM 5.8 To provide assurance to System Owners, Certifiers, Practitioners and Accreditors and to assist system designers, enterprise and security architects where assurance reviews cannot be directly undertaken on service providers. If the solution processes electronic payments or holds credit card data, is it Payment Card Industry Data Security Standard (PCI DSS) compliant? NULL Security - Compliance Controls New Zealand Y 3.6
NZISM 5.9 Agencies implement a Vulnerability Disclosure Policy (VDP) to enable members of the public to report vulnerabilities in the agency's public-facing systems and applications and receive feedback on such reports. Does your organization have a vulnerability disclosure program providing authorization for security researchers to test for and report vulnerabilities? NULL Security - Processes and Testing New Zealand 3.6
NZISM 6.1 Information security reviews maintain the security of agency systems and detect gaps and deficiencies. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing New Zealand Y 3.6
NZISM 6.2 Exploitable information system weaknesses can be identified by vulnerability analyses and inform assessments and controls selection. Does your organisation have an implemented continuous monitoring plan for all organisational systems and infrastructure that includes: - conducting vulnerability scans for systems at least monthly; - conducting penetration tests for systems after a major change or at least annually; - analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls; - using a risk-based approach to prioritise the implementation of identified mitigations with at least monthly review; - conducting vulnerability scans for systems when significant new vulnerabilities affecting those systems are identified; - conducting vulnerability scans using tools that can be and are readily updated for new vulnerabilities to be scanned; - monitoring of compliance by third party providers; - a listing of all functions, ports and services in use; - updating vulnerability scans in response to security alerts as they are published, including updated anti-virus and anti-malware signatures; and - reviewing and updating the plan annually or when significant changes occur? NULL Security - Processes and Testing New Zealand Y 3.6
NZISM 6.3 To ensure information security is an integral part of the change management process, it should be incorporated into the agency's IT maintenance governance and management activities. Does your organisation have a documented and implemented IT Change management process and supporting procedures which includes the following at a minimum: - Applicable criteria for entry to and exit from the change management process; - Categorisation of IT change (e.g., Standard, Pre-Approved, Emergency, etc.); - Approval requirements for each category of IT change; - Assessment of potential security impacts; - Prerequisites for the IT change (e.g., the IT change has been tested in a non-production environment); - Documentation requirements in regard to the change (e.g., completion of a template in an IT change management tool, completion of a rollback plan, etc.); - Documentation that needs to be updated as a result of the change (e.g., as-built documentation, IT Disaster Recovery Plans, etc.); - IT change communication processes (e.g., notifications to users); and - Validation of all changes to systems before they are finalised? NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 6.4 To ensure business continuity and disaster recovery processes are established to assist in meeting the agency's business requirements, minimise any disruption to the availability of information and systems, and assist recoverability. Is the partial restoration of backups tested on a quarterly or more frequent basis? NULL Security - Data Deletion and Retention New Zealand Y 3.6
NZISM 7.1 To ensure that appropriate tools, processes and procedures are implemented to detect information security incidents, in order to minimise the impact of such incidents and as part of the suite of good IT governance activities. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processes and Testing New Zealand Y 3.6
NZISM 7.2 To ensure reporting information security incidents is incorporated as an essential part of incident management, whether the reporting is within an agency or reports are provided to another government agency. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processes and Testing New Zealand Y 3.6
NZISM 7.3 To identify and implement processes for incident identification, management and analysis of information security incidents, including selection of appropriate remedies which will assist in preventing or reducing the impact of future information security incidents. Does your organisation have a formal, documented and implemented incident response plan which requires security, privacy and online safety incidents to be: - Identified, following a clear definition; - Reported by staff (if internal); - Proactively monitored; - Contained; - Investigated; - Remediated; - Tracked with metrics, to measure response effectiveness; and - Recorded in a register with the following information at a minimum: o Date incident occurred; o Date incident discovered; o Description of the incident; o Actions taken in response to the incident; and o Name of person to whom the incident was reported? NULL Security - Processes and Testing New Zealand 3.6
NZISM 8.1 Physical security measures are applied to facilities in order to protect systems and their infrastructure. At a minimum, are the following physical access controls in place at the locations where data is stored: • No public access; • Visitor access only for visitors with a need to know and with a close escort; • Restricted access for authorised personnel with appropriate security clearance; • Physical controls on the facility and its support infrastructure (e.g. locked wiring closets, wiretapping sensors); • Single factor authentication for access control using secure swipe card, biometrics, coded access, other; • Control and management of any physical access control devices, such as secure swipe cards; • Security alarm system; • Physical surveillance (e.g. video cameras); • Logging of visitors and of any visitor activity, with reporting of any identified anomalies; • Logging of any physical access to locations where data is stored; and • Logging of any delivery and removal of physical system components? NULL Security - Hosting and Location New Zealand Y 3.6
NZISM 8.2 Secured server and communications rooms provide appropriate physical security for servers and network devices. NULL New Zealand 3.6
NZISM 8.3 Network infrastructure is protected by secure facilities and the use of encryption technologies. NULL New Zealand 3.6
NZISM 8.4 IT equipment is secured outside of normal working hours, is non-operational or when work areas are unoccupied. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 8.5 Tamper evident seals and associated auditing processes identify attempts to bypass the physical security of systems and their infrastructure. NULL New Zealand 3.6
NZISM 9.1 A security culture is fostered through induction training and ongoing security education tailored to roles, responsibilities, changing threat environment and sensitivity of information, systems and operations. Does your organisation run, based on the staff member's role, a customised security, privacy and online safety awareness/education program which addresses the following at a minimum: o Identification of who the awareness training needs to be delivered to, with records kept of training for each individual; o Identification, documentation and monitoring of when awareness training needs to be delivered (e.g., during induction, annually, etc.); o Identification of how the awareness training is to be delivered (e.g., classroom training, online course, security awareness posters, emails, etc.); o The content to be delivered for each awareness session, such as: o Basic understanding of the need for information security, privacy and online safety, including causes of unintentional data exposure; o Actions to maintain security, privacy and online safety, including practical office/desktop practices; o Actions to respond to suspected security, privacy and online safety incidents; o Applicable policies and laws; o Practical security, privacy and online safety awareness exercises; o Data identification and storage, including the safe transfer of data, archival and destruction; o Disciplinary actions for significant security and privacy breaches by staff; o How to recognise and report indicators of potential insider threats to security by staff; o Recognising social engineering attacks such as phishing, pretexting and tailgating; o Authentication best practices including MFA, password composition and managing credentials; o Verification and reporting of out-of-date software patches and any failure in automated processes and tools; and o The dangers of connecting to, and transmitting data over, insecure networks for business activities, with specific training for remote workers regarding safe configuration of home networks? NULL Security - HR New Zealand Y 3.6
NZISM 9.2 Only appropriately authorised, cleared and briefed personnel are allowed access to systems. NULL New Zealand 3.6
NZISM 9.3 Personnel use Internet services in a responsible and security conscious manner, consistent with agency policies. NULL New Zealand 3.6
NZISM 9.4 Uncleared personnel are escorted within secure areas. NULL New Zealand 3.6
NZISM 10.1 Cable management systems are designed to support the integration of systems across government facilities, assist maintenance and engineering changes, as well as minimise the opportunity for tampering or unauthorised changes to cable systems. NULL New Zealand 3.6
NZISM 10.2 Cable management systems in non-shared government facilities are implemented in a secure and easily inspectable and maintainable way. NULL New Zealand 3.6
NZISM 10.3 Cable management systems in shared government facilities are implemented in a secure and easily inspectable and maintainable way. NULL New Zealand 3.6
NZISM 10.4 Cable management systems are implemented in shared non-government facilities to minimise risks to data and information. NULL New Zealand 3.6
NZISM 10.5 To facilitate cable management, and identify unauthorised additions or tampering. NULL New Zealand 3.6
NZISM 10.6 Cable termination, patch panels, patch cables and racks are designed to prevent emanations, cross-connecting or cross-patching systems of differing classifications as well as following good engineering practice. NULL New Zealand 3.6
NZISM 10.7 In order to minimise compromising emanations or the opportunity for a technical attack, a threat assessment is used to determine appropriate countermeasures. NULL New Zealand 3.6
NZISM 10.8 IP address architecture, allocation and addressing schemes enable and support system security and data protection. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; • Organisation assets are configured to use trusted DNS servers; • Explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security); • Authorisation and encryption on the organisation's wireless network; • Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems; • Blocking of split tunnelling; • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity; • Implemented traffic flow policy on each external telecommunications service used; • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System); • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones; • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation; and • Periodic scan of organisational file storage and real-time scans of files from external sources? NULL Security - Technical New Zealand Y 3.6
NZISM 11.1 To maintain the integrity of secure areas, only approved radio frequency (RF) and infrared devices (IR) are brought into secure areas. NULL New Zealand 3.6
NZISM 11.2 Fax machines, multifunction devices (MFD's) and network printers are used in a secure manner. NULL New Zealand 3.6
NZISM 11.3 Telephone systems are prevented from communicating unauthorised classified information. NULL New Zealand 3.6
NZISM 11.4 Mobile telephone systems and devices are prevented from communicating unauthorised classified information. NULL New Zealand 3.6
NZISM 11.5 Wearable devices are prevented from unauthorised communication or from compromising secure areas. NULL New Zealand 3.6
NZISM 11.6 To ensure Radio Frequency Identification (RFID) devices are used safely and securely in order to protect privacy, prevent unauthorised access and to prevent the compromise of secure spaces. NULL New Zealand 3.6
NZISM 11.7 To ensure Access Control Systems incorporating contactless RFID or smart cards are used safely and securely in order to protect privacy, prevent unauthorised access and to prevent the compromise of secure spaces. NULL New Zealand 3.6
NZISM 12.1 Products providing security functions for the protection of classified information are formally evaluated in order to provide a degree of assurance over the integrity and performance of the product. NULL New Zealand 3.6
NZISM 12.2 Evaluated products use evaluated configurations. NULL New Zealand 3.6
NZISM 12.3 IT equipment is classified and appropriately labelled. NULL New Zealand 3.6
NZISM 12.4 To ensure security patches are applied in a timely fashion to manage software and firmware corrections, vulnerabilities and performance risks. Are patches, updates or vendor mitigations for security vulnerabilities in other applications applied within one month of release? NULL Security - Processes and Testing New Zealand Y 3.6
NZISM 12.5 Products are repaired by cleared or appropriately escorted personnel. NULL New Zealand 3.6
NZISM 12.6 All IT equipment is sanitised and disposed of in an approved and secure manner. Does your organisation have a documented and implemented IT Asset management process including: - A register of all components that make up the service, including software, databases, middleware, infrastructure etc (their version numbers, patch levels, configuration, network address (if static), hardware address, machine name, asset owner, asset department, approval for connecting to the organisation's network. For software the publisher, installation date, business purpose, URI, deployment mechanism, decommission date); - An ICT equipment and media register that is maintained and regularly audited; - A directive that ICT equipment and media are secured when not in use; - The secure disposal of ICT equipment and media (including sanitising/removal of any data or secure destruction/shredding); - A register of all baseline configurations associated with components, that is updated in line with the organisation's system hardening process, with each component tracked only once. - Documentation of security and privacy impacts of asset changes; and - Removal, denial of access or the quarantining of any identified unauthorized assets on a regular basis. NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 12.7 Technology supply chains are established and managed to ensure continuity of supply and protection of sensitive related information. Are customers notified, prior to relocation, of any relocation or expansion (i.e. change of country) of: • the cloud infrastructure, including system components, user data and related data; and • any person (vendor or cloud infrastructure staff, external contractors or associates) with access to unencrypted customer data or any person with a means of accessing or extracting unencrypted data (e.g., those with access to encryption keys and encrypted customer data)? NULL Security - Hosting and Location New Zealand Y 3.6
NZISM 13.1 To ensure systems are safely decommissioned and that software, system logic and data are properly transitioned to new systems or archived in accordance with agency, legal and statutory requirements. Is deletion of data from the service: - Performed securely commensurate with the data's sensitivity; - And certified? NULL Security - Data Deletion and Retention New Zealand Y 3.6
NZISM 13.2 Media is properly classified, labelled and registered in order to clearly indicate the required handling instructions and degree of protection to be applied. NULL New Zealand 3.6
NZISM 13.3 Media is used with systems in a controlled and accountable manner. NULL New Zealand 3.6
NZISM 13.4 Media and IT Equipment that is to be redeployed or is no longer required is sanitised. Is deletion of data from the service: - Performed securely commensurate with the data's sensitivity; - And certified? NULL Security - Data Deletion and Retention New Zealand Y 3.6
NZISM 13.5 To ensure media and IT equipment that cannot be sanitised is safely destroyed before disposal in an environmentally responsible manner. Is deletion of data from the service: - Performed securely commensurate with the data's sensitivity; - And certified? NULL Security - Data Deletion and Retention New Zealand Y 3.6
NZISM 13.6 Media and IT equipment is declassified and approved by the CISO, or delegate, for release before disposal into the public domain. Is deletion of data from the service: - Performed securely commensurate with the data's sensitivity; - And certified? NULL Security - Data Deletion and Retention New Zealand Y 3.6
NZISM 14.1 Standard Operating Environments (SOE) are hardened in order to minimise attacks and compromise through known vulnerabilities and attack vectors. Are all of the organisation's desktop computers, laptops, tablets, mobile phones and other devices protected from viruses and malware by: Having anti-virus and anti-malware installed; Limiting the applications and services which can be installed to a documented approved set; Anti-virus and anti-malware signatures are updated at least daily; Anti-virus and anti-malware scan files automatically before access; and Anti-virus and anti-malware scan web pages and provide warnings to users when malicious sites are accessed? NULL Security - Technical New Zealand Y 3.6
NZISM 14.2 Only approved applications are used on agency controlled systems. Within the vendor organisation, is application control: - Implemented on all workstations; - Implemented on internet-facing and non-internet facing servers; - Enabled to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; - Enabled to restrict the execution of drivers to an organisation-approved set; - Implemented using cryptographic hash rules, publisher certificate rules or path rules; - Rulesets are validated on an annual or more frequent basis; - When implementing application control using publisher certificate rules, both publisher names and product names are used; and - Extended to tools and applications used in system and software maintenance? NULL Security - Access New Zealand Y 3.6
NZISM 14.3 Access to Web content is implemented in a secure and accountable manner. NULL New Zealand 3.6
NZISM 14.4 Secure programming methods and testing are used for application development in order to minimise the number of coding errors and introduction of security vulnerabilities. Does the service's application development have the following characteristics:
  • Environments are separated into at least development, testing and production environments;
  • Development and modification of software only takes place in development environments;
  • Unauthorised access to the authoritative software source is prevented;
  • Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organisation's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development);
  • Applies the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) for all software development activities;
  • Privacy-by-design principles;
  • Threat modelling is used in support of application development; and
  • Alignment to a security and privacy architecture that has been drawn up for the system?
NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 14.5 Security mechanisms are incorporated into all Web applications by design and implementation. Does the service's application development have the following characteristics:
  • Environments are separated into at least development, testing and production environments;
  • Development and modification of software only takes place in development environments;
  • Unauthorised access to the authoritative software source is prevented;
  • Secure-by-design principles and secure programming practices are used as part of application development. (This includes: integrating the organisation's security and privacy risk management into application development; assigning responsibility for security and privacy as defined roles to individuals during application development);
  • Applies the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) for all software development activities;
  • Privacy-by-design principles;
  • Threat modelling is used in support of application development; and
  • Alignment to a security and privacy architecture that has been drawn up for the system?
NULL Security - Plans and Quality New Zealand Y 3.6
NZISM 15.1 Email messages have appropriate protective markings to facilitate the application of handling instructions. NULL New Zealand 3.6
NZISM 15.2 Email infrastructure is hardened, email is secured and protective marking of email messages is enforced. NULL New Zealand 3.6
NZISM 16.1 Identification and authentication requirements are implemented in order to provide a secure means of access to information and systems. Are all passwords used to access the service (i.e. user, system, and privileged account passwords) protected in line with the recommendations of at least one of: the Australian Cyber Security Centre Information Security Manual; the New Zealand Information Security Manual; and/or the Open Web Application Security Project's (OWASP) Application Security Verification Standard V2.4 Credential Storage Requirements, including the recommendation for ensuring passwords are hashed, salted and stretched? NULL Security - Access New Zealand Y 3.6
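The NZISM 16.1 question above asks for passwords that are hashed, salted and stretched (the ASVS V2.4 credential storage requirements). The block below is an added example, not part of the GESS crosswalk or of any framework it cites, showing one way to meet that requirement with only the Python standard library. The work factor (PBKDF2-HMAC-SHA256, 600,000 iterations) is an assumption taken from OWASP's Password Storage Cheat Sheet; the record format and the function names are ours. The last function shows the unsalted, unstretched hash the control is meant to rule out.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example: PBKDF2-HMAC-SHA256 at 600,000 iterations
# (OWASP Password Storage Cheat Sheet figure). The control only says
# "hashed, salted and stretched"; the exact parameters are this example's choice.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields).

    Storing the parameters next to the hash is what lets the work factor be
    raised later without invalidating existing credentials (see needs_rehash).
    """
    salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt per credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return (
        f"{ALGORITHM}${iterations}$"
        f"{base64.b64encode(salt).decode('ascii')}$"
        f"{base64.b64encode(dk).decode('ascii')}"
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:  # malformed record; binascii.Error is a ValueError subclass
        return False
    if algo != ALGORITHM or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy; call after a successful login
    and re-store hash_password(password) so old records are upgraded transparently."""
    algo, iters, _salt, _hash = record.split("$")
    return algo != ALGORITHM or int(iters) < target_iterations


def unsalted_sha256(password: str) -> str:
    """Counter-example of what the control forbids: no salt (identical passwords give
    identical hashes, so precomputed tables work) and no stretching (one SHA-256 is
    cheap enough to brute force offline at very high rates)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

The `needs_rehash` step is what makes "stretched" a living requirement rather than a one-off: when the organisation raises the iteration count, records are migrated lazily at the next successful login instead of forcing a password reset across the service.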
NZISM 16.2 Access to information on systems is controlled in accordance with agency policy and this manual. Does your organisation provide access to systems based on roles (e.g., role-based access control (RBAC)), and is this process documented for all systems including the service? NULL Security - Access New Zealand Y 3.6
NZISM 16.3 Only trusted personnel are granted privileged access to systems. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity; and - Provided appropriate security notices when they access the system? NULL Security - Access New Zealand Y 3.6
NZISM 16.4 To ensure Privileged Access Management (PAM) is incorporated into IT Governance and that privileged accounts are managed in accordance with agency's PAM policy. Is there a documented and implemented process to remove access to systems, applications and data repositories for personnel (vendor staff, external contractors and associates) that: no longer have a legitimate requirement for access (implemented on the same day); and are detected undertaking malicious activities (implemented immediately)? NULL Security - HR New Zealand Y 3.6
NZISM 16.5 Remote access to systems is minimised, secure, controlled, authorised and authenticated. At a minimum, are vendor staff, external contractors or associates with access to systems, applications and information (including audit logs): - Validated and approved by appropriate personnel; - Periodically reviewed (at least annually) and revalidated or revoked; - Reviewed and revalidated or revoked following changes to role, employment and/or inactivity; and - Provided appropriate security notices when they access the system? NULL Security - Access New Zealand Y 3.6
NZISM 16.6 Information security related events are logged and audited for accountability, incident management, forensic and system monitoring purposes. Has your organisation implemented a centralised logging facility to store logs which: Ensures logs cannot be tampered with; Triggers an alert in case a logging transaction fails; Supports audit reduction and report generation for analysis; and Ensures adequate storage to comply with specified retention times? NULL Security - Logging New Zealand Y 3.6
NZISM 16.7 To ensure authentication systems incorporate Multi-Factor Authentication mechanisms to secure Privileged Accounts and in accordance with the Agency's Privileged Access Management (PAM) policy. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? NULL Security - Access New Zealand Y 3.6
NZISM 17.1 Agencies use cryptographic products, algorithms and protocols that are approved by the GCSB and are implemented in accordance with this guidance. Are all of the service's web servers secured with digital certificates signed by a reputable trusted authority? NULL Security - Technical New Zealand Y 3.6
NZISM 17.2 Information is protected by a properly implemented, Approved Cryptographic Algorithm. Does the service prevent unauthorised and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? NULL Security - Technical New Zealand Y 3.6
NZISM 17.3 Classified information in transit is protected by an Approved Cryptographic Protocol implementing an Approved Cryptographic Algorithm. Does the service prevent unauthorized and unintended information transfer via unencrypted shared system resources, such as caches and hard disks? NULL Security - Technical New Zealand Y 3.6
NZISM 17.4 Transport Layer Security is implemented correctly as an approved protocol. NULL New Zealand 3.6
NZISM 17.5 Secure Shell (SSH) is implemented correctly as an Approved Cryptographic Protocol. NULL New Zealand 3.6
NZISM 17.6 Secure/Multipurpose Internet Mail Extensions (S/MIME) is implemented correctly as an Approved Cryptographic Protocol. NULL New Zealand 3.6
NZISM 17.7 OpenPGP Message Format is implemented correctly as an Approved Cryptographic Protocol. NULL New Zealand 3.6
NZISM 17.8 Internet Protocol Security (IPSec) is correctly implemented. NULL New Zealand 3.6
NZISM 17.9 Cryptographic keying material is protected by key management procedures. Does your organisation have a documented and implemented key management process which describes at a minimum: • Key generation; • Key registration; • Key storage; • Key distribution and installation; • Key use; • Key rotation; • Key backup; • Key recovery; • Key revocation; • Key suspension; and • Key destruction? NULL Security - Technical New Zealand Y 3.6
NZISM 17.10 Hardware Security Modules are used where additional security of cryptographic functions is desirable. Are all of the service's web servers secured with digital certificates signed by a reputable trusted authority? NULL Security - Technical New Zealand Y 3.6
NZISM 18.1 Any change to the configuration of networks is authorised and controlled through appropriate change management processes to ensure security, functionality and capability is maintained. NULL New Zealand 3.6
NZISM 18.2 Wireless localarea networks are deployed in a secure manner that does not compromise the security of information and systems. NULL New Zealand 3.6
NZISM 18.3 Video & Telephony Conferencing (VTC), Internet Protocol Telephony (IPT) and Voice over Internet Protocol (VoIP) systems are implemented in a secure manner that does not compromise security, information or systems and that theyoperate securely. NULL New Zealand 3.6
NZISM 18.4 An intrusion detection and prevention strategy is implemented for systems in order to respond promptly to incidents and preserve availability, confidentiality and integrity of systems. Has your organisation implemented a centralised logging facility to store logs which: ensures logs cannot be tampered with; triggers an alert in case a logging transaction fails; supports audit reduction and report generation for analysis; and ensures adequate storage to comply with specified retention times? NULL Security - Logging New Zealand Y 3.6
NZISM 18.5 IPv6 is disabled until it is ready to be deployed. NULL New Zealand 3.6
NZISM 18.6 An evaluated peripheral switch is used when sharing keyboards, monitors and mice or other user interface devices, between different systems. NULL New Zealand 3.6
NZISM 18.7 Agencies identify and effectively manage the risks and compensating controls involved in utilising inverse split tunnelling as part of remote access virtual private network (VPN) configurations. NULL New Zealand 3.6
NZISM 19.1 To ensure that gateways are properly configured to protect agency systems and information transferred between systems from different security domains. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? NULL Security - Access New Zealand Y 3.6
NZISM 19.2 Cross-Domain Solutions secure transfers between systems of differing classifications or trust levels with high assurance over the security of systems and information. NULL New Zealand 3.6
NZISM 19.3 Agencies operating bi-directional gateways implement firewalls and traffic flow filters to provide a protective layer to their networks in both discrete and virtual environments. Has your organisation implemented the following perimeter controls: • External firewall; • Host based firewalls or port filtering on end-user devices with default-deny rules; • IDS/IPS (Intrusion Detection System/Intrusion Prevention System); • DMZ (Demilitarised Zone) for hosting external sites; • Content filtering (including blocking of unnecessary file types); • DoS/DDoS (Denial of Service/Distributed Denial of Service) defence; • Web Application Firewall (WAF); • Filtering and monitoring of outgoing traffic (spikes, unusual activity, malicious content); • Packet inspection; • Network segmentation; • VPN required for remote access; • Detection and monitoring of unauthorised devices on the network through both passive and active device discovery, resulting in updates to asset inventory on a regular basis; • DNS filtering and network URL based filters; and • Organisation assets are configured to use trusted DNS servers? • explicit restrictions on information transfer to external systems based on data structures and content, as well as authorisation (for example, enforcing read-only access, filtering, message security tagging and reclassification of message security) • Authorisation and encryption on the organization's wireless network? 
• Restrictions on the use of portable storage devices to transfer information from organisation systems to external systems • Blocking of split tunnelling • Automatic termination of inactive network connections at the end of a session or after a defined period of inactivity • Implemented traffic flow policy on each external telecommunications service used • Prevention of unauthorised use of control plane traffic (e.g. Border Gateway Protocol routing, Domain Name System) • Data origin authentication and integrity verification on name/address resolution services such as DNS, including child zones • Fault tolerance on name/address resolution services such as DNS, including secondary server and internal/external server separation • Periodic scan of organisational file storage and real-time scans of files from external sources NULL Security - Technical New Zealand 3.6
NZISM 19.4 Networks connected to one-way (uni-directional) gateways implement diodes in order to protect the higher classified system. NULL New Zealand 3.6
NZISM 19.5 To ensure the use of Session Border Controllers (SBCs) is integrated with the agency's security architecture and that use is consistent with other requirements for gateway security in this chapter. NULL New Zealand 3.6
NZISM 20.1 Data transfers between systems are controlled and accountable. Is production data used in non-production (e.g., test and development) environments? NULL Security - Technical New Zealand Y 3.6
NZISM 20.2 Data is transferred through gateways in a controlled and accountable manner. NULL New Zealand 3.6
NZISM 20.3 The flow of data within gateways is examined and controls applied in accordance with the agency's security policy, in order to prevent unauthorised or malicious content crossing security domain boundaries. Does your organisation: - disable the internal use of business productivity tool macros (e.g., Microsoft Office macros) and scripts (VB, Java, PowerShell) for users that don't have a demonstrated business requirement; - block macros in files originating from the internet; - enable macro antivirus scanning; and - ensure macro security settings can't be changed by users? NULL Security - Technical New Zealand 3.6
NZISM 20.4 Database content is protected from personnel without a need-to-know. NULL New Zealand 3.6
NZISM 21.1 Information on agency-owned mobile devices is protected from unauthorised disclosure. Has your organisation documented and implemented a security policy governing the management and connectivity of mobile devices, including • use of a Mobile Device Management solution applied to all mobile devices; and • encryption of any sensitive information transferred to mobile devices? NULL Security - Technical New Zealand 3.6
NZISM 21.2 Information on mobile devices is not accessed from public or insecure locations. NULL New Zealand 3.6
NZISM 21.3 Personnel working from home protect classified information in the same manner as in the office environment. NULL New Zealand 3.6
NZISM 21.4 Where an Agency permits personnel to supply their own mobile devices (such as smartphones, tablets and laptops), Official Information and agency information systems are protected to a level equivalent to an agency provided and managed office environment. Does your organisation mandate multi-factor authentication for: • Vendor staff, external contractors or associates accessing systems remotely (including access to cloud systems); • System administrators; • Support staff; • Staff with privileged accounts? NULL Security - Access New Zealand Y 3.6
NZISM 22.1 Cloud systems risks are identified and managed and that Official Information and agency information systems are protected in accordance with Cabinet Directives, the PSR, the New Zealand Government Security Classification System, the NZISM and with other government security requirements and guidance. Is deletion of data from the service: - Performed securely commensurate with the data's sensitivity; - And certified? NULL Security - Data Deletion and Retention New Zealand Y 3.6
NZISM 22.2 To identify virtualisation specific risks and apply mitigations to minimise risk and secure the virtual environment. Does your organisation have a documented and implemented system hardening process which: Includes in scope operating systems, virtualisation platforms, storage, network, software, applications, workstations and other end-user devices (including portable, mobile and IoT devices); Includes the management of default user accounts and access levels and the uninstallation or disablement of unnecessary services; Ensures only required ports, protocols, services and authorisations are enabled, whether for internal or external connections (all others are restricted); Is reviewed annually and when significant changes occur, including when system components are installed or upgraded; Results in security configurations being established and enforced for organisation systems; and Ensures only required and authorised software is installed and used? NULL Security - Technical New Zealand Y 3.6
NZISM 22.3 Virtual local area networks (VLANs) are deployed in a secure manner that does not compromise the security of information and systems. NULL New Zealand 3.6
NZISM 23.1 Agencies understand key concepts and implement controls related to securing their use of public cloud services. NULL New Zealand 3.6
NZISM 23.2 Agency cloud initiatives follow the risk management, assurance, governance, and control requirements in this manual. NULL New Zealand 3.6
NZISM 23.3 Identities used for public cloud services are managed, protected, and consistently used to form a secure basis for controlling access to resources. NULL New Zealand 3.6
NZISM 23.4 Data is protected throughout its lifecycle on public cloud platforms. NULL New Zealand 3.6
NZISM 23.5 Security-related events are recorded from across an agency's public cloud platforms and are able to be analysed for timely notification of potential threats or incidents. NULL New Zealand 3.6
NIST 800-53 PE-1 Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. 
Does your organisation have a documented and implemented information security policy that outlines the following at a minimum: - management direction and support for information security; - requirement to comply with applicable laws and regulations; - information security roles and corresponding responsibilities/accountabilities; - access controls for sensitive information aligned to the information security roles; - how long security logs are retained for; - which events are logged; - policies relating to incident response, including a roadmap for an incident response capability if not already implemented; - personnel security; - physical and environmental protections; - system boundaries, environments of operation, and relationships/connections to other systems; and - policies relating to preserving system and information integrity, including system monitori Is the policy reviewed regularly and in response to security incidents? Security - Plans and Quality United States 1
NIST 800-53 MA-1 Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. Does your organisation have a documented and implemented security planning policy that outlines the following at a minimum: - management direction and support for planning around security; - requirement to comply with applicable laws and regulations; - policy that governs the development of security-related plans in the organisation overall; 
- requires coordination around the plans with other business units within the organisation as appropriate?; and - is the policy reviewed regularly and in response to security incidents? Security - Plans and Quality United States 1
NIST 800-53 PL-1 Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. 
Does your organisation have a documented and implemented systems and services acquisition policy that outlines the following at a minimum: - management direction and support for planning around systems and services acquisition; - requirement to comply with applicable laws and regulations; - policy that governs the acquisition of resources, including security and privacy requirements and acceptance criteria; - requiring the developer of the system or service to provide: a description of the functional properties of any security controls; relevant design and implementation information for security controls; a listing of all functions, ports, protocols and services in use; conformance with NIST FIPS 201-3 for any Personal Identity Verification functionality (smart card or equivalent for access to premises); - requirement for administrator documentation covering secure configuration, use and maintenance, and known vulnerabilities; - requirement for user documentation covering the security and privacy functionality users can access, secure user interaction, and user responsibilities; - logging of attempts to obtain documentation that have been unsuccessful; and - is the policy reviewed regularly and in response to security incidents? Security - Plans and Quality United States 1
NIST 800-53 IA-1 Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure. 
Does your organisation have a documented and implemented identification and authentication policy that outlines the following at a minimum: - management direction and support for identification and authentication; - requirement to comply with applicable laws and regulations; - policy on user identifiers; - policy on passwords and password updates; - policy on one-factor and multi-factor authentication security and usage; and - is the policy reviewed regularly and in response to security incidents? Security - Plans and Quality United States 1
NIST 800-53 SA-5 System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation. United States 1
This page includes material that is © Copyright Education Services Australia Limited 2023. All rights reserved. This material must not be reproduced without permission.