From ae7d12d87bbec04dbfaf090124ed7e4f451f248f Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Fri, 5 Apr 2024 22:24:19 +0200 Subject: [PATCH 1/2] Adding CCB CyberFundamentals Framework - Essential (Full) --- .../library/libraries/ccb-cff-2023-03-01.yaml | 3377 +++++++++++++++++ tools/ccb/ccb-cyberfundamentals.yaml | 3377 +++++++++++++++++ tools/ccb/cff.xlsx | Bin 0 -> 52780 bytes 3 files changed, 6754 insertions(+) create mode 100644 backend/library/libraries/ccb-cff-2023-03-01.yaml create mode 100644 tools/ccb/ccb-cyberfundamentals.yaml create mode 100644 tools/ccb/cff.xlsx diff --git a/backend/library/libraries/ccb-cff-2023-03-01.yaml b/backend/library/libraries/ccb-cff-2023-03-01.yaml new file mode 100644 index 000000000..629c806a4 --- /dev/null +++ b/backend/library/libraries/ccb-cff-2023-03-01.yaml 
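Review bot: the diffstat commits the same 3377-line YAML twice, as `backend/library/libraries/ccb-cff-2023-03-01.yaml` and `tools/ccb/ccb-cyberfundamentals.yaml`, next to the binary `tools/ccb/cff.xlsx` it was presumably generated from; two hand-committed copies of generated content will drift on the first correction, so keep the spreadsheet and the conversion step under tools/ccb and commit only the generated library under backend/ (or at least document in tools/ccb how the library file is regenerated). Two header points while you are there: the library carries `version: 1` and a 2023-03-01 date in `ref_id`/`urn`, but neither the name nor the description says which CyberFundamentals edition or assurance level is packaged, although the subject line says "Essential (Full)"; and the `copyright` field only asserts that the texts are subject to copyright law without naming the terms under which they may be redistributed in this library, which is worth confirming and stating before this ships.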
@@ -0,0 +1,3377 @@ +urn: urn:intuitem:risk:library:ccb-cff-2023-03-01 +locale: en +ref_id: CCB-CFF-2023-03-01 +name: CCB CyberFundamentals Framework +description: Centre For Cybersecurity Belgium - CyberFundamentals Framework +copyright: All texts, layouts, designs and other elements of any nature in this document + are subject to copyright law. +version: 1 +provider: CCB +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:ccb-cff-2023-03-01 + ref_id: CCB-CFF-2023-03-01 + name: CCB CyberFundamentals Framework + description: Centre For Cybersecurity Belgium - CyberFundamentals Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY (ID) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.AM + name: Asset Management + description: "The data, personnel, devices, systems, and facilities that enable\ + \ the organization to achieve business purposes are identified and managed\ + \ consistent with their relative importance to organizational objectives and\ + \ the organization\u2019s risk strategy." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-1 + description: Physical devices and systems within the organization are inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: BASIC_ID.AM-1.1 + description: An inventory of assets associated with information and information + processing facilities within the organization shall be documented, reviewed, + and updated when changes occur. 
+ annotation: "\u2022\tThis inventory includes fixed and portable computers, tablets,\ + \ mobile phones, Programmable Logic Controllers (PLCs), sensors, actuators,\ + \ robots, machine tools, firmware, network switches, routers, power supplies,\ + \ and other networked components or devices. \n\u2022\tThis inventory must\ + \ include all assets, whether or not they are connected to the organization's\ + \ network.\n\u2022\tThe use of an IT asset management tool could be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.2 + description: "The inventory of assets associated with information and information\ + \ processing facilities shall reflect changes in the organization\u2019s\ + \ context and include all information necessary for effective accountability." + annotation: "\u2022\tInventory specifications include for example, manufacturer,\ + \ device type, model, serial number, machine names and network addresses,\ + \ physical location\u2026\n\u2022\tAccountability is the obligation to explain,\ + \ justify, and take responsibility for one's actions, it implies answerability\ + \ for the outcome of the task or process.\n\u2022\tChanges include the decommissioning\ + \ of material." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.3 + description: When unauthorized hardware is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported hardware without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized hardware can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: ID.AM-1.4 + description: Mechanisms for detecting the presence of unauthorized hardware + and firmware components within the organization's network shall be identified. + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to address unauthorized assets on a frequently\ + \ basis; The organization may choose to remove the asset from the network,\ + \ deny the asset from connecting remotely to the network, or quarantine the\ + \ asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-2 + description: Software platforms and applications within the organization are + inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: BASIC_ID.AM-2.1 + description: An inventory that reflects what software platforms and applications + are being used in the organization shall be documented, reviewed, and updated + when changes occur. + annotation: "\u2022\tThis inventory includes software programs, software platforms\ + \ and databases, even if outsourced (SaaS).\n\u2022\tOutsourcing arrangements\ + \ should be part of the contractual agreements with the provider.\n\u2022\t\ + Information in the inventory should include for example: name, description,\ + \ version, number of users, data processed, etc.\n\u2022\tA distinction should\ + \ be made between unsupported software and unauthorized software.\n\u2022\t\ + The use of an IT asset management tool could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.2 + description: "The inventory of software platforms and applications associated\ + \ with information and information processing shall reflect changes in the\ + \ organization\u2019s context and include all information necessary for effective\ + \ accountability." + annotation: The inventory of software platforms and applications should include + the title, publisher, initial install/use date, and business purpose for each + entry; where appropriate, include the Uniform Resource Locator (URL), app + store(s), version(s), deployment mechanism, and decommission date. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.3 + description: Individuals who are responsible and who are accountable for administering + software platforms and applications within the organization shall be identified. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.4 + description: When unauthorized software is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported software without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized software can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: ID.AM-2.5 + description: "Mechanisms for detecting the presence of unauthorized software\ + \ within the organization\u2019s ICT/OT environment shall be identified. " + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to regularly address unauthorised assets;\ + \ The organization may choose to remove the asset from the network, deny the\ + \ asset from connecting remotely to the network, or quarantine the asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-3 + description: Organizational communication and data flows are mapped + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: BASIC_ID.AM-3.1 + description: Information that the organization stores and uses shall be identified. + annotation: "\u2022\tStart by listing all the types of information your business\ + \ stores or uses. Define \u201Cinformation type\u201D in any useful way that\ + \ makes sense to your business. You may want to have your employees make a\ + \ list of all the information they use in their regular activities. List everything\ + \ you can think of, but you do not need to be too specific. For example, you\ + \ may keep customer names and email addresses, receipts for raw material,\ + \ your banking information, or other proprietary information.\n\u2022\tConsider\ + \ mapping this information with the associated assets identified in the inventories\ + \ of physical devices, systems, software platforms and applications used within\ + \ the organization (see ID.AM-1 & ID.AM-2)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: IMPORTANT_ID.AM-3.2 + description: All connections within the organization's ICT/OT environment, and + to other organization-internal platforms shall be mapped, documented, approved, + and updated as appropriate. + annotation: "\u2022\tConnection information includes, for example, the interface\ + \ characteristics, data characteristics, ports, protocols, addresses, description\ + \ of the data, security requirements, and the nature of the connection.\n\u2022\ + \tConfiguration management can be used as supporting asset.\n\u2022\tThis\ + \ documentation should not be stored only on the network it represents.\n\u2022\ + \tConsider keeping a copy of this documentation in a safe offline environment\ + \ (e.g. offline hard disk, paper hardcopy, \u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: ID.AM-3.3 + description: "The information flows/data flows within the organization\u2019\ + s ICT/OT environment, as well as to other organization-internal systems shall\ + \ be mapped, documented, authorized, and updated when changes occur." + annotation: "\u2022\tWith knowledge of the information/data flows within a system\ + \ and between systems, it is possible to determine where information can and\ + \ cannot go.\n\u2022\tConsider:\no\tEnforcing controls restricting connections\ + \ to only authorized interfaces.\no\tHeightening system monitoring activity\ + \ whenever there is an indication of increased risk to organization's critical\ + \ operations and assets.\no\tProtecting the system from information leakage\ + \ due to electromagnetic signals emanations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-4 + description: External information systems are catalogued + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: IMPORTANT_ID.AM-4.1 + description: The organization shall map, document, authorize and when changes + occur, update, all external services and the connections made with them. + annotation: "\u2022\tOutsourcing of systems, software platforms and applications\ + \ used within the organization is covered in ID.AM-1 & ID.AM-2\n\u2022\tExternal\ + \ information systems are systems or components of systems for which organizations\ + \ typically have no direct supervision and authority over the application\ + \ of security requirements and controls, or the determination of the effectiveness\ + \ of implemented controls on those systems i.e., services that are run in\ + \ cloud, SaaS, hosting or other external environments, API (Application Programming\ + \ Interface)\u2026\n\u2022\tMapping external services and the connections\ + \ made to them and authorizing them in advance avoids wasting unnecessary\ + \ resources investigating a supposedly non-authenticated connection to external\ + \ systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: ID.AM-4.2 + description: The flow of information to/from external systems shall be mapped, + documented, authorized, and update when changes occur. + annotation: Consider requiring external service providers to identify and document + the functions, ports, protocols, and services necessary for the connection + services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-5 + description: 'Resources (e.g., hardware, devices, data, time, personnel, and + software) are prioritized based on their classification, criticality, and + business value ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + ref_id: BASIC_ID.AM-5.1 + description: "The organization\u2019s resources (hardware, devices, data, time,\ + \ personnel, information, and software) shall be prioritized based on their\ + \ classification, criticality, and business value." + annotation: "\u2022\tDetermine organization\u2019s resources (e.g., hardware,\ + \ devices, data, time, personnel, information, and software):\no\tWhat would\ + \ happen to my business if these resources were made public, damaged, lost\u2026\ + ?\no\tWhat would happen to my business when the integrity of resources is\ + \ no longer guaranteed?\no\tWhat would happen to my business if I/my customers\ + \ couldn\u2019t access these resources? And rank these resources based on\ + \ their classification, criticality, and business value.\n\u2022\tResources\ + \ should include enterprise assets. \u2022\tCreate a classification for sensitive\ + \ information by first determining categories, e.g.\no\tPublic - freely accessible\ + \ to all, even externally\no\tInternal - accessible only to members of your\ + \ organization\no\tConfidential - accessible only to those whose duties require\ + \ access.\n\u2022\tCommunicate these categories and identify what types of\ + \ data fall into these categories (HR data, financial data, legal data, personal\ + \ data, etc.).\n\u2022\tConsider the use of the Traffic Light Protocol (TLP).\n\ + \u2022\tData classification should apply to the three aspects: C-I-A. 
Consider\ + \ implementing an automated tool, such as a host-based Data Loss Prevention\ + \ (DLP) tool to identify all sensitive data stored, processed, or transmitted\ + \ through enterprise assets, including those located onsite or at a remote\ + \ service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-6 + description: Cybersecurity roles, responsibilities, and authorities for the + entire workforce and third-party stakeholders are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: IMPORTANT_ID.AM-6.1 + description: Information security and cybersecurity roles, responsibilities + and authorities within the organization shall be documented, reviewed, authorized, + and updated and alignment with organization-internal roles and external partners. Key + Measure + annotation: "It should be considered to:\n\u2022\tDescribe security roles, responsibilities,\ + \ and authorities: who in your organization should be consulted, informed,\ + \ and held accountable for all or part of your assets.\n\u2022\tProvide security\ + \ roles, responsibilities, and authority for all key functions in information/cyber\ + \ security (legal, detection activities\u2026).\n\u2022\tInclude information/cybersecurity\ + \ roles and responsibilities for third-party providers (e.g., suppliers, customers,\ + \ partners) with physical or logical access to the organization\u2019s ICT/OT\ + \ environment." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: ID.AM-6.2 + description: The organization shall appoint an information security officer. 
+ annotation: The information security officer should be responsible for monitoring + the implementation of the organization's information/cyber security strategy + and safeguards. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.BE + name: Business Environment + description: "The organization\u2019s mission, objectives, stakeholders, and\ + \ activities are understood and prioritized; this information is used to inform\ + \ cybersecurity roles, responsibilities, and risk management decisions." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-1 + description: "The organization\u2019s role in the supply chain is identified\ + \ and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: IMPORTANT_ID.BE-1.1 + description: "The organization\u2019s role in the supply chain shall be identified,\ + \ documented, and communicated. " + annotation: "\u2022\tThe organisation should be able to clearly identify who\ + \ is upstream and downstream of the organisation and which suppliers provide\ + \ services, capabilities, products and items to the organisation.\n\u2022\t\ + The organisation should communicate its position to its upstream and downstream\ + \ so that it is understood where they sit in terms of critical importance\ + \ to the organisation's operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: ID.BE-1.2 + description: The organization shall protect its ICT/OT environment from supply + chain threats by applying security safeguards as part of a documented comprehensive + security strategy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-2 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector is identified and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + ref_id: IMPORTANT_ID.BE-2.1 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector shall be identified and communicated." + annotation: The organisation covered by NIS legislation has a responsibility + to know the other organisations in the same sector in order to work with them + to achieve the objectives set by NIS for that particular sector. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-3 + description: Priorities for organizational mission, objectives, and activities + are established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + ref_id: IMPORTANT_ID.BE-3.1 + description: Priorities for organizational mission, objectives, and activities + are established and communicated. 
+ annotation: Information protection needs should be determined, and the related + processes revised as necessary. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-4 + description: Dependencies and critical functions for delivery of critical services + are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + ref_id: IMPORTANT_ID.BE-4.1 + description: Dependencies and mission-critical functions for the delivery of + critical services shall be identified, documented, and prioritized according + to their criticality as part of the risk assessment process. + annotation: Dependencies and business critical functions should include support + services. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-5 + description: Resilience requirements to support delivery of critical services + are established for all operating states (e.g. under duress/attack, during + recovery, normal operations) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: IMPORTANT_ID.BE-5.1 + description: To support cyber resilience and secure the delivery of critical + services, the necessary requirements are identified, documented and their + implementation tested and approved. + annotation: "\u2022\tConsider implementing resiliency mechanisms to support\ + \ normal and adverse operational situations (e.g., failsafe, load balancing,\ + \ hot swap).\n\u2022\tConsider aspects of business continuity management in\ + \ e.g. 
Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business\ + \ Continuity Plan (BCP)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.2 + description: Information processing & supporting facilities shall implement + redundancy to meet availability requirements, as defined by the organization + and/or regulatory frameworks. + annotation: "\u2022\tConsider provisioning adequate data and network redundancy\ + \ (e.g. redundant network devices, servers with load balancing, raid arrays,\ + \ backup services, 2 separate datacentres, fail-over network connections,\ + \ 2 ISP's\u2026).\n\u2022\tConsider protecting critical equipment/services\ + \ from power outages and other failures due to utility interruptions (e.g.\ + \ UPS & NO-break, frequent test, service contracts that include regular maintenance,\ + \ redundant power cabling, 2 different power service providers...)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.3 + description: Recovery time and recovery point objectives for the resumption + of essential ICT/OT system processes shall be defined. + annotation: "\u2022\tConsider applying the 3-2-1 back-up rule to improve RPO\ + \ and RTO (maintain at least 3 copies of your data, keep 2 of them at separate\ + \ locations and one copy should be stored at an off-site location).\n\u2022\ + \tConsider implementing mechanisms such as hot swap, load balancing and failsafe\ + \ to increase resilience." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.GV + name: Governance + description: "The policies, procedures, and processes to manage and monitor\ + \ the organization\u2019s regulatory, legal, risk, environmental, and operational\ + \ requirements are understood and inform the management of cybersecurity risk." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-1 + description: Organizational cybersecurity policy is established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: BASIC_ID.GV-1.1 + description: Policies and procedures for information security and cyber security + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: "\u2022\tPolicies and procedures used to identify acceptable practices\ + \ and expectations for business operations, can be used to train new employees\ + \ on your information security expectations, and can aid an investigation\ + \ in case of an incident. These policies and procedures should be readily\ + \ accessible to employees.\n\u2022\tPolicies and procedures for information-\ + \ and cybersecurity should clearly describe your expectations for protecting\ + \ the organization\u2019s information and systems, and how management expects\ + \ the company\u2019s resources to be used and protected by all employees.\n\ + \u2022\tPolicies and procedures should be reviewed and updated at least annually\ + \ and every time there are changes in the organization or technology. Whenever\ + \ the policies are changed, employees should be made aware of the changes." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: IMPORTANT_ID.GV-1.2 + description: An organization-wide information security and cybersecurity policy + shall be established, documented, updated when changes occur, disseminated, + and approved by senior management. + annotation: "The policy should include, for example:\n\u2022\tThe identification\ + \ and assignment of roles, responsibilities, management commitment, coordination\ + \ among organizational entities, and compliance. Guidance on role profiles\ + \ along with their identified titles, missions, tasks, skills, knowledge,\ + \ competences is available in the \"European Cybersecurity Skills Framework\ + \ Role Profiles\" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles)\n\ + \u2022\tThe coordination among organizational entities responsible for the\ + \ different aspects of security (i.e., technical, physical, personnel, cyber-physical,\ + \ information, access control, media protection, vulnerability management,\ + \ maintenance, monitoring)\n\u2022\tThe coverage of the full life cycle of\ + \ the ICT/OT systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-3 + description: Legal and regulatory requirements regarding cybersecurity, including + privacy and civil liberties obligations, are understood and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: BASIC_ID.GV-3.1 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be understood and implemented. 
+ annotation: There are no additional guidelines. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: IMPORTANT_ID.GV-3.2 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be managed. + annotation: "\u2022\tThere should be regular reviews to ensure the continuous\ + \ compliance with legal and regulatory requirements regarding information/cybersecurity,\ + \ including privacy obligations.\n\u2022\tThis requirement also applies to\ + \ contractors and service providers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-4 + description: Governance and risk management processes address cybersecurity + risks + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: BASIC_ID.GV-4.1 + description: As part of the company's overall risk management, a comprehensive + strategy to manage information security and cybersecurity risks shall be developed + and updated when changes occur. + annotation: This strategy should include determining and allocating the required + resources to protect the organisation's business-critical assets. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: IMPORTANT_ID.GV-4.2 + description: "Information security and cybersecurity risks shall be documented,\ + \ formally approved, and updated when changes occur.\t" + annotation: Consider using Risk Management tools. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RA + name: Risk Assessment + description: The organization understands the cybersecurity risk to organizational + operations (including mission, functions, image, or reputation), organizational + assets, and individuals. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-1 + description: Asset vulnerabilities are identified and documented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: BASIC_ID.RA-1.1 + description: Threats and vulnerabilities shall be identified. + annotation: "\u2022\tA vulnerability refers to a weakness in the organization\u2019\ + s hardware, software, or procedures. It is a gap through which a bad actor\ + \ can gain access to the organization\u2019s assets. A vulnerability exposes\ + \ an organization to threats.\n\u2022\tA threat is a malicious or negative\ + \ event that takes advantage of a vulnerability. \n\u2022\tThe risk is the\ + \ potential for loss and damage when the threat does occur." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: IMPORTANT_ID.RA-1.2 + description: A process shall be established to monitor, identify, and document + vulnerabilities of the organisation's business critical systems in a continuous + manner. + annotation: "\u2022\tWhere safe and feasible, the use of vulnerability scanning\ + \ should be considered.\n\u2022\tThe organization should establish and maintain\ + \ a testing program appropriate to its size, complexity, and maturity." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: ID.RA-1.3 + description: "To ensure that organization's operations are not adversely impacted\ + \ by the testing process, performance/load testing and penetration testing\ + \ on the organization\u2019s systems shall be conducted with care." + annotation: Consider validating security measures after each penetration test. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-2 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: IMPORTANT_ID.RA-2.1 + description: ' A threat and vulnerability awareness program that includes a + cross-organization information-sharing capability shall be implemented. ' + annotation: A threat and vulnerability awareness program should include ongoing + contact with security groups and associations to receive security alerts and + advisories. (Security groups and associations include, for example, special + interest groups, forums, professional associations, news groups, and/or peer + groups of security professionals in similar organizations).This contact can + include the sharing of information about potential vulnerabilities and incidents. + This sharing capability should have an unclassified and classified information + sharing capability. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: ID.RA-2.2 + description: It shall be identified where automated mechanisms can be implemented + to make security alert and advisory information available to relevant organization + stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-5 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + determine risk + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: BASIC_ID.RA-5.1 + description: The organization shall conduct risk assessments in which risk is + determined by threats, vulnerabilities and impact on business processes and + assets. + annotation: "\u2022\tKeep in mind that threats exploit vulnerabilities.\n\u2022\ + \tIdentify the consequences that losses of confidentiality, integrity and\ + \ availability may have on the assets and related business processes." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: IMPORTANT_ID.RA-5.2 + description: The organization shall conduct and document risk assessments in + which risk is determined by threats, vulnerabilities, impact on business processes + and assets, and the likelihood of their occurrence. + annotation: "\u2022\tRisk assessment should include threats from insiders and\ + \ external parties.\n\u2022\tQualitative and/or quantitative risk analysis\ + \ methods \n(MAPGOOD, ISO27005, CIS RAM, \u2026) can be used together with\ + \ software tooling." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: ID.RA-5.3 + description: Risk assessment results shall be disseminated to relevant stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-6 + description: Risk responses are identified and prioritized + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + ref_id: IMPORTANT_ID.RA-6.1 + description: "A comprehensive strategy shall be developed and implemented to\ + \ manage risks to the organization\u2019s critical systems, that includes\ + \ the identification and prioritization of risk responses." + annotation: "\u2022\tManagement and employees should be involved in information-\ + \ and cybersecurity.\n\u2022\tIt should be identified what the most important\ + \ assets are, and how they are protected.\n\u2022\tIt should be clear what\ + \ impact will be if these assets are compromised.\n\u2022\tIt should be established\ + \ how the implementation of adequate mitigation measures will be organized." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RM + name: Risk Management Strategy + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support operational risk decisions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-1 + description: Risk management processes are established, managed, and agreed + to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + ref_id: IMPORTANT_ID.RM-1.1 + description: A cyber risk management process that identifies key internal and + external stakeholders and facilitates addressing risk-related issues and information + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: 'External stakeholders include customers, investors and shareholders, + suppliers, government agencies and the wider community. ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-2 + description: Organizational risk tolerance is determined and clearly expressed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + ref_id: IMPORTANT_ID.RM-2.1 + description: "The organization shall clearly determine it\u2019s risk appetite." + annotation: Determination and expression of risk tolerance (risk appetite) should + be in line with the policies on information security and cybersecurity, to + facilitate demonstration of coherence between policies, risk tolerance and + measures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-3 + description: "The organization\u2019s determination of risk tolerance is informed\ + \ by its role in critical infrastructure and sector specific risk analysis" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + ref_id: IMPORTANT_ID.RM-3.1 + description: "The organization\u2019s role in critical infrastructure and its\ + \ sector shall determine the organization\u2019s risk appetite." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.SC + name: Supply Chain Risk Management + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support risk decisions associated\ + \ with managing supply chain risk. The organization has established and implemented\ + \ the processes to identify, assess and manage supply chain risks." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-1 + description: Cyber supply chain risk management processes are identified, established, + assessed, managed, and agreed to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + ref_id: ID.SC-1.1 + description: The organization shall document, review, approve, update when changes + occur, and implement a cyber supply chain risk management process that supports + the identification, assessment, and mitigation of the risks associated with + the distributed and interconnected nature of ICT/OT product and service supply + chains. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-2 + description: 'Suppliers and third party partners of information systems, components, + and services are identified, prioritized, and assessed using a cyber supply + chain risk assessment process ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: IMPORTANT_ID.SC-2.1 + description: "The organization shall conduct cyber supply chain risk assessments\ + \ at least annually or when a change to the organization\u2019s critical systems,\ + \ operational environment, or supply chain occurs; These assessments shall\ + \ be documented, and the results disseminated to relevant stakeholders including\ + \ those responsible for ICT/OT systems." 
+ annotation: This assessment should identify and prioritize potential negative + impacts to the organization from the risks associated with the distributed + and interconnected nature of ICT/OT product and service supply chains. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: ID.SC-2.2 + description: "A documented list of all the organization\u2019s suppliers, vendors\ + \ and partners who may be involved in a major incident shall be established,\ + \ kept up-to-date and made available online and offline." + annotation: This list should include suppliers, vendors and partners contact + information and the services they provide, so they can be contacted for assistance + in the event of an outage or service degradation. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-3 + description: "Contracts with suppliers and third-party partners are used to\ + \ implement appropriate measures designed to meet the objectives of an organization\u2019\ + s cybersecurity program and Cyber Supply Chain Risk Management Plan." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: IMPORTANT_ID.SC-3.1 + description: Based on the results of the cyber supply chain risk assessment, + a contractual framework for suppliers and external partners shall be established + to address sharing of sensitive information and distributed and interconnected + ICT/OT products and services. 
+ annotation: "\u2022\tEntities not subject to the NIS legislation should consider\ + \ business critical suppliers and third-party partners only.\n\u2022\tKeep\ + \ in mind that GDPR requirements need to be fulfilled when business information\ + \ contains personal data (applicable on all levels), i.e. security measures\ + \ need to be addressed in the contractual framework." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.2 + description: "Contractual information security and cybersecurity\u2019 requirements\ + \ for suppliers and third-party partners shall be implemented to ensure a\ + \ verifiable flaw remediation process, and to ensure the correction of flaws\ + \ identified during \u2018information security and cybersecurity\u2019 testing\ + \ and evaluation." + annotation: "\u2022\tInformation systems containing software (or firmware) affected\ + \ by recently announced software flaws (and potential vulnerabilities resulting\ + \ from those flaws) should be identified.\n\u2022\tNewly released security\ + \ relevant patches, service packs, and hot fixes should be installed, and\ + \ these patches, service packs, and hot fixes are tested for effectiveness\ + \ and potential side effects on the organization\u2019s information systems\ + \ before installation. Flaws discovered during security assessments, continuous\ + \ monitoring, incident response activities, or information system error handling\ + \ are also addressed expeditiously. Flaw remediation should be incorporated\ + \ into configuration management as an emergency change." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.3 + description: "The organization shall establish contractual requirements permitting\ + \ the organization to review the \u2018information security and cybersecurity\u2019\ + \ programs implemented by suppliers and third-party partners." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-4 + description: Suppliers and third-party partners are routinely assessed using + audits, test results, or other forms of evaluations to confirm they are meeting + their contractual obligations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: IMPORTANT_ID.SC-4.1 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing audits, test results, and other evaluations." + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: ID.SC-4.2 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing third-party independent audits, test results, and other evaluations." + annotation: The depth of the review should depend on the criticality of delivered + products and services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-5 + description: Response and recovery planning and testing are conducted with suppliers + and third-party providers + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: IMPORTANT_ID.SC-5.1 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in response + and recovery planning activities. + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: ID.SC-5.2 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in testing + and execution of the response and recovery plans. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT (PR) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AC + name: Identity Management, Authentication and Access Control + description: Access to physical and logical assets and associated facilities + is limited to authorized users, processes, and devices, and is managed consistent + with the assessed risk of unauthorized access to authorized activities and + transactions. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-1 + description: Identities and credentials are issued, managed, verified, revoked, + and audited for authorized devices, users and processes + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: BASIC_PR.AC-1.1 + description: 'Identities and credentials for authorized devices and users shall + be managed.' + annotation: "Identities and credentials for authorized devices and users could\ + \ be managed through a password policy. A password policy is a set of rules\ + \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\ + (Not limitative list and measures to be considered as appropriate)\n\u2022\ + \tChange all default passwords.\n\u2022\tEnsure that no one works with administrator\ + \ privileges for daily tasks.\n\u2022\tKeep a limited and updated list of\ + \ system administrator accounts.\n\u2022\tEnforce password rules, e.g. passwords\ + \ must be longer than a state-of-the-art number of characters with a combination\ + \ of character types and changed periodically or when there is any suspicion\ + \ of compromise.\n\u2022\tUse only individual accounts and never share passwords.\n\ + \u2022\tImmediately disable unused accounts\n\u2022\tRights and privileges\ + \ are managed by user groups." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: IMPORTANT_PR.AC-1.2 + description: Identities and credentials for authorized devices and users shall + be managed, where feasible through automated mechanisms. 
+ annotation: "\u2022\tAutomated mechanisms can help to support the management\ + \ and auditing of information system credentials.\n\u2022\tConsider strong\ + \ user authentication, meaning an authentication based on the use of at least\ + \ two authentication factors from different categories of either knowledge\ + \ (something only the user knows), possession (something only the user possesses)\ + \ or inherence (something the user is) that are independent, in that the breach\ + \ of one does not compromise the reliability of the others, and is designed\ + \ in such a way to protect the confidentiality of the authentication data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.3 + description: System credentials shall be deactivated after a specified period + of inactivity unless it would compromise the safe operation of (critical) + processes. + annotation: "\u2022\tTo guarantee the safe operation, service accounts should\ + \ be used for running processes and services.\n\u2022\tConsider the use of\ + \ a formal access procedure for external parties." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.4 + description: "For transactions within the organization's critical systems, the\ + \ organization shall implement:\n\u2022\tmulti-factor end-user authentication\ + \ (MFA or \"strong authentication\").\n\u2022\tcertificate-based authentication\ + \ for system-to-system communications" + annotation: Consider the use of SSO (Single Sign On) in combination with MFA + for the organization's internal and external critical systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.5 + description: "The organization\u2019s critical systems shall be monitored for\ + \ atypical use of system credentials. Credentials associated with significant\ + \ risk shall be disabled." + annotation: "\u2022\tConsider limiting the number of failed login attempts by\ + \ implementing automatic lockout.\n\u2022\tThe locked account won\u2019t be\ + \ accessible until it has been reset or the account lockout duration elapses." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-2 + description: Physical access to assets is managed and protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: BASIC_PR.AC-2.1 + description: Physical access to the facility, servers and network components + shall be managed. + annotation: "\u2022\tConsider to strictly manage keys to access the premises\ + \ and alarm codes. The following rules should be considered:\no\tAlways retrieve\ + \ an employee's keys or badges when they leave the company permanently.\n\ + o\tChange company alarm codes frequently.\no\tNever give keys or alarm codes\ + \ to external service providers (cleaning agents, etc.), unless it is possible\ + \ to trace these accesses and restrict them technically to given time slots.\n\ + \u2022\tConsider to not leaving internal network access outlets accessible\ + \ in public areas. These public places can be waiting rooms, corridors..." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: IMPORTANT_PR.AC-2.2 + description: The management of physical access shall include measures related + to access in emergency situations. + annotation: "\u2022\tPhysical access controls may include, for example: lists\ + \ of authorized individuals, identity credentials, escort requirements, guards,\ + \ fences, turnstiles, locks, monitoring of facility access, camera surveillance.\n\ + \u2022\tThe following measures should be considered:\no\tImplement a badge\ + \ system and create different security zones.\no\tLimit physical access to\ + \ servers and network components to authorized personnel.\no\tLog all access\ + \ to servers and network components.\n\u2022\tVisitor access records should\ + \ be maintained, reviewed and acted upon as required." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.3 + description: Physical access to critical zones shall be controlled in addition + to the physical access to the facility. + annotation: "E.g. production, R&D, organization\u2019s critical systems equipment\ + \ (server rooms\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.4 + description: 'Assets related to critical zones shall be physically protected. ' + annotation: "\u2022\tConsider protecting power equipment, power cabling, network\ + \ cabling, and network access interfaces from accidental damage, disruption,\ + \ and physical tampering.\n\u2022\tConsider implementing redundant and physically\ + \ separated power systems for organization\u2019s critical operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-3 + description: Remote access is managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.1 + description: The organisation's wireless access points shall be secured. + annotation: "Consider the following when wireless networking is used:\n\u2022\ + \tChange the administrative password upon installation of a wireless access\ + \ points.\n\u2022\tSet the wireless access point so that it does not broadcast\ + \ its Service Set Identifier (SSID).\n\u2022\tSet your router to use at least\ + \ WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced\ + \ Encryption Standard (AES) for encryption.\n\u2022\tEnsure that wireless\ + \ internet access to customers is separated from your business network.\n\u2022\ + \tConnecting to unknown or unsecured / guest wireless access points, should\ + \ be avoided, and if unavoidable done through an encrypted virtual private\ + \ network (VPN) capability.\n\u2022\tManage all endpoint devices (fixed and\ + \ mobile) according to the organization's security policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.2 + description: The organization's networks when accessed remotely shall be secured, + including through multi-factor authentication (MFA). + annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, + remote desktop, and Virtual Private Network (VPNs). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: IMPORTANT_PR.AC-3.3 + description: "Usage restrictions, connection requirements, implementation guidance,\ + \ and authorizations for remote access to the organization\u2019s critical\ + \ systems environment shall be identified, documented and implemented. " + annotation: "Consider the following:\n\u2022\tRemote access methods include,\ + \ for example, wireless, broadband, Virtual Private Network (VPN) connections,\ + \ mobile device connections, and communications through external networks.\n\ + \u2022\tLogin credentials should be in line with company's user authentication\ + \ policies.\n\u2022\tRemote access for support activities or maintenance of\ + \ organizational assets should be approved, logged, and performed in a manner\ + \ that prevents unauthorized access.\n\u2022\tThe user should be made aware\ + \ of any remote connection to its device by a visual indication." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.4 + description: "Remote access to the organization\u2019s critical systems shall\ + \ be monitored and cryptographic mechanisms shall be implemented where determined\ + \ necessary." + annotation: This should include that only authorized use of privileged functions + from remote access is allowed. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.5 + description: The security for connections with external systems shall be verified + and framed by documented agreements. + annotation: Access from pre-defined IP addresses could be considered. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-4 + description: Access permissions and authorizations are managed, incorporating + the principles of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.1 + description: "Access permissions for users to the organization\u2019s systems\ + \ shall be defined and managed." + annotation: "The following should be considered:\n\u2022\tDraw up and review\ + \ regularly access lists per system (files, servers, software, databases,\ + \ etc.), possibly through analysis of the Active Directory in Windows-based\ + \ systems, with the objective of determining who needs what kind of access\ + \ (privileged or not), to what, to perform their duties in the organization.\n\ + \u2022\tSet up a separate account for each user (including any contractors\ + \ needing access) and require that strong, unique passwords be used for each\ + \ account.\n\u2022\tEnsure that all employees use computer accounts without\ + \ administrative privileges to perform typical work functions. This includes\ + \ separation of personal and admin accounts.\n\u2022\tFor guest accounts,\ + \ consider using the minimal privileges (e.g. internet access only) as required\ + \ for your business needs.\n\u2022\tPermission management should be documented\ + \ in a procedure and updated when appropriate.\n\u2022\tUse 'Single Sign On'\ + \ (SSO) when appropriate." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.2 + description: It shall be identified who should have access to the organization's + business's critical information and technology and the means to get access. + annotation: 'Means to get access may include: a key, password, code, or administrative + privilege.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.3 + description: 'Employee access to data and information shall be limited to the + systems and specific information they need to do their jobs (the principle + of Least Privilege).' + annotation: "The principle of Least Privilege should be understood as the principle\ + \ that a security architecture should be designed so that each employee is\ + \ granted the minimum system resources and authorizations that the employee\ + \ needs to perform its function. Consider to:\n\u2022\tNot allow any employee\ + \ to have access to all the business\u2019s information.\n\u2022\tLimit the\ + \ number of Internet accesses and interconnections with partner networks to\ + \ the strict necessary to be able to centralize and homogenize the monitoring\ + \ of exchanges more easily.\n\u2022\tEnsure that when an employee leaves the\ + \ business, all access to the business\u2019s information or systems is blocked\ + \ instantly." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.4 + description: 'Nobody shall have administrator privileges for daily tasks.' 
+ annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\ + \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\ + \ administration tasks.\n\u2022\tCreate unique local administrator passwords\ + \ and disable unused accounts.\n\u2022\tConsider prohibiting Internet browsing\ + \ from administrative accounts." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.5 + description: Where feasible, automated mechanisms shall be implemented to support + the management of user accounts on the organisation's critical systems, including + disabling, monitoring, reporting and deleting user accounts. + annotation: Consider separately identifying each person with access to the organization's + critical systems with a username to remove generic and anonymous accounts + and access. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.6 + description: Separation of duties (SoD) shall be ensured in the management of + access rights. + annotation: "Separation of duties includes, for example:\n\u2022\tdividing operational\ + \ functions and system support functions among different roles.\n\u2022\t\ + conducting system support functions with different individuals.\n\u2022\t\ + not allow a single individual to both initiate and approve a transaction (financial\ + \ or otherwise).\n\u2022\tensuring that security personnel administering access\ + \ control functions do not also administer audit functions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.7 + description: Priviliged users shall be managed and monitored. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.8 + description: Account usage restrictions for specific time periods and locations + shall be taken into account in the organization's security access policy and + applied accordingly. + annotation: Specific restrictions can include, for example, restricting usage + to certain days of the week, time of day, or specific durations of time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.9 + description: Priviliged users shall be managed, monitored and audited. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-5 + description: Network integrity is protected (e.g., network segregation, network + segmentation) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.1 + description: Firewalls shall be installed and activated on all the organization's + networks. + annotation: "Consider the following:\n\u2022\tInstall and operate a firewall\ + \ between your internal network and the Internet. 
This may be a function of\ + \ a (wireless) access point/router, or it may be a function of a router provided\ + \ by the Internet Service Provider (ISP).\n\u2022\tEnsure there is antivirus\ + \ software installed on purchased firewall solutions and ensure that the administrator\u2019\ + s log-in and administrative password is changed upon installation and regularly\ + \ thereafter.\n\u2022\tInstall, use, and update a software firewall on each\ + \ computer system (including smart phones and other networked devices).\n\u2022\ + \tHave firewalls on each of your computers and networks even if you use a\ + \ cloud service provider or a virtual private network (VPN). Ensure that for\ + \ telework home network and systems have hardware and software firewalls installed,\ + \ operational, and regularly updated.\n\u2022\tConsider installing an Intrusion\ + \ Detection / Prevention System (IDPS). These devices analyze network traffic\ + \ at a more detailed level and can provide a greater level of protection." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.2 + description: Where appropriate, network integrity of the organization's critical + systems shall be protected by incorporating network segmentation and segregation. + annotation: "\u2022\tConsider creating different security zones in the network\ + \ (e.g. Basic network segmentation through VLAN\u2019s or other network access\ + \ control mechanisms) and control/monitor the traffic between these zones.\n\ + \u2022\tWhen the network is \"flat\", the compromise of a vital network component\ + \ can lead to the compromise of the entire network." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.3 + description: 'Where appropriate, network integrity of the organization''s critical + systems shall be protected by + (1) Identifying, documenting, and controlling connections between system components. + (2) Limiting external connections to the organization''s critical systems.' + annotation: Boundary protection mechanisms include, for example, routers, gateways, + unidirectional gateways, data diodes, and firewalls separating system components + into logically separate networks or subnetworks. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.4 + description: 'The organization shall monitor and control connections and communications + at the external boundary and at key internal boundaries within the organization''s + critical systems by implementing boundary protection devices where appropriate. ' + annotation: "Consider implementing the following recommendations:\n\u2022\t\ + Separate your public WIFI network from your business network.\n\u2022\tProtect\ + \ your business WIFI with state-of-the-art encryption.\n\u2022\tImplement\ + \ a Network Access Control (NAC) solution.\n\u2022\tEncrypt connections to\ + \ your corporate network.\n\u2022\tDivide your network according to security\ + \ levels and apply firewall rules. Isolate your networks for server administration.\n\ + \u2022\tForce VPN on public networks.\n\u2022\tImplement a closed policy for\ + \ security gateways (deny all policy: only allow/open connections that have\ + \ been explicitly pre-authorized)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.5 + description: The organization shall implement, where feasible, authenticated + proxy servers for defined communications traffic between the organization's + critical systems and external networks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.6 + description: The organization shall ensure that the organization's critical + systems fail safely when a border protection device fails operationally. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-6 + description: Identities are proofed and bound to credentials and asserted in + interactions + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: IMPORTANT_PR.AC-6.1 + description: The organization shall implement documented procedures for verifying + the identity of individuals before issuing credentials that provide access + to organization's systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: PR.AC-6.2 + description: The organization shall ensure the use of unique credentials bound + to each verified user, device, and process interacting with the organization's + critical systems; make sure that they are authenticated, and that the unique + identifiers are captured when performing system interactions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-7 + description: "Users, devices, and other assets are authenticated (e.g., single-factor,\ + \ multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019\ + \ security and privacy risks and other organizational risks)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + ref_id: IMPORTANT_PR.AC-7.1 + description: "The organization shall perform a documented risk assessment on\ + \ organization's critical system transactions and authenticate users, devices,\ + \ and other assets (e.g., single-factor, multi-factor) commensurate with the\ + \ risk of the transaction (e.g., individuals\u2019 security and privacy risks\ + \ and other organizational risks)." + annotation: Consider a security-by-design approach for new systems; For existing + systems a separate risk assessment should be used. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AT + name: Awareness and Training + description: "The organization\u2019s personnel and partners are provided cybersecurity\ + \ awareness education and are trained to perform their cybersecurity-related\ + \ duties and responsibilities consistent with related policies, procedures,\ + \ and agreements." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-1 + description: 'All users are informed and trained ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.at-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: BASIC_PR.AT-1.1 + description: Employees shall be trained as appropriate. + annotation: "\u2022\tEmployees include all users and managers of the ICT/OT\ + \ systems, and they should be trained immediately when hired and regularly\ + \ thereafter about the company\u2019s information security policies and what\ + \ they will be expected to do to protect company\u2019s business information\ + \ and technology.\n\u2022\tTraining should be continually updated and reinforced\ + \ by awareness campaigns." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: IMPORTANT_PR.AT-1.2 + description: The organization shall incorporate insider threat recognition and + reporting into security awareness training. 
+ annotation: "Consider to:\n\u2022\tCommunicate and discuss regularly to ensure\ + \ that everyone is aware of their responsibilities.\n\u2022\tDevelop an outreach\ + \ program by gathering in a document the messages you want to convey to your\ + \ staff (topics, audiences, objectives, etc.) and your communication rhythm\ + \ on a calendar (weekly, monthly, one-time, etc.). Communicate continuously\ + \ and in an engaging way, involving management, IT colleagues, the ICT service\ + \ provider and HR and Communication managers.\n\u2022\tCover topics such as:\ + \ recognition of fraud attempts, phishing, management of sensitive information,\ + \ incidents, etc. The goal is for all employees to understand ways to protect\ + \ company information.\n\u2022\tDiscuss with your management, your ICT colleagues,\ + \ or your ICT service provider some practice scenarios (e.g. what to do if\ + \ a virus alert is triggered, if a storm cuts off the power, if data is blocked,\ + \ if an account is hacked, etc.), determine what behaviours to adopt, document\ + \ and communicate them to all your staff. The central point of contact in\ + \ the event of an incident should be known to all.\n\u2022\tOrganize a simulation\ + \ of a scenario to test your knowledge. Consider performing the exercise for\ + \ example at least once a year." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: PR.AT-1.3 + description: The organization shall implement an evaluation method to measure + the effectiveness of the awareness trainings. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-2 + description: 'Privileged users understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + ref_id: IMPORTANT_PR.AT-2.1 + description: Privileged users shall be qualified before privileges are granted, + and these users shall be able to demonstrate the understanding of their roles, + responsibilities, and authorities. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-3 + description: 'Third-party stakeholders (e.g., suppliers, customers, partners) + understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.1 + description: "The organization shall establish and enforce security requirements\ + \ for business-critical third-party providers and users.\t" + annotation: "Enforcement should include that \u2018third party stakeholder\u2019\ + -users (e.g. suppliers, customers, partners) can demonstrate the understanding\ + \ of their roles and responsibilities." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.2 + description: "Third-party providers shall be required to notify any personnel\ + \ transfers, termination, or transition involving personnel with physical\ + \ or logical access to organization's business critical system's components.\t" + annotation: Third-party providers include, for example, service providers, contractors, + and other organizations providing system development, technology services, + outsourced applications, or network and security management. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.3 + description: The organization shall monitor business critical service providers + and users for security compliance. + annotation: Third party audit results can be used as audit evidence. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: PR.AT-3.4 + description: The organization shall audit business-critical external service + providers for security compliance. + annotation: Third party audit results can be used as audit evidence. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-4 + description: 'Senior executives understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + ref_id: IMPORTANT_PR.AT-4.1 + description: Senior executives shall demonstrate the understanding of their + roles, responsibilities, and authorities. + annotation: Guidance on role profiles along with their identified titles, missions, + tasks, skills, knowledge, competences is available in the "European Cybersecurity + Skills Framework Role Profiles" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles + ) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-5 + description: 'Physical and cybersecurity personnel understand their roles and + responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + ref_id: IMPORTANT_PR.AT-5.1 + description: The organization shall ensure that personnel responsible for the + physical protection and security of the organization's critical systems and + facilities are qualified through training before privileges are granted, and + that they understand their responsibilities. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.DS + name: Data Security + description: "Information and records (data) are managed consistent with the\ + \ organization\u2019s risk strategy to protect the confidentiality, integrity,\ + \ and availability of information." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-1 + description: Data-at-rest is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + ref_id: PR.DS-1.1 + description: "The organization shall protect its critical system information\ + \ determined to be critical/ sensitive while at rest.\t" + annotation: "\u2022\tConsider using encryption techniques for data storage,\ + \ data transmission or data transport (e.g., laptop, USB).\n\u2022\tConsider\ + \ encrypting end-user devices and removable media containing sensitive data\ + \ (e.g. hard disks, laptops, mobile device, USB storage devices, \u2026).\ + \ This could be done by e.g. Windows BitLocker\xAE, VeraCrypt, Apple FileVault\xAE\ + , Linux\xAE dm-crypt,\u2026\n\u2022\tConsider encrypting sensitive data stored\ + \ in the cloud. The below measures should be considered:\n\u2022\tImplement\ + \ dedicated safeguards to prevent unauthorized access, distortion, or modification\ + \ of system data and audit records (e.g. restricted access rights, daily backups,\ + \ data encryption, firewall installation).\n\u2022\tEncrypt hard drives, external\ + \ media, stored files, configuration files and data stored in the cloud." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-2 + description: Data-in-transit is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + ref_id: PR.DS-2.1 + description: The organization shall protect its critical system information + determined to be critical when in transit. + annotation: When the organization often sends sensitive documents or e-mails, + it is recommended to encrypt those documents and/or e-mails with appropriate, + supported, and authorized software tools. If you send sensitive documents + or emails, you may want to consider encrypting those documents and/or emails + with appropriate, supported, and authorized software tools. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-3 + description: Assets are formally managed throughout removal, transfers, and + disposition + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ds-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: BASIC_PR.DS-3.1 + description: Assets and media shall be disposed of safely. + annotation: "\u2022\tWhen eliminating tangible assets like business computers/laptops,\ + \ servers, hard drive(s) and other storage media (USB drives, paper\u2026\ + ), ensure that all sensitive business or personal data are securely deleted\ + \ (i.e. electronically \u201Cwiped\u201D) before they are removed and then\ + \ physically destroyed (or re-commissioned). 
This is also known as \u201C\ + sanitization\u201D and thus related to the requirement and guidance in PR.IP-6.\n\ + \u2022\tConsider installing a remote-wiping application on company laptops,\ + \ tablets, cell phones, and other mobile devices." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.2 + description: The organization shall enforce accountability for all its business-critical + assets throughout the system lifecycle, including removal, transfers, and + disposition. + annotation: "Accountability should include:\n\u2022\tThe authorization for business-critical\ + \ assets to enter and exit the facility.\n\u2022\tMonitoring and maintaining\ + \ documentation related to the movements of business-critical assets." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.3 + description: The organization shall ensure that the necessary measures are taken + to deal with loss, misuse, damage, or theft of assets. + annotation: "This can be done by policies, processes & procedures (reporting),\ + \ technical & organizational means (encryption, Access Control (AC), Mobile\ + \ Device Management (MDM), monitoring, secure wipe, awareness, signed user\ + \ agreement, guidelines & manuals, backups, inventory update \u2026)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: PR.DS-3.4 + description: The organization shall ensure that disposal actions are approved, + tracked, documented, and verified. 
+ annotation: Disposal actions include media sanitization actions (See PR.IP-6) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-4 + description: Adequate capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.1 + description: Capacity planning shall ensure adequate resources for organization's + critical system information processing, networking, telecommunications, and + data storage. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.2 + description: Audit data from the organization's critical systems shall be moved + to an alternative system. + annotation: Be aware that log services can become a bottleneck and hinder the + correct functioning of the source systems. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: PR.DS-4.3 + description: "The organization\u2019s critical systems shall be protected against\ + \ denial-of-service attacks or at least the effect of such attacks will be\ + \ limited." + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-5 + description: Protections against data leaks are implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + ref_id: IMPORTANT_PR.DS-5.1 + description: The organization shall take appropriate actions resulting in the + monitoring of its critical systems at external borders and critical internal + points when unauthorized access and activities, including data leakage, is + detected. + annotation: "\u2022\tConsider implementing dedicated protection measures (restricted\ + \ access rights, daily backups, data encryption, installation of firewalls,\ + \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\ + \ configuration of the central directory (Active Directory in Windows environment),\ + \ with specific focus on the access to data of key persons in the company." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-6 + description: Integrity checking mechanisms are used to verify software, firmware, + and information integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: IMPORTANT_PR.DS-6.1 + description: The organization shall implement software, firmware, and information + integrity checks to detect unauthorized changes to its critical system components + during storage, transport, start-up and when determined necessary. 
+ annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.2 + description: The organization shall implement automated tools where feasible + to provide notification upon discovering discrepancies during integrity verification. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.3 + description: The organization shall implement automatic response capability + with pre-defined security safeguards when integrity violations are discovered. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-7 + description: The development and testing environment(s) are separate from the + production environment + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + ref_id: PR.DS-7.1 + description: The development and test environment(s) shall be isolated from + the production environment. + annotation: "\u2022\tAny change one wants to make to the ICT/OT environment\ + \ should first be tested in an environment that is different and separate\ + \ from the production environment (operational environment) before that change\ + \ is effectively implemented . 
That way, the effect of those changes can be\ + \ analysed and adjustments can be made without disrupting operational activities.\n\ + \u2022\tConsider adding and testing cybersecurity features as early as during\ + \ development (secure development lifecycle principles). \u2022\tAny change\ + \ one wants to make to the ICT/OT environment should first be tested in an\ + \ environment that is different and separate from the production environment\ + \ (operational environment) before that change is effectively implemented\ + \ . That way, the effect of those changes can be analysed and adjustments\ + \ can be made without disrupting operational activities.\n\u2022\tConsider\ + \ adding and testing cybersecurity features as early as during development\ + \ (secure development lifecycle principles)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-8 + description: Integrity checking mechanisms are used to verify hardware integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.1 + description: The organization shall implement hardware integrity checks to detect + unauthorized tampering to its critical system's hardware. + annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.2 + description: The organization shall incorporate the detection of unauthorized + tampering to its critical system's hardware into the organization incident + response capability. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.IP + name: Information Protection Processes and Procedures + description: 'Security policies (that address purpose, scope, roles, responsibilities, + management commitment, and coordination among organizational entities), processes, + and procedures are maintained and used to manage protection of information + systems and assets.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-1 + description: A baseline configuration of information technology/industrial control + systems is created and maintained incorporating security principles (e.g. + concept of least functionality) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: IMPORTANT_PR.IP-1.1 + description: 'The organization shall develop, document, and maintain a baseline + configuration for the its business critical systems. 
' + annotation: "\u2022\tThis control includes the concept of least functionality.\n\ + \u2022\tBaseline configurations include for example, information about organization's\ + \ business critical systems, current version numbers and patch information\ + \ on operating systems and applications, configuration settings/parameters,\ + \ network topology, and the logical placement of those components within the\ + \ system architecture.\n\u2022\tNetwork topology should include the nerve\ + \ points of the IT/OT environment (external connections, servers hosting data\ + \ and/or sensitive functions, DNS services security, etc.)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: PR.IP-1.2 + description: The organization shall configure its business-critical systems + to provide only essential capabilities; Therefore the baseline configuration + shall be reviewed, and unnecessary capabilities disabled. + annotation: "\u2022\tConfiguration of a system to provide only organization-defined\ + \ mission essential capabilities is known as the \u201Cconcept of least functionality\u201D\ + .\n\u2022\tCapabilities include functions, ports, protocols, software, and/or\ + \ services." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-2 + description: A System Development Life Cycle to manage systems is implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: IMPORTANT_PR.IP-2.1 + description: The system and application development life cycle shall include + security considerations. 
+ annotation: "\u2022\tSystem and application development life cycle should include\ + \ the acquisition process of the organization's business critical systems\ + \ and its components.\n\u2022\tVulnerability awareness and prevention training\ + \ for (web application) developers, and advanced social engineering awareness\ + \ training for high-profile roles should be considered.\n\u2022\tWhen hosting\ + \ internet facing applications the implementation of a web application firewall\ + \ (WAF) should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: PR.IP-2.2 + description: The development process for critical systems and system components + shall cover the full design cycle and shall provide a description of the functional + properties of security controls, and design and implementation information + for security-relevant system interfaces. + annotation: "The development cycle includes:\n\u2022\tAll development phases:\ + \ specification , design, development, implementation.\n\u2022\tConfiguration\ + \ management for planned and unplanned changes and change control during the\ + \ development.\n\u2022\tFlaw tracking & resolution.\n\u2022\tSecurity testing." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-3 + description: Configuration change control processes are in place + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: IMPORTANT_PR.IP-3.1 + description: Changes shall be tested and validated before being implemented + into operational systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: PR.IP-3.2 + description: For planned changes to the organization's critical systems, a security + impact analysis shall be performed in a separate test environment before implementation + in an operational environment. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-4 + description: 'Backups of information are conducted, maintained, and tested ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: BASIC_PR.IP-4.1 + description: Backups for organization's business critical data shall be conducted + and stored on a system different from the device on which the original data + resides + annotation: "\u2022\tOrganization's business critical system's data includes\ + \ for example software, configurations and settings, documentation, system\ + \ configuration data including computer configuration backups, application\ + \ configuration backups, etc.\n\u2022\tConsider a regular backup and put it\ + \ offline periodically.\n\u2022\tRecovery time and recovery point objectives\ + \ should be considered.\n\u2022\tConsider not storing the organization's data\ + \ backup on the same network as the system on which the original data resides\ + \ and provide an offline copy. Among other things, this prevents file encryption\ + \ by hackers (risk of ransomware)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.2 + description: The reliability and integrity of backups shall be verified and + tested on regular basis. + annotation: This should include regularly testing of the backup restore procedures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.3 + description: A separate alternate storage site for system backups shall be operated + and the same security safeguards as the primary storage location shall be + employed. + annotation: An offline backup of your data is ideally stored in a separate physical + location from the original data source and where feasible offsite for extra + protection and security. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.4 + description: Backup verification shall be coordinated with the functions in + the organization that are responsible for related plans. + annotation: "\u2022\tRelated plans include, for example, Business Continuity\ + \ Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications\ + \ Plans, Critical Infrastructure Plans, and Cyber Incident response plans.\n\ + \u2022\tRestoration of backup data during contingency plan testing should\ + \ be provided." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.5 + description: Critical system backup shall be separated from critical information + backup. 
+ annotation: Seperation of critical system backup from critical information backup + should lead to a shorter recovery time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-5 + description: Policy and regulations regarding the physical operating environment + for organizational assets are met + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: IMPORTANT_PR.IP-5.1 + description: The organization shall define, implement, and enforce policy and + procedures regarding emergency and safety systems, fire protection systems, + and environment controls for its critical systems. + annotation: "The below measures should be considered:\n\u2022\tProtect unattended\ + \ computer equipment with padlocks or a locker and key system.\n\u2022\tFire\ + \ suppression mechanisms should take the organization's critical system environment\ + \ into account (e.g., water sprinkler systems could be hazardous in specific\ + \ environments)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: PR.IP-5.2 + description: The organization shall implement fire detection devices that activate + and notify key personnel automatically in the event of a fire. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-6 + description: Data is destroyed according to policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: IMPORTANT_PR.IP-6.1 + description: The organization shall ensure that its critical system's data is + destroyed according to policy. + annotation: "\u2022\tDisposal actions include media sanitization actions (See\ + \ PR.DS-3)\n\u2022\tThere are two primary types of media in common use:\n\ + o\tHard copy media (physical representations of information)\no\tElectronic\ + \ or soft copy media (the bits and bytes contained in hard drives, random\ + \ access memory (RAM), read-only memory (ROM), disks, memory devices, phones,\ + \ mobile computing devices, networking equipment\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: PR.IP-6.2 + description: Sanitation processes shall be documented and tested. + annotation: "\u2022\tSanitation processes include procedures and equipment.\n\ + \u2022\tConsider applying non-destructive sanitization techniques to portable\ + \ storage devices.\n\u2022\tConsider sanitation procedures in proportion to\ + \ confidentiality requirements." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-7 + description: Protection processes are improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: IMPORTANT_PR.IP-7.1 + description: The organization shall incorporate improvements derived from the + monitoring, measurements, assessments, and lessons learned into protection + process updates (continuous improvement). + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.2 + description: The organization shall implement independent teams to assess the + protection process(es). + annotation: 'Independent teams, for example, may include internal or external + impartial personnel. + + Impartiality implies that assessors are free from any perceived or actual + conflicts of interest regarding the development, operation, or management + of the organization''s critical system under assessment or to the determination + of security control effectiveness.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.3 + description: The organization shall ensure that the security plan for its critical + systems facilitates the review, testing, and continual improvement of the + security protection processes. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-8 + description: 'Effectiveness of protection technologies is shared ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.1 + description: The organization shall collaborate and share information about + its critical system's related security incidents and mitigation measures with + designated partners. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.2 + description: Communication of effectiveness of protection technologies shall + be shared with appropriate parties. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.3 + description: The organization shall implement, where feasible, automated mechanisms + to assist in information collaboration. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-9 + description: Response plans (Incident Response and Business Continuity) and + recovery plans (Incident Recovery and Disaster Recovery) are in place and + managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-9.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: IMPORTANT_PR.IP-9.1 + description: Incident response plans (Incident Response and Business Continuity) + and recovery plans (Incident Recovery and Disaster Recovery) shall be established, + maintained, approved, and tested to determine the effectiveness of the plans, + and the readiness to execute the plans. + annotation: "\u2022\tThe incident response plan is the documentation of a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tPlans should incorporate recovery\ + \ objectives, restoration priorities, metrics, contingency roles, personnel\ + \ assignments and contact information.\n\u2022\tMaintaining essential functions\ + \ despite system disruption, and the eventual restoration of the organization\u2019\ + s systems, should be addressed.\n\u2022\tConsider defining incident types,\ + \ resources and management support needed to effectively maintain and mature\ + \ the incident response and contingency capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: PR.IP-9.2 + description: The organization shall coordinate the development and the testing + of incident response plans and recovery plans with stakeholders responsible + for related plans. 
+ annotation: Related plans include, for example, Business Continuity Plans, Disaster + Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, + Critical Infrastructure Plans, Cyber incident response plans, and Occupant + Emergency Plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-11 + description: Cybersecurity is included in human resources practices (e.g., deprovisioning, + personnel screening) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-11.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: BASIC_PR.IP-11.1 + description: "Personnel having access to the organization\u2019s most critical\ + \ information or technology shall be verified." + annotation: "\u2022\tThe access to critical information or technology should\ + \ be considered when recruiting, during employment and at termination.\n\u2022\ + \tBackground verification checks should take into consideration applicable\ + \ laws, regulations, and ethics in proportion to the business requirements,\ + \ the classification of the information to be accessed and the perceived risks." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-11.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: IMPORTANT_PR.IP-11.2 + description: Develop and maintain a human resource information/cyber security + process that is applicable when recruiting, during employment and at termination + of employment. 
+ annotation: "The human resource information/cyber security process should include\ + \ access to critical information or technology; background verification checks;\ + \ code of conduct; roles, authorities, and responsibilities\u2026" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-12 + description: A vulnerability management plan is developed and implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-12.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + ref_id: IMPORTANT_PR.IP-12.1 + description: The organization shall establish and maintain a documented process + that allows continuous review of vulnerabilities and strategies to mitigate + them. + annotation: "\u2022\tConsider inventorying sources likely to report vulnerabilities\ + \ in the identified components and distribute updates (software publisher\ + \ websites, CERT website, ENISA website).\n\u2022\tThe organization should\ + \ identify where its critical system's vulnerabilities may be exposed to adversaries." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.MA + name: Maintenance + description: Maintenance and repairs of industrial control and information system + components are performed consistent with policies and procedures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-1 + description: Maintenance and repair of organizational assets are performed and + logged, with approved and controlled tools + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ma-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: BASIC_PR.MA-1.1 + description: Patches and security updates for Operating Systems and critical + system components shall be installed. + annotation: "The following should be considered:\n\u2022\tLimit yourself to\ + \ only install those applications (operating systems, firmware, or plugins\ + \ ) that you need to run your business and patch/update them regularly.\n\u2022\ + \tYou should only install a current and vendor-supported version of software\ + \ you choose to use. It may be useful to assign a day each month to check\ + \ for patches.\n\u2022\tThere are products which can scan your system and\ + \ notify you when there is an update for an application you have installed.\ + \ If you use one of these products, make sure it checks for updates for every\ + \ application you use.\n\u2022\tInstall patches and security updates in a\ + \ timely manner." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.2 + description: The organization shall plan, perform and document preventive maintenance + and repairs on its critical system components according to approved processes + and tools. + annotation: 'Consider the below measures: + (1) Perform security updates on all software in a timely manner. + (2) Automate the update process and audit its effectiveness. 
+ (3) Introduce an internal patching culture on desktops, mobile devices, servers, + network components, etc. to ensure updates are tracked.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.3 + description: The organization shall enforce approval requirements, control, + and monitoring of maintenance tools for use on the its critical systems. + annotation: Maintenance tools can include, for example, hardware/software diagnostic + test equipment, hardware/software packet sniffers and laptops. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.4 + description: The organization shall verify security controls following hardware + maintenance or repairs, and take action as appropriate. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.5 + description: The organization shall prevent the unauthorized removal of maintenance + equipment containing organization's critical system information. + annotation: This requirement maily focuses mainly on OT/ICS environments. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.6 + description: 'Maintenance tools and portable storage devices shall be inspected + when brought into the facility and shall be protected by anti-malware solutions + so that they are scanned for malicious code before they are used on organization''s + systems.' + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.7 + description: The organization shall verify security controls following hardware + and software maintenance or repairs/patching and take action as appropriate. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-2 + description: Remote maintenance of organizational assets is approved, logged, + and performed in a manner that prevents unauthorized access + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.1 + description: Remote maintenance shall only occur after prior approval, monitoring + to avoid unauthorised access, and approval of the outcome of the maintenance + activities as described in approved processes or procedures. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.2 + description: The organization shall make sure that strong authenticators, record + keeping, and session termination for remote maintenance is implemented. 
+ annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: PR.MA-2.3 + description: The organization shall require that diagnostic services pertaining + to remote maintenance be performed from a system that implements a security + capability comparable to the capability implemented on the equivalent organization's + critical system. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.PT + name: Protective Technology + description: Technical security solutions are managed to ensure the security + and resilience of systems and assets, consistent with related policies, procedures, + and agreements. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-1 + description: Audit/log records are determined, documented, implemented, and + reviewed in accordance with policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: BASIC_PR.PT-1.1 + description: ' Logs shall be maintained, documented, and reviewed.' + annotation: "\u2022\tEnsure the activity logging functionality of protection\ + \ / detection hardware or software (e.g. firewalls, anti-virus) is enabled.\n\ + \u2022\tLogs should be backed up and saved for a predefined period.\n\u2022\ + \tThe logs should be reviewed for any unusual or unwanted trends, such as\ + \ a large use of social media websites or an unusual number of viruses consistently\ + \ found on a particular computer. 
These trends may indicate a more serious\ + \ problem or signal the need for stronger protections in a particular area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: IMPORTANT_PR.PT-1.2 + description: 'The organization shall ensure that the log records include an + authoritative time source or internal clock time stamp that are compared and + synchronized to an authoritative time source. ' + annotation: Authoritative time sources include for example, an internal Network + Time Protocol (NTP) server, radio clock, atomic clock, GPS time source. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.3 + description: "The organization shall ensure that audit processing failures on\ + \ the organization's systems generate alerts and trigger defined responses.\t" + annotation: The use of System Logging Protocol (Syslog) servers can be considered. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.4 + description: The organization shall enable authorized individuals to extend + audit capabilities when required by events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-2 + description: Removable media is protected and its use restricted according to + policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.1 + description: The usage restriction of portable storage devices shall be ensured + through an appropriate documented policy and supporting safeguards. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.2 + description: The organisation should technically prohibit the connection of + removable media unless strictly necessary; in other instances, the execution + of autoruns from such media should be disabled. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: PR.PT-2.3 + description: Portable storage devices containing system data shall be controlled + and protected while in transit and in storage. + annotation: Protection and control should include the scanning of all portable + storage devices for malicious code before they are used on organization's + systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-3 + description: The principle of least functionality is incorporated by configuring + systems to provide only essential capabilities + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: IMPORTANT_PR.PT-3.1 + description: The organization shall configure the business critical systems + to provide only essential capabilities. + annotation: Consider applying the principle of least functionality to access + systems and assets (see also PR.AC-4). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.2 + description: The organization shall disable defined functions, ports, protocols, + and services within its critical systems that it deems unnecessary. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.3 + description: The organization shall implement technical safeguards to enforce + a deny-all, permit-by-exception policy to only allow the execution of authorized + software programs. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-4 + description: Communications and control networks are protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: BASIC_PR.PT-4.1 + description: Web and e-mail filters shall be installed and used. + annotation: "\u2022\tE-mail filters should detect malicious e-mails, and filtering\ + \ should be configured based on the type of message attachments so that files\ + \ of the specified types are automatically processed (e.g. deleted).\n\u2022\ + \tWeb-filters should notify the user if a website may contain malware and\ + \ potentially preventing users from accessing that website." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.2 + description: The organization shall control the information flows/data flows + within its critical systems and between interconnected systems. + annotation: "Consider the following:\n\u2022\tInformation flow may be supported,\ + \ for example, by labelling or colouring physical connectors as an aid to\ + \ manual hook-up.\n\u2022\tInspection of message content may enforce information\ + \ flow policy. For example, a message containing a command to an actuator\ + \ may not be permitted to flow between the control network and any other network.\n\ + \u2022\tPhysical addresses (e.g., a serial port) may be implicitly or explicitly\ + \ associated with labels or attributes (e.g., hardware I/O address). Manual\ + \ methods are typically static. 
Label or attribute policy mechanisms may be\ + \ implemented in hardware, firmware, and software that controls or has device\ + \ access, such as device drivers and communications controllers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.3 + description: The organization shall manage the interface for external communication + services by establishing a traffic flow policy, protecting the confidentiality + and integrity of the information being transmitted; This includes the review + and documenting of each exception to the traffic flow policy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT (DE) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.AE + name: Anomalies and Events + description: Anomalous activity is detected and the potential impact of events + is understood. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-1 + description: A baseline of network operations and expected data flows for users + and systems is established and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + ref_id: DE.AE-1.1 + description: The organization shall ensure that a baseline of network operations + and expected data flows for its critical systems is developed, documented + and maintained to track events. 
+ annotation: "\u2022\tConsider enabling local logging on all your systems and\ + \ network devices and keep them for a certain period, for example up to 6\ + \ months.\n\u2022\tEnsure that your logs contain enough information (source,\ + \ date, user, timestamp, etc.) and that you have enough storage space for\ + \ their generation.\n\u2022\tConsider centralizing your logs.\n\u2022\tConsider\ + \ deploying a Security Information and Event Management tool (SIEM) that will\ + \ facilitate the correlation and analysis of your data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-2 + description: Detected events are analyzed to understand attack targets and methods + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: IMPORTANT_DE.AE-2.1 + description: The organization shall review and analyze detected events to understand + attack targets and methods. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: DE.AE-2.2 + description: 'The organization shall implement automated mechanisms where feasible + to review and analyze detected events. ' + annotation: Consider to review your logs regularly to identify anomalies or + abnormal events. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-3 + description: Event data are collected and correlated from multiple sources and + sensors + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.ae-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: BASIC_DE.AE-3.1 + description: "The activity logging functionality of protection / detection hardware\ + \ or software \n(e.g. firewalls, anti-virus) shall be enabled, backed-up and\ + \ reviewed." + annotation: "\u2022\tLogs should be backed up and saved for a predefined period.\n\ + \u2022\tThe logs should be reviewed for any unusual or unwanted trends, such\ + \ as a large use of social media websites or an unusual number of viruses\ + \ consistently found on a particular computer. These trends may indicate a\ + \ more serious problem or signal the need for stronger protections in a particular\ + \ area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: IMPORTANT_DE.AE-3.2 + description: The organization shall ensure that event data is compiled and correlated + across its critical systems using various sources such as event reports, audit + monitoring, network monitoring, physical access monitoring, and user/administrator + reports. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: DE.AE-3.3 + description: The organization shall integrate analysis of events where feasible + with the analysis of vulnerability scanning information; performance data; + its critical system's monitoring, and facility monitoring to further enhance + the ability to identify inappropriate or unusual activity. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-4 + description: Impact of events is determined + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + ref_id: DE.AE-4.1 + description: "Negative impacts to organization\u2019s operations, assets, and\ + \ individuals resulting from detected events shall be determined and correlated\ + \ with risk assessment outcomes." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-5 + description: Incident alert thresholds are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.1 + description: The organization shall implement automated mechanisms and system + generated alerts to support event detection and to assist in the identification + of security alert thresholds. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.2 + description: The organization shall define incident alert thresholds. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.CM + name: Security Continuous Monitoring + description: The information system and assets are monitored to identify cybersecurity + events and verify the effectiveness of protective measures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-1 + description: The network is monitored to detect potential cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: BASIC_DE.CM-1.1 + description: Firewalls shall be installed and operated on the network boundaries + and completed with firewall protection on the endpoints. + annotation: "\u2022\tEndpoints include desktops, laptops, servers...\n\u2022\ + \tConsider, where feasible, including smart phones and other networked devices\ + \ when installing and operating firewalls.\n\u2022\tConsider limiting the\ + \ number of interconnection gateways to the Internet." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: IMPORTANT_DE.CM-1.2 + description: The organization shall monitor and identify unauthorized use of + its business critical systems through the detection of unauthorized local + connections, network connections and remote connections. 
+ annotation: "\u2022\tMonitoring of network communications should happen at the\ + \ external boundary of the organization's business critical systems and at\ + \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\ + \ facing applications the implementation of a web application firewall (WAF)\ + \ should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: DE.CM-1.3 + description: "The organization shall conduct ongoing security status monitoring\ + \ of its network to detect defined information/cybersecurity events and indicators\ + \ of potential information/cybersecurity events.\t" + annotation: "Security status monitoring should include:\n\u2022\tThe generation\ + \ of system alerts when indications of compromise or potential compromise\ + \ occur.\n\u2022\tDetection and reporting of atypical usage of organization's\ + \ critical systems.\n\u2022\tThe establishment of audit records for defined\ + \ information/cybersecurity events.\n\u2022\tBoosting system monitoring activity\ + \ whenever there is an indication of increased risk.\n\u2022\tPhysical environment,\ + \ personnel, and service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-2 + description: The physical environment is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: IMPORTANT_DE.CM-2.1 + description: The physical environment of the facility shall be monitored for + potential information/cybersecurity events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: DE.CM-2.2 + description: The physical access to organization's critical systems and devices + shall be, on top of the physical access monitoring to the facility, increased + through physical intrusion alarms, surveillance equipment, independent surveillance + teams. + annotation: It is recommended to log all visitors. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-3 + description: Personnel activity is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: BASIC_DE.CM-3.1 + description: End point and network protection tools to monitor end-user behavior + for dangerous activity shall be implemented. + annotation: Consider deploying an Intrusion Detection/Prevention system (IDS/IPS). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.2 + description: End point and network protection tools that monitor end-user behavior + for dangerous activity shall be managed. + annotation: Consider using a centralized log platform for the consolidation + and exploitation of log files. Consider to actively investigate the alerts + generated because of suspicious activities and take the appropriate actions + to remediate the threat, e.g. through the deployment of a security operations + centre (SOC). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.3 + description: Software usage and installation restrictions shall be enforced. + annotation: Only authorized software should be used and user access rights should + be limited to the specific data, resources and applications needed to complete + a required task (least privilege principle). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-4 + description: Malicious code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: BASIC_DE.CM-4.1 + description: Anti-virus, -spyware, and other -malware programs shall be installed + and updated. + annotation: "\u2022\tMalware includes viruses, spyware, and ransomware and should\ + \ be countered by installing, using, and regularly updating anti-virus and\ + \ anti-spyware software on every device used in company\u2019s business (including\ + \ computers, smart phones, tablets, and servers).\n\u2022\tAnti-virus and\ + \ anti-spyware software should automatically check for updates in \u201Creal-time\u201D\ + \ or at least daily followed by system scanning as appropriate.\n\u2022\t\ + It should be considered to provide the same malicious code protection mechanisms\ + \ for home computers (e.g. teleworking) or personal devices that are used\ + \ for professional work (BYOD)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: DE.CM-4.2 + description: The organisation shall set up a system to detect false positives + while detecting and eradicating malicious code. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-5 + description: Unauthorized mobile code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + ref_id: IMPORTANT_DE.CM-5.1 + description: The organization shall define acceptable and unacceptable mobile + code and mobile code technologies; and authorize, monitor, and control the + use of mobile code within the system. + annotation: "\u2022\tMobile code includes any program, application, or content\ + \ that can be transmitted across a network (e.g., embedded in an email, document,\ + \ or website) and executed on a remote system. Mobile code technologies include\ + \ for example Java applets, JavaScript, HTML5, WebGL, and VBScript.\n\u2022\ + \tDecisions regarding the use of mobile code in organizational systems should\ + \ be based on the potential for the code to cause damage to the systems if\ + \ used maliciously. Usage restrictions and implementation guidance should\ + \ apply to the selection and use of mobile code installed." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-6 + description: External service provider activity is monitored to detect potential + cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.1 + description: All external connections by vendors supporting IT/OT applications + or infrastructure shall be secured and actively monitored to ensure that only + permissible actions occur during the connection. + annotation: This monitoring includes unauthorized personnel access, connections, + devices, and software. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.2 + description: External service providers' conformance with personnel security + policies and procedures and contract security requirements shall be monitored + relative to their cybersecurity risks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-7 + description: Monitoring for unauthorized personnel, connections, devices, and + software is performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: IMPORTANT_DE.CM-7.1 + description: The organization's business critical systems shall be monitored + for unauthorized personnel access, connections, devices, access points, and + software. 
+ annotation: "\u2022\tUnauthorized personnel access includes access by external\ + \ service providers.\n\u2022\tSystem inventory discrepancies should be included\ + \ in the monitoring.\n\u2022\tUnauthorized configuration changes to organization's\ + \ critical systems should be included in the monitoring." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: DE.CM-7.2 + description: Unauthorized configuration changes to organization's systems shall + be monitored and addressed with the appropriate mitigation actions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-8 + description: Vulnerability scans are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.1 + description: The organization shall monitor and scan for vulnerabilities in + its critical systems and hosted applications ensuring that system functions + are not adversely impacted by the scanning process. + annotation: Consider the implementation of a continuous vulnerability scanning + program; Including reporting and mitigation plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.2 + description: The vulnerability scanning process shall include analysis, remediation, + and information sharing. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.DP + name: Detection Processes + description: Detection processes and procedures are maintained and tested to + ensure awareness of anomalous events. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-2 + description: Detection activities comply with all applicable requirements + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + ref_id: IMPORTANT_DE.DP-2.1 + description: The organization shall conduct detection activities in accordance + with applicable federal and regional laws, industry regulations and standards, + policies, and other applicable requirements. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-3 + description: Detection processes are tested + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + ref_id: IMPORTANT_DE.DP-3.1 + description: The organization shall validate that event detection processes + are operating as intended. + annotation: "\u2022\tValidation includes testing.\n\u2022\tValidation should\ + \ be demonstrable." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-4 + description: Event detection information is communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + ref_id: IMPORTANT_DE.DP-4.1 + description: The organization shall communicate event detection information + to predefined parties. + annotation: Event detection information includes for example, alerts on atypical + account usage, unauthorized remote access, wireless connectivity, mobile device + connection, altered configuration settings, contrasting system component inventory, + use of maintenance tools and nonlocal maintenance, physical access, temperature + and humidity, equipment delivery and removal, communications at the information + system boundaries, use of mobile code, use of Voice over Internet Protocol + (VoIP), and malware disclosure. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-5 + description: Detection processes are continuously improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: IMPORTANT_DE.DP-5.1 + description: Improvements derived from the monitoring, measurement, assessment, + testing, review, and lessons learned, shall be incorporated into detection + process revisions. + annotation: "\u2022\tThis results in a continuous improvement of the detection\ + \ processes.\n\u2022\tThe use of independent teams to assess the detection\ + \ process could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: DE.DP-5.2 + description: The organization shall conduct specialized assessments including + in-depth monitoring, vulnerability scanning, malicious user testing, insider + threat assessment, performance/load testing, and verification and validation + testing on the organization's critical systems. + annotation: These activities can be outsourced, preferably to accredited organizations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + assessable: false + depth: 1 + ref_id: RS + name: RESPOND (RS) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.RP + name: Response Planning + description: Response processes and procedures are executed and maintained, + to ensure response to detected cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + ref_id: RS.RP-1 + description: Response plan is executed during or after an incident + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + ref_id: BASIC_RS.RP-1.1 + description: An incident response process, including roles, responsibilities, + and authorities, shall be executed during or after an information/cybersecurity + event on the organization's critical systems. 
+ annotation: "\u2022\tThe incident response process should include a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tThe roles, responsibilities, and authorities\ + \ in the incident response plan should be specific on involved people, contact\ + \ info, different roles and responsibilities, and who makes the decision to\ + \ initiate recovery procedures as well as who will be the contact with appropriate\ + \ external stakeholders. It should be considered to determine the causes of\ + \ an information/cybersecurity event and implement a corrective action in\ + \ order that the event does not recur or occur elsewhere (an infection by\ + \ malicious code on one machine did not have spread elsewhere in the network).\ + \ The effectiveness of any corrective action taken should be reviewed. Corrective\ + \ actions should be appropriate to the effects of the information/cybersecurity\ + \ event encountered.\nInternal Note: Requirements are covered in PR.IP-9" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.CO + name: Communications + description: Response activities are coordinated with internal and external + stakeholders (e.g. external support from law enforcement agencies). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-1 + description: Personnel know their roles and order of operations when a response + is needed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + ref_id: IMPORTANT_RS.CO-1.1 + description: The organization shall ensure that personnel understand their roles, + objectives, restoration priorities, task sequences (order of operations) and + assignment responsibilities for event response. + annotation: Consider the use the CCB Incident Management Guide to guide you + through this exercise and consider bringing in outside experts if needed. + Test your plan regularly and adjust it after each incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-2 + description: Incidents are reported consistent with established criteria + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: IMPORTANT_RS.CO-2.1 + description: The organization shall implement reporting on information/cybersecurity + incidents on its critical systems in an organization-defined time frame to + organization-defined personnel or roles. + annotation: All users should have a single point of contact to report any incident + and be encouraged to do so. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: RS.CO-2.2 + description: Events shall be reported consistent with established criteria. 
+ annotation: Criteria to report should be included in the incident response plan. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-3 + description: Information is shared consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: BASIC_RS.CO-3.1 + description: "Information/cybersecurity incident information shall be communicated\ + \ and shared with the organization\u2019s employees in a format that they\ + \ can understand." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: IMPORTANT_RS.CO-3.2 + description: The organization shall share information/cybersecurity incident + information with relevant stakeholders as foreseen in the incident response + plan. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-4 + description: Coordination with stakeholders occurs consistent with response + plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + ref_id: IMPORTANT_RS.CO-4.1 + description: The organization shall coordinate information/cybersecurity incident + response actions with all predefined stakeholders. 
+ annotation: "\u2022\tStakeholders for incident response include for example,\ + \ mission/business owners, organization's critical system owners, integrators,\ + \ vendors, human resources offices, physical and personnel security offices,\ + \ legal departments, operations personnel, and procurement offices.\n\u2022\ + \tCoordination with stakeholders occurs consistent with incident response\ + \ plans." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-5 + description: 'Voluntary information sharing occurs with external stakeholders + to achieve broader cybersecurity situational awareness ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + ref_id: IMPORTANT_RS.CO-5.1 + description: "The organization shall share information/cybersecurity event information\ + \ voluntarily, as appropriate, with external stakeholders, industry security\ + \ groups,\u2026 to achieve broader information/cybersecurity situational awareness." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.AN + name: Analysis + description: Analysis is conducted to ensure effective response and support + recovery activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-1 + description: Notifications from detection systems are investigated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: IMPORTANT_RS.AN-1.1 + description: The organization shall investigate information/cybersecurity-related + notifications generated from detection systems. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: RS.AN-1.2 + description: The organization shall implement automated mechanisms to assist + in the investigation and analysis of information/cybersecurity-related notifications. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-2 + description: The impact of the incident is understood + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: IMPORTANT_RS.AN-2.1 + description: Thorough investigation and result analysis shall be the base for + understanding the full implication of the information/cybersecurity incident. + annotation: "\u2022\tResult analysis can involve the outcome of determining\ + \ the correlation between the information of the detected event and the outcome\ + \ of risk assessments. 
In this way, insight is gained into the impact of the\ + \ event across the organization.\n\u2022\tConsider including detection of\ + \ unauthorized changes to its critical systems in its incident response capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: RS.AN-2.2 + description: The organization shall implement automated mechanisms to support + incident impact analysis. + annotation: Implementation could vary from a ticketing system to a Security + Information and Event Management (SIEM). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-3 + description: Forensics are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.1 + description: The organization shall provide on-demand audit review, analysis, + and reporting for after-the-fact investigations of information/cybersecurity + incidents. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.2 + description: The organization shall conduct forensic analysis on collected information/cybersecurity + event information to determine root cause. + annotation: Consider to determine the root cause of an incident. If necessary, + use forensics analysis on collected information/cybersecurity event information + to achieve this. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-4 + description: Incidents are categorized consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + ref_id: IMPORTANT_RS.AN-4.1 + description: Information/cybersecurity incidents shall be categorized according + to the level of severity and impact consistent with the evaluation criteria + included the incident response plan. + annotation: "\u2022\tIt should be considered to determine the causes of an information/cybersecurity\ + \ incident and implement a corrective action in order that the incident does\ + \ not recur or occur elsewhere.\n\u2022\tThe effectiveness of any corrective\ + \ action taken should be reviewed.\n\u2022\tCorrective actions should be appropriate\ + \ to the effects of the information/cybersecurity incident encountered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-5 + description: Processes are established to receive, analyze and respond to vulnerabilities + disclosed to the organization from internal and external sources (e.g. internal + testing, security bulletins, or security researchers) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: IMPORTANT_RS.AN-5.1 + description: 'The organization shall implement vulnerability management processes + and procedures that include processing, analyzing and remedying vulnerabilities + from internal and external sources. ' + annotation: Internal and external sources could be e.g. 
internal testing, security + bulletins, or security researchers. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: RS.AN-5.2 + description: The organization shall implement automated mechanisms to disseminate + and track remediation efforts for vulnerability information, captured from + internal and external sources, to key stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.MI + name: Mitigation + description: Activities are performed to prevent expansion of an event, mitigate + its effects, and resolve the incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + ref_id: RS.MI-1 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.mi-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + ref_id: IMPORTANT_RS.MI-1.1 + description: The organization shall implement an incident handling capability + for information/cybersecurity incidents on its business critical systems that + includes preparation, detection and analysis, containment, eradication, recovery + and documented risk acceptance. 
+ annotation: A documented risk acceptance deals with risks that the organisation + assesses as not dangerous to the organisation's business critical systems + and where the risk owner formally accepts the risk (related with the risk + appetite of the organization) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.IM + name: Improvements + description: Organizational response activities are improved by incorporating + lessons learned from current and previous detection/response activities. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-1 + description: Response plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: BASIC_RS.IM-1.1 + description: The organization shall conduct post-incident evaluations to analyse + lessons learned from incident response and recovery, and consequently improve + processes / procedures / technologies to enhance its cyber resilience. + annotation: Consider bringing involved people together after each incident and + reflect together on ways to improve what happened, how it happened, how we + reacted, how it could have gone better, what should be done to prevent it + from happening again, etc. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: IMPORTANT_RS.IM-1.2 + description: Lessons learned from incident handling shall be translated into + updated or new incident handling procedures that shall be tested, approved + and trained. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-2 + description: Response and Recovery strategies are updated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + ref_id: IMPORTANT_RS.IM-2.1 + description: The organization shall update the response and recovery plans + to address changes in its context. + annotation: "The organization\u2019s context relates to the organizational structure,\ + \ its critical systems, attack vectors, new threats, improved technology,\ + \ environment of operation, problems encountered during plan implementation/execution/testing\ + \ and lessons learned." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER (RC) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.RP + name: Recovery Planning + description: Recovery processes and procedures are executed and maintained to + ensure restoration of systems or assets affected by cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + ref_id: RC.RP-1 + description: 'Recovery plan is executed during or after a cybersecurity incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rc.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: BASIC_RC.RP-1.1 + description: A recovery process for disasters and information/cybersecurity + incidents shall be developed and executed as appropriate. 
+ annotation: "A process should be developed for what immediate actions will be\ + \ taken in case of a fire, medical emergency, burglary, natural disaster,\ + \ or an information/cyber security incident.\nThis process should consider:\n\ + \u2022\tRoles and Responsibilities, including of who makes the decision to\ + \ initiate recovery procedures and who will be the contact with appropriate\ + \ external stakeholders.\n\u2022\tWhat to do with company\u2019s information\ + \ and information systems in case of an incident. This includes shutting down\ + \ or locking computers, moving to a backup site, physically removing important\ + \ documents, etc.\n\u2022\tWho to call in case of an incident." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: RC.RP-1.2 + description: "The essential organization\u2019s functions and services shall\ + \ be continued with little or no loss of operational continuity and continuity\ + \ shall be sustained until full system restoration." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.IM + name: Improvements + description: Recovery planning and processes are improved by incorporating lessons + learned into future activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + ref_id: RC.IM-1 + description: Recovery plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + ref_id: IMPORTANT_RC.IM-1.1 + description: The organization shall incorporate lessons learned from incident + recovery activities into updated or new system recovery procedures and, after + testing, frame this with appropriate training. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.CO + name: Communications + description: Restoration activities are coordinated with internal and external + parties (e.g. coordinating centers, Internet Service Providers, owners of + attacking systems, victims, other CSIRTs, and vendors). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-1 + description: Public relations are managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: IMPORTANT_RC.CO-1.1 + description: The organization shall centralize and coordinate how information + is disseminated and manage how the organization is presented to the public. 
+ annotation: "Public relations management may include, for example, managing\ + \ media interactions, coordinating and logging all requests for interviews,\ + \ handling and \u2018triaging\u2019 phone calls and e-mail requests, matching\ + \ media requests with appropriate and available internal experts who are ready\ + \ to be interviewed, screening all of information provided to the media, ensuring\ + \ personnel are familiar with public relations and privacy policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: RC.CO-1.2 + description: A Public Relations Officer shall be assigned. + annotation: "The Public Relations Officer should consider the use of pre-define\ + \ external contacts \n(e.g. press, regulators, interest groups)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-2 + description: 'Reputation is repaired after an incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + ref_id: RC.CO-2.1 + description: The organization shall implement a crisis response strategy to + protect the organization from the negative consequences of a crisis and help + restore its reputation. + annotation: Crisis response strategies include, for example, actions to shape + attributions of the crisis, change perceptions of the organization in crisis, + and reduce the negative effect generated by the crisis. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-3 + description: Recovery activities are communicated to internal and external stakeholders + as well as executive and management teams + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + ref_id: IMPORTANT_RC.CO-3.1 + description: The organization shall communicate recovery activities to predefined + stakeholders, executive and management teams. + annotation: Communication of recovery activities to all relevant stakeholders + applies only to entities subject to the NIS legislation. diff --git a/tools/ccb/ccb-cyberfundamentals.yaml b/tools/ccb/ccb-cyberfundamentals.yaml new file mode 100644 index 000000000..629c806a4 --- /dev/null +++ b/tools/ccb/ccb-cyberfundamentals.yaml 
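Review bot: the maturity level is encoded inconsistently in the identifiers of this hunk. Basic and Important requirements carry a prefix in both `ref_id` and the URN suffix (`IMPORTANT_RS.CO-5.1` / `important_rs.co-5.1`, `BASIC_RS.IM-1.1` / `basic_rs.im-1.1`), while Essential-level requirements carry none (`RS.AN-1.2` / `rs.an-1.2`, `RC.RP-1.2`, `RC.CO-1.2`), so a consumer cannot tell "no prefix" from "level unknown" and cannot select the Essential subset by pattern. Consider either an explicit `ESSENTIAL_` prefix for those nodes or a dedicated level attribute and leave the `ref_id` as the CCB's plain identifier. Two smaller data-quality points in the same hunk: the `IMPORTANT_RS.AN-4.1` description reads "consistent with the evaluation criteria included the incident response plan" (missing "in"), and several single-quoted descriptions keep a trailing space from the spreadsheet cell (`'... cybersecurity situational awareness '`, `'Recovery plan is executed during or after a cybersecurity incident '`, `'Reputation is repaired after an incident '`); stripping cell values in the packager would avoid shipping that whitespace into the library.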
@@ -0,0 +1,3377 @@ +urn: urn:intuitem:risk:library:ccb-cff-2023-03-01 +locale: en +ref_id: CCB-CFF-2023-03-01 +name: CCB CyberFundamentals Framework +description: Centre For Cybersecurity Belgium - CyberFundamentals Framework +copyright: All texts, layouts, designs and other elements of any nature in this document + are subject to copyright law. +version: 1 +provider: CCB +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:ccb-cff-2023-03-01 + ref_id: CCB-CFF-2023-03-01 + name: CCB CyberFundamentals Framework + description: Centre For Cybersecurity Belgium - CyberFundamentals Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY (ID) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.AM + name: Asset Management + description: "The data, personnel, devices, systems, and facilities that enable\ + \ the organization to achieve business purposes are identified and managed\ + \ consistent with their relative importance to organizational objectives and\ + \ the organization\u2019s risk strategy." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-1 + description: Physical devices and systems within the organization are inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: BASIC_ID.AM-1.1 + description: An inventory of assets associated with information and information + processing facilities within the organization shall be documented, reviewed, + and updated when changes occur. 
+ annotation: "\u2022\tThis inventory includes fixed and portable computers, tablets,\ + \ mobile phones, Programmable Logic Controllers (PLCs), sensors, actuators,\ + \ robots, machine tools, firmware, network switches, routers, power supplies,\ + \ and other networked components or devices. \n\u2022\tThis inventory must\ + \ include all assets, whether or not they are connected to the organization's\ + \ network.\n\u2022\tThe use of an IT asset management tool could be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.2 + description: "The inventory of assets associated with information and information\ + \ processing facilities shall reflect changes in the organization\u2019s\ + \ context and include all information necessary for effective accountability." + annotation: "\u2022\tInventory specifications include for example, manufacturer,\ + \ device type, model, serial number, machine names and network addresses,\ + \ physical location\u2026\n\u2022\tAccountability is the obligation to explain,\ + \ justify, and take responsibility for one's actions, it implies answerability\ + \ for the outcome of the task or process.\n\u2022\tChanges include the decommissioning\ + \ of material." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.3 + description: When unauthorized hardware is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported hardware without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized hardware can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: ID.AM-1.4 + description: Mechanisms for detecting the presence of unauthorized hardware + and firmware components within the organization's network shall be identified. + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to address unauthorized assets on a frequently\ + \ basis; The organization may choose to remove the asset from the network,\ + \ deny the asset from connecting remotely to the network, or quarantine the\ + \ asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-2 + description: Software platforms and applications within the organization are + inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: BASIC_ID.AM-2.1 + description: An inventory that reflects what software platforms and applications + are being used in the organization shall be documented, reviewed, and updated + when changes occur. + annotation: "\u2022\tThis inventory includes software programs, software platforms\ + \ and databases, even if outsourced (SaaS).\n\u2022\tOutsourcing arrangements\ + \ should be part of the contractual agreements with the provider.\n\u2022\t\ + Information in the inventory should include for example: name, description,\ + \ version, number of users, data processed, etc.\n\u2022\tA distinction should\ + \ be made between unsupported software and unauthorized software.\n\u2022\t\ + The use of an IT asset management tool could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.2 + description: "The inventory of software platforms and applications associated\ + \ with information and information processing shall reflect changes in the\ + \ organization\u2019s context and include all information necessary for effective\ + \ accountability." + annotation: The inventory of software platforms and applications should include + the title, publisher, initial install/use date, and business purpose for each + entry; where appropriate, include the Uniform Resource Locator (URL), app + store(s), version(s), deployment mechanism, and decommission date. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.3 + description: Individuals who are responsible and who are accountable for administering + software platforms and applications within the organization shall be identified. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.4 + description: When unauthorized software is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported software without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized software can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: ID.AM-2.5 + description: "Mechanisms for detecting the presence of unauthorized software\ + \ within the organization\u2019s ICT/OT environment shall be identified. " + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to regularly address unauthorised assets;\ + \ The organization may choose to remove the asset from the network, deny the\ + \ asset from connecting remotely to the network, or quarantine the asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-3 + description: Organizational communication and data flows are mapped + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: BASIC_ID.AM-3.1 + description: Information that the organization stores and uses shall be identified. + annotation: "\u2022\tStart by listing all the types of information your business\ + \ stores or uses. Define \u201Cinformation type\u201D in any useful way that\ + \ makes sense to your business. You may want to have your employees make a\ + \ list of all the information they use in their regular activities. List everything\ + \ you can think of, but you do not need to be too specific. For example, you\ + \ may keep customer names and email addresses, receipts for raw material,\ + \ your banking information, or other proprietary information.\n\u2022\tConsider\ + \ mapping this information with the associated assets identified in the inventories\ + \ of physical devices, systems, software platforms and applications used within\ + \ the organization (see ID.AM-1 & ID.AM-2)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: IMPORTANT_ID.AM-3.2 + description: All connections within the organization's ICT/OT environment, and + to other organization-internal platforms shall be mapped, documented, approved, + and updated as appropriate. + annotation: "\u2022\tConnection information includes, for example, the interface\ + \ characteristics, data characteristics, ports, protocols, addresses, description\ + \ of the data, security requirements, and the nature of the connection.\n\u2022\ + \tConfiguration management can be used as supporting asset.\n\u2022\tThis\ + \ documentation should not be stored only on the network it represents.\n\u2022\ + \tConsider keeping a copy of this documentation in a safe offline environment\ + \ (e.g. offline hard disk, paper hardcopy, \u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: ID.AM-3.3 + description: "The information flows/data flows within the organization\u2019\ + s ICT/OT environment, as well as to other organization-internal systems shall\ + \ be mapped, documented, authorized, and updated when changes occur." + annotation: "\u2022\tWith knowledge of the information/data flows within a system\ + \ and between systems, it is possible to determine where information can and\ + \ cannot go.\n\u2022\tConsider:\no\tEnforcing controls restricting connections\ + \ to only authorized interfaces.\no\tHeightening system monitoring activity\ + \ whenever there is an indication of increased risk to organization's critical\ + \ operations and assets.\no\tProtecting the system from information leakage\ + \ due to electromagnetic signals emanations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-4 + description: External information systems are catalogued + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: IMPORTANT_ID.AM-4.1 + description: The organization shall map, document, authorize and when changes + occur, update, all external services and the connections made with them. + annotation: "\u2022\tOutsourcing of systems, software platforms and applications\ + \ used within the organization is covered in ID.AM-1 & ID.AM-2\n\u2022\tExternal\ + \ information systems are systems or components of systems for which organizations\ + \ typically have no direct supervision and authority over the application\ + \ of security requirements and controls, or the determination of the effectiveness\ + \ of implemented controls on those systems i.e., services that are run in\ + \ cloud, SaaS, hosting or other external environments, API (Application Programming\ + \ Interface)\u2026\n\u2022\tMapping external services and the connections\ + \ made to them and authorizing them in advance avoids wasting unnecessary\ + \ resources investigating a supposedly non-authenticated connection to external\ + \ systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: ID.AM-4.2 + description: The flow of information to/from external systems shall be mapped, + documented, authorized, and update when changes occur. + annotation: Consider requiring external service providers to identify and document + the functions, ports, protocols, and services necessary for the connection + services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-5 + description: 'Resources (e.g., hardware, devices, data, time, personnel, and + software) are prioritized based on their classification, criticality, and + business value ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + ref_id: BASIC_ID.AM-5.1 + description: "The organization\u2019s resources (hardware, devices, data, time,\ + \ personnel, information, and software) shall be prioritized based on their\ + \ classification, criticality, and business value." + annotation: "\u2022\tDetermine organization\u2019s resources (e.g., hardware,\ + \ devices, data, time, personnel, information, and software):\no\tWhat would\ + \ happen to my business if these resources were made public, damaged, lost\u2026\ + ?\no\tWhat would happen to my business when the integrity of resources is\ + \ no longer guaranteed?\no\tWhat would happen to my business if I/my customers\ + \ couldn\u2019t access these resources? And rank these resources based on\ + \ their classification, criticality, and business value.\n\u2022\tResources\ + \ should include enterprise assets. \u2022\tCreate a classification for sensitive\ + \ information by first determining categories, e.g.\no\tPublic - freely accessible\ + \ to all, even externally\no\tInternal - accessible only to members of your\ + \ organization\no\tConfidential - accessible only to those whose duties require\ + \ access.\n\u2022\tCommunicate these categories and identify what types of\ + \ data fall into these categories (HR data, financial data, legal data, personal\ + \ data, etc.).\n\u2022\tConsider the use of the Traffic Light Protocol (TLP).\n\ + \u2022\tData classification should apply to the three aspects: C-I-A. 
Consider\ + \ implementing an automated tool, such as a host-based Data Loss Prevention\ + \ (DLP) tool to identify all sensitive data stored, processed, or transmitted\ + \ through enterprise assets, including those located onsite or at a remote\ + \ service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-6 + description: Cybersecurity roles, responsibilities, and authorities for the + entire workforce and third-party stakeholders are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: IMPORTANT_ID.AM-6.1 + description: Information security and cybersecurity roles, responsibilities + and authorities within the organization shall be documented, reviewed, authorized, + and updated and alignment with organization-internal roles and external partners. Key + Measure + annotation: "It should be considered to:\n\u2022\tDescribe security roles, responsibilities,\ + \ and authorities: who in your organization should be consulted, informed,\ + \ and held accountable for all or part of your assets.\n\u2022\tProvide security\ + \ roles, responsibilities, and authority for all key functions in information/cyber\ + \ security (legal, detection activities\u2026).\n\u2022\tInclude information/cybersecurity\ + \ roles and responsibilities for third-party providers (e.g., suppliers, customers,\ + \ partners) with physical or logical access to the organization\u2019s ICT/OT\ + \ environment." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: ID.AM-6.2 + description: The organization shall appoint an information security officer. 
+ annotation: The information security officer should be responsible for monitoring + the implementation of the organization's information/cyber security strategy + and safeguards. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.BE + name: Business Environment + description: "The organization\u2019s mission, objectives, stakeholders, and\ + \ activities are understood and prioritized; this information is used to inform\ + \ cybersecurity roles, responsibilities, and risk management decisions." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-1 + description: "The organization\u2019s role in the supply chain is identified\ + \ and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: IMPORTANT_ID.BE-1.1 + description: "The organization\u2019s role in the supply chain shall be identified,\ + \ documented, and communicated. " + annotation: "\u2022\tThe organisation should be able to clearly identify who\ + \ is upstream and downstream of the organisation and which suppliers provide\ + \ services, capabilities, products and items to the organisation.\n\u2022\t\ + The organisation should communicate its position to its upstream and downstream\ + \ so that it is understood where they sit in terms of critical importance\ + \ to the organisation's operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: ID.BE-1.2 + description: The organization shall protect its ICT/OT environment from supply + chain threats by applying security safeguards as part of a documented comprehensive + security strategy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-2 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector is identified and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + ref_id: IMPORTANT_ID.BE-2.1 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector shall be identified and communicated." + annotation: The organisation covered by NIS legislation has a responsibility + to know the other organisations in the same sector in order to work with them + to achieve the objectives set by NIS for that particular sector. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-3 + description: Priorities for organizational mission, objectives, and activities + are established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + ref_id: IMPORTANT_ID.BE-3.1 + description: Priorities for organizational mission, objectives, and activities + are established and communicated. 
+ annotation: Information protection needs should be determined, and the related + processes revised as necessary. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-4 + description: Dependencies and critical functions for delivery of critical services + are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + ref_id: IMPORTANT_ID.BE-4.1 + description: Dependencies and mission-critical functions for the delivery of + critical services shall be identified, documented, and prioritized according + to their criticality as part of the risk assessment process. + annotation: Dependencies and business critical functions should include support + services. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-5 + description: Resilience requirements to support delivery of critical services + are established for all operating states (e.g. under duress/attack, during + recovery, normal operations) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: IMPORTANT_ID.BE-5.1 + description: To support cyber resilience and secure the delivery of critical + services, the necessary requirements are identified, documented and their + implementation tested and approved. + annotation: "\u2022\tConsider implementing resiliency mechanisms to support\ + \ normal and adverse operational situations (e.g., failsafe, load balancing,\ + \ hot swap).\n\u2022\tConsider aspects of business continuity management in\ + \ e.g. 
Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business\ + \ Continuity Plan (BCP)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.2 + description: Information processing & supporting facilities shall implement + redundancy to meet availability requirements, as defined by the organization + and/or regulatory frameworks. + annotation: "\u2022\tConsider provisioning adequate data and network redundancy\ + \ (e.g. redundant network devices, servers with load balancing, raid arrays,\ + \ backup services, 2 separate datacentres, fail-over network connections,\ + \ 2 ISP's\u2026).\n\u2022\tConsider protecting critical equipment/services\ + \ from power outages and other failures due to utility interruptions (e.g.\ + \ UPS & NO-break, frequent test, service contracts that include regular maintenance,\ + \ redundant power cabling, 2 different power service providers...)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.3 + description: Recovery time and recovery point objectives for the resumption + of essential ICT/OT system processes shall be defined. + annotation: "\u2022\tConsider applying the 3-2-1 back-up rule to improve RPO\ + \ and RTO (maintain at least 3 copies of your data, keep 2 of them at separate\ + \ locations and one copy should be stored at an off-site location).\n\u2022\ + \tConsider implementing mechanisms such as hot swap, load balancing and failsafe\ + \ to increase resilience." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.GV + name: Governance + description: "The policies, procedures, and processes to manage and monitor\ + \ the organization\u2019s regulatory, legal, risk, environmental, and operational\ + \ requirements are understood and inform the management of cybersecurity risk." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-1 + description: Organizational cybersecurity policy is established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: BASIC_ID.GV-1.1 + description: Policies and procedures for information security and cyber security + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: "\u2022\tPolicies and procedures used to identify acceptable practices\ + \ and expectations for business operations, can be used to train new employees\ + \ on your information security expectations, and can aid an investigation\ + \ in case of an incident. These policies and procedures should be readily\ + \ accessible to employees.\n\u2022\tPolicies and procedures for information-\ + \ and cybersecurity should clearly describe your expectations for protecting\ + \ the organization\u2019s information and systems, and how management expects\ + \ the company\u2019s resources to be used and protected by all employees.\n\ + \u2022\tPolicies and procedures should be reviewed and updated at least annually\ + \ and every time there are changes in the organization or technology. Whenever\ + \ the policies are changed, employees should be made aware of the changes." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: IMPORTANT_ID.GV-1.2 + description: An organization-wide information security and cybersecurity policy + shall be established, documented, updated when changes occur, disseminated, + and approved by senior management. + annotation: "The policy should include, for example:\n\u2022\tThe identification\ + \ and assignment of roles, responsibilities, management commitment, coordination\ + \ among organizational entities, and compliance. Guidance on role profiles\ + \ along with their identified titles, missions, tasks, skills, knowledge,\ + \ competences is available in the \"European Cybersecurity Skills Framework\ + \ Role Profiles\" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles)\n\ + \u2022\tThe coordination among organizational entities responsible for the\ + \ different aspects of security (i.e., technical, physical, personnel, cyber-physical,\ + \ information, access control, media protection, vulnerability management,\ + \ maintenance, monitoring)\n\u2022\tThe coverage of the full life cycle of\ + \ the ICT/OT systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-3 + description: Legal and regulatory requirements regarding cybersecurity, including + privacy and civil liberties obligations, are understood and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: BASIC_ID.GV-3.1 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be understood and implemented. 
+ annotation: There are no additional guidelines. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: IMPORTANT_ID.GV-3.2 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be managed. + annotation: "\u2022\tThere should be regular reviews to ensure the continuous\ + \ compliance with legal and regulatory requirements regarding information/cybersecurity,\ + \ including privacy obligations.\n\u2022\tThis requirement also applies to\ + \ contractors and service providers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-4 + description: Governance and risk management processes address cybersecurity + risks + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: BASIC_ID.GV-4.1 + description: As part of the company's overall risk management, a comprehensive + strategy to manage information security and cybersecurity risks shall be developed + and updated when changes occur. + annotation: This strategy should include determining and allocating the required + resources to protect the organisation's business-critical assets. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: IMPORTANT_ID.GV-4.2 + description: "Information security and cybersecurity risks shall be documented,\ + \ formally approved, and updated when changes occur.\t" + annotation: Consider using Risk Management tools. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RA + name: Risk Assessment + description: The organization understands the cybersecurity risk to organizational + operations (including mission, functions, image, or reputation), organizational + assets, and individuals. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-1 + description: Asset vulnerabilities are identified and documented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: BASIC_ID.RA-1.1 + description: Threats and vulnerabilities shall be identified. + annotation: "\u2022\tA vulnerability refers to a weakness in the organization\u2019\ + s hardware, software, or procedures. It is a gap through which a bad actor\ + \ can gain access to the organization\u2019s assets. A vulnerability exposes\ + \ an organization to threats.\n\u2022\tA threat is a malicious or negative\ + \ event that takes advantage of a vulnerability. \n\u2022\tThe risk is the\ + \ potential for loss and damage when the threat does occur." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: IMPORTANT_ID.RA-1.2 + description: A process shall be established to monitor, identify, and document + vulnerabilities of the organisation's business critical systems in a continuous + manner. + annotation: "\u2022\tWhere safe and feasible, the use of vulnerability scanning\ + \ should be considered.\n\u2022\tThe organization should establish and maintain\ + \ a testing program appropriate to its size, complexity, and maturity." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: ID.RA-1.3 + description: "To ensure that organization's operations are not adversely impacted\ + \ by the testing process, performance/load testing and penetration testing\ + \ on the organization\u2019s systems shall be conducted with care." + annotation: Consider validating security measures after each penetration test. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-2 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: IMPORTANT_ID.RA-2.1 + description: ' A threat and vulnerability awareness program that includes a + cross-organization information-sharing capability shall be implemented. ' + annotation: A threat and vulnerability awareness program should include ongoing + contact with security groups and associations to receive security alerts and + advisories. (Security groups and associations include, for example, special + interest groups, forums, professional associations, news groups, and/or peer + groups of security professionals in similar organizations).This contact can + include the sharing of information about potential vulnerabilities and incidents. + This sharing capability should have an unclassified and classified information + sharing capability. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: ID.RA-2.2 + description: It shall be identified where automated mechanisms can be implemented + to make security alert and advisory information available to relevant organization + stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-5 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + determine risk + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: BASIC_ID.RA-5.1 + description: The organization shall conduct risk assessments in which risk is + determined by threats, vulnerabilities and impact on business processes and + assets. + annotation: "\u2022\tKeep in mind that threats exploit vulnerabilities.\n\u2022\ + \tIdentify the consequences that losses of confidentiality, integrity and\ + \ availability may have on the assets and related business processes." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: IMPORTANT_ID.RA-5.2 + description: The organization shall conduct and document risk assessments in + which risk is determined by threats, vulnerabilities, impact on business processes + and assets, and the likelihood of their occurrence. + annotation: "\u2022\tRisk assessment should include threats from insiders and\ + \ external parties.\n\u2022\tQualitative and/or quantitative risk analysis\ + \ methods \n(MAPGOOD, ISO27005, CIS RAM, \u2026) can be used together with\ + \ software tooling." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: ID.RA-5.3 + description: Risk assessment results shall be disseminated to relevant stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-6 + description: Risk responses are identified and prioritized + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + ref_id: IMPORTANT_ID.RA-6.1 + description: "A comprehensive strategy shall be developed and implemented to\ + \ manage risks to the organization\u2019s critical systems, that includes\ + \ the identification and prioritization of risk responses." + annotation: "\u2022\tManagement and employees should be involved in information-\ + \ and cybersecurity.\n\u2022\tIt should be identified what the most important\ + \ assets are, and how they are protected.\n\u2022\tIt should be clear what\ + \ impact will be if these assets are compromised.\n\u2022\tIt should be established\ + \ how the implementation of adequate mitigation measures will be organized." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RM + name: Risk Management Strategy + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support operational risk decisions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-1 + description: Risk management processes are established, managed, and agreed + to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + ref_id: IMPORTANT_ID.RM-1.1 + description: A cyber risk management process that identifies key internal and + external stakeholders and facilitates addressing risk-related issues and information + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: 'External stakeholders include customers, investors and shareholders, + suppliers, government agencies and the wider community. ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-2 + description: Organizational risk tolerance is determined and clearly expressed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + ref_id: IMPORTANT_ID.RM-2.1 + description: "The organization shall clearly determine it\u2019s risk appetite." + annotation: Determination and expression of risk tolerance (risk appetite) should + be in line with the policies on information security and cybersecurity, to + facilitate demonstration of coherence between policies, risk tolerance and + measures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-3 + description: "The organization\u2019s determination of risk tolerance is informed\ + \ by its role in critical infrastructure and sector specific risk analysis" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + ref_id: IMPORTANT_ID.RM-3.1 + description: "The organization\u2019s role in critical infrastructure and its\ + \ sector shall determine the organization\u2019s risk appetite." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.SC + name: Supply Chain Risk Management + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support risk decisions associated\ + \ with managing supply chain risk. The organization has established and implemented\ + \ the processes to identify, assess and manage supply chain risks." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-1 + description: Cyber supply chain risk management processes are identified, established, + assessed, managed, and agreed to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + ref_id: ID.SC-1.1 + description: The organization shall document, review, approve, update when changes + occur, and implement a cyber supply chain risk management process that supports + the identification, assessment, and mitigation of the risks associated with + the distributed and interconnected nature of ICT/OT product and service supply + chains. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-2 + description: 'Suppliers and third party partners of information systems, components, + and services are identified, prioritized, and assessed using a cyber supply + chain risk assessment process ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: IMPORTANT_ID.SC-2.1 + description: "The organization shall conduct cyber supply chain risk assessments\ + \ at least annually or when a change to the organization\u2019s critical systems,\ + \ operational environment, or supply chain occurs; These assessments shall\ + \ be documented, and the results disseminated to relevant stakeholders including\ + \ those responsible for ICT/OT systems." 
+ annotation: This assessment should identify and prioritize potential negative + impacts to the organization from the risks associated with the distributed + and interconnected nature of ICT/OT product and service supply chains. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: ID.SC-2.2 + description: "A documented list of all the organization\u2019s suppliers, vendors\ + \ and partners who may be involved in a major incident shall be established,\ + \ kept up-to-date and made available online and offline." + annotation: This list should include suppliers, vendors and partners contact + information and the services they provide, so they can be contacted for assistance + in the event of an outage or service degradation. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-3 + description: "Contracts with suppliers and third-party partners are used to\ + \ implement appropriate measures designed to meet the objectives of an organization\u2019\ + s cybersecurity program and Cyber Supply Chain Risk Management Plan." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: IMPORTANT_ID.SC-3.1 + description: Based on the results of the cyber supply chain risk assessment, + a contractual framework for suppliers and external partners shall be established + to address sharing of sensitive information and distributed and interconnected + ICT/OT products and services. 
+ annotation: "\u2022\tEntities not subject to the NIS legislation should consider\ + \ business critical suppliers and third-party partners only.\n\u2022\tKeep\ + \ in mind that GDPR requirements need to be fulfilled when business information\ + \ contains personal data (applicable on all levels), i.e. security measures\ + \ need to be addressed in the contractual framework." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.2 + description: "Contractual information security and cybersecurity\u2019 requirements\ + \ for suppliers and third-party partners shall be implemented to ensure a\ + \ verifiable flaw remediation process, and to ensure the correction of flaws\ + \ identified during \u2018information security and cybersecurity\u2019 testing\ + \ and evaluation." + annotation: "\u2022\tInformation systems containing software (or firmware) affected\ + \ by recently announced software flaws (and potential vulnerabilities resulting\ + \ from those flaws) should be identified.\n\u2022\tNewly released security\ + \ relevant patches, service packs, and hot fixes should be installed, and\ + \ these patches, service packs, and hot fixes are tested for effectiveness\ + \ and potential side effects on the organization\u2019s information systems\ + \ before installation. Flaws discovered during security assessments, continuous\ + \ monitoring, incident response activities, or information system error handling\ + \ are also addressed expeditiously. Flaw remediation should be incorporated\ + \ into configuration management as an emergency change." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.3 + description: "The organization shall establish contractual requirements permitting\ + \ the organization to review the \u2018information security and cybersecurity\u2019\ + \ programs implemented by suppliers and third-party partners." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-4 + description: Suppliers and third-party partners are routinely assessed using + audits, test results, or other forms of evaluations to confirm they are meeting + their contractual obligations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: IMPORTANT_ID.SC-4.1 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing audits, test results, and other evaluations." + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: ID.SC-4.2 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing third-party independent audits, test results, and other evaluations." + annotation: The depth of the review should depend on the criticality of delivered + products and services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-5 + description: Response and recovery planning and testing are conducted with suppliers + and third-party providers + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: IMPORTANT_ID.SC-5.1 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in response + and recovery planning activities. + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: ID.SC-5.2 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in testing + and execution of the response and recovery plans. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT (PR) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AC + name: Identity Management, Authentication and Access Control + description: Access to physical and logical assets and associated facilities + is limited to authorized users, processes, and devices, and is managed consistent + with the assessed risk of unauthorized access to authorized activities and + transactions. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-1 + description: Identities and credentials are issued, managed, verified, revoked, + and audited for authorized devices, users and processes + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: BASIC_PR.AC-1.1 + description: 'Identities and credentials for authorized devices and users shall + be managed.' + annotation: "Identities and credentials for authorized devices and users could\ + \ be managed through a password policy. A password policy is a set of rules\ + \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\ + (Not limitative list and measures to be considered as appropriate)\n\u2022\ + \tChange all default passwords.\n\u2022\tEnsure that no one works with administrator\ + \ privileges for daily tasks.\n\u2022\tKeep a limited and updated list of\ + \ system administrator accounts.\n\u2022\tEnforce password rules, e.g. passwords\ + \ must be longer than a state-of-the-art number of characters with a combination\ + \ of character types and changed periodically or when there is any suspicion\ + \ of compromise.\n\u2022\tUse only individual accounts and never share passwords.\n\ + \u2022\tImmediately disable unused accounts\n\u2022\tRights and privileges\ + \ are managed by user groups." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: IMPORTANT_PR.AC-1.2 + description: Identities and credentials for authorized devices and users shall + be managed, where feasible through automated mechanisms. 
+ annotation: "\u2022\tAutomated mechanisms can help to support the management\ + \ and auditing of information system credentials.\n\u2022\tConsider strong\ + \ user authentication, meaning an authentication based on the use of at least\ + \ two authentication factors from different categories of either knowledge\ + \ (something only the user knows), possession (something only the user possesses)\ + \ or inherence (something the user is) that are independent, in that the breach\ + \ of one does not compromise the reliability of the others, and is designed\ + \ in such a way to protect the confidentiality of the authentication data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.3 + description: System credentials shall be deactivated after a specified period + of inactivity unless it would compromise the safe operation of (critical) + processes. + annotation: "\u2022\tTo guarantee the safe operation, service accounts should\ + \ be used for running processes and services.\n\u2022\tConsider the use of\ + \ a formal access procedure for external parties." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.4 + description: "For transactions within the organization's critical systems, the\ + \ organization shall implement:\n\u2022\tmulti-factor end-user authentication\ + \ (MFA or \"strong authentication\").\n\u2022\tcertificate-based authentication\ + \ for system-to-system communications" + annotation: Consider the use of SSO (Single Sign On) in combination with MFA + for the organization's internal and external critical systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.5 + description: "The organization\u2019s critical systems shall be monitored for\ + \ atypical use of system credentials. Credentials associated with significant\ + \ risk shall be disabled." + annotation: "\u2022\tConsider limiting the number of failed login attempts by\ + \ implementing automatic lockout.\n\u2022\tThe locked account won\u2019t be\ + \ accessible until it has been reset or the account lockout duration elapses." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-2 + description: Physical access to assets is managed and protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: BASIC_PR.AC-2.1 + description: Physical access to the facility, servers and network components + shall be managed. + annotation: "\u2022\tConsider to strictly manage keys to access the premises\ + \ and alarm codes. The following rules should be considered:\no\tAlways retrieve\ + \ an employee's keys or badges when they leave the company permanently.\n\ + o\tChange company alarm codes frequently.\no\tNever give keys or alarm codes\ + \ to external service providers (cleaning agents, etc.), unless it is possible\ + \ to trace these accesses and restrict them technically to given time slots.\n\ + \u2022\tConsider to not leaving internal network access outlets accessible\ + \ in public areas. These public places can be waiting rooms, corridors..." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: IMPORTANT_PR.AC-2.2 + description: The management of physical access shall include measures related + to access in emergency situations. + annotation: "\u2022\tPhysical access controls may include, for example: lists\ + \ of authorized individuals, identity credentials, escort requirements, guards,\ + \ fences, turnstiles, locks, monitoring of facility access, camera surveillance.\n\ + \u2022\tThe following measures should be considered:\no\tImplement a badge\ + \ system and create different security zones.\no\tLimit physical access to\ + \ servers and network components to authorized personnel.\no\tLog all access\ + \ to servers and network components.\n\u2022\tVisitor access records should\ + \ be maintained, reviewed and acted upon as required." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.3 + description: Physical access to critical zones shall be controlled in addition + to the physical access to the facility. + annotation: "E.g. production, R&D, organization\u2019s critical systems equipment\ + \ (server rooms\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.4 + description: 'Assets related to critical zones shall be physically protected. ' + annotation: "\u2022\tConsider protecting power equipment, power cabling, network\ + \ cabling, and network access interfaces from accidental damage, disruption,\ + \ and physical tampering.\n\u2022\tConsider implementing redundant and physically\ + \ separated power systems for organization\u2019s critical operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-3 + description: Remote access is managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.1 + description: The organisation's wireless access points shall be secured. + annotation: "Consider the following when wireless networking is used:\n\u2022\ + \tChange the administrative password upon installation of a wireless access\ + \ points.\n\u2022\tSet the wireless access point so that it does not broadcast\ + \ its Service Set Identifier (SSID).\n\u2022\tSet your router to use at least\ + \ WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced\ + \ Encryption Standard (AES) for encryption.\n\u2022\tEnsure that wireless\ + \ internet access to customers is separated from your business network.\n\u2022\ + \tConnecting to unknown or unsecured / guest wireless access points, should\ + \ be avoided, and if unavoidable done through an encrypted virtual private\ + \ network (VPN) capability.\n\u2022\tManage all endpoint devices (fixed and\ + \ mobile) according to the organization's security policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.2 + description: The organization's networks when accessed remotely shall be secured, + including through multi-factor authentication (MFA). + annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, + remote desktop, and Virtual Private Network (VPNs). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: IMPORTANT_PR.AC-3.3 + description: "Usage restrictions, connection requirements, implementation guidance,\ + \ and authorizations for remote access to the organization\u2019s critical\ + \ systems environment shall be identified, documented and implemented. " + annotation: "Consider the following:\n\u2022\tRemote access methods include,\ + \ for example, wireless, broadband, Virtual Private Network (VPN) connections,\ + \ mobile device connections, and communications through external networks.\n\ + \u2022\tLogin credentials should be in line with company's user authentication\ + \ policies.\n\u2022\tRemote access for support activities or maintenance of\ + \ organizational assets should be approved, logged, and performed in a manner\ + \ that prevents unauthorized access.\n\u2022\tThe user should be made aware\ + \ of any remote connection to its device by a visual indication." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.4 + description: "Remote access to the organization\u2019s critical systems shall\ + \ be monitored and cryptographic mechanisms shall be implemented where determined\ + \ necessary." + annotation: This should include that only authorized use of privileged functions + from remote access is allowed. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.5 + description: The security for connections with external systems shall be verified + and framed by documented agreements. + annotation: Access from pre-defined IP addresses could be considered. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-4 + description: Access permissions and authorizations are managed, incorporating + the principles of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.1 + description: "Access permissions for users to the organization\u2019s systems\ + \ shall be defined and managed." + annotation: "The following should be considered:\n\u2022\tDraw up and review\ + \ regularly access lists per system (files, servers, software, databases,\ + \ etc.), possibly through analysis of the Active Directory in Windows-based\ + \ systems, with the objective of determining who needs what kind of access\ + \ (privileged or not), to what, to perform their duties in the organization.\n\ + \u2022\tSet up a separate account for each user (including any contractors\ + \ needing access) and require that strong, unique passwords be used for each\ + \ account.\n\u2022\tEnsure that all employees use computer accounts without\ + \ administrative privileges to perform typical work functions. This includes\ + \ separation of personal and admin accounts.\n\u2022\tFor guest accounts,\ + \ consider using the minimal privileges (e.g. internet access only) as required\ + \ for your business needs.\n\u2022\tPermission management should be documented\ + \ in a procedure and updated when appropriate.\n\u2022\tUse 'Single Sign On'\ + \ (SSO) when appropriate." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.2 + description: It shall be identified who should have access to the organization's + business's critical information and technology and the means to get access. + annotation: 'Means to get access may include: a key, password, code, or administrative + privilege.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.3 + description: 'Employee access to data and information shall be limited to the + systems and specific information they need to do their jobs (the principle + of Least Privilege).' + annotation: "The principle of Least Privilege should be understood as the principle\ + \ that a security architecture should be designed so that each employee is\ + \ granted the minimum system resources and authorizations that the employee\ + \ needs to perform its function. Consider to:\n\u2022\tNot allow any employee\ + \ to have access to all the business\u2019s information.\n\u2022\tLimit the\ + \ number of Internet accesses and interconnections with partner networks to\ + \ the strict necessary to be able to centralize and homogenize the monitoring\ + \ of exchanges more easily.\n\u2022\tEnsure that when an employee leaves the\ + \ business, all access to the business\u2019s information or systems is blocked\ + \ instantly." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.4 + description: 'Nobody shall have administrator privileges for daily tasks.' 
+ annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\ + \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\ + \ administration tasks.\n\u2022\tCreate unique local administrator passwords\ + \ and disable unused accounts.\n\u2022\tConsider prohibiting Internet browsing\ + \ from administrative accounts." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.5 + description: Where feasible, automated mechanisms shall be implemented to support + the management of user accounts on the organisation's critical systems, including + disabling, monitoring, reporting and deleting user accounts. + annotation: Consider separately identifying each person with access to the organization's + critical systems with a username to remove generic and anonymous accounts + and access. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.6 + description: Separation of duties (SoD) shall be ensured in the management of + access rights. + annotation: "Separation of duties includes, for example:\n\u2022\tdividing operational\ + \ functions and system support functions among different roles.\n\u2022\t\ + conducting system support functions with different individuals.\n\u2022\t\ + not allow a single individual to both initiate and approve a transaction (financial\ + \ or otherwise).\n\u2022\tensuring that security personnel administering access\ + \ control functions do not also administer audit functions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.7 + description: Priviliged users shall be managed and monitored. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.8 + description: Account usage restrictions for specific time periods and locations + shall be taken into account in the organization's security access policy and + applied accordingly. + annotation: Specific restrictions can include, for example, restricting usage + to certain days of the week, time of day, or specific durations of time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.9 + description: Priviliged users shall be managed, monitored and audited. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-5 + description: Network integrity is protected (e.g., network segregation, network + segmentation) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.1 + description: Firewalls shall be installed and activated on all the organization's + networks. + annotation: "Consider the following:\n\u2022\tInstall and operate a firewall\ + \ between your internal network and the Internet. 
This may be a function of\ + \ a (wireless) access point/router, or it may be a function of a router provided\ + \ by the Internet Service Provider (ISP).\n\u2022\tEnsure there is antivirus\ + \ software installed on purchased firewall solutions and ensure that the administrator\u2019\ + s log-in and administrative password is changed upon installation and regularly\ + \ thereafter.\n\u2022\tInstall, use, and update a software firewall on each\ + \ computer system (including smart phones and other networked devices).\n\u2022\ + \tHave firewalls on each of your computers and networks even if you use a\ + \ cloud service provider or a virtual private network (VPN). Ensure that for\ + \ telework home network and systems have hardware and software firewalls installed,\ + \ operational, and regularly updated.\n\u2022\tConsider installing an Intrusion\ + \ Detection / Prevention System (IDPS). These devices analyze network traffic\ + \ at a more detailed level and can provide a greater level of protection." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.2 + description: Where appropriate, network integrity of the organization's critical + systems shall be protected by incorporating network segmentation and segregation. + annotation: "\u2022\tConsider creating different security zones in the network\ + \ (e.g. Basic network segmentation through VLAN\u2019s or other network access\ + \ control mechanisms) and control/monitor the traffic between these zones.\n\ + \u2022\tWhen the network is \"flat\", the compromise of a vital network component\ + \ can lead to the compromise of the entire network." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.3 + description: 'Where appropriate, network integrity of the organization''s critical + systems shall be protected by + (1) Identifying, documenting, and controlling connections between system components. + (2) Limiting external connections to the organization''s critical systems.' + annotation: Boundary protection mechanisms include, for example, routers, gateways, + unidirectional gateways, data diodes, and firewalls separating system components + into logically separate networks or subnetworks. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.4 + description: 'The organization shall monitor and control connections and communications + at the external boundary and at key internal boundaries within the organization''s + critical systems by implementing boundary protection devices where appropriate. ' + annotation: "Consider implementing the following recommendations:\n\u2022\t\ + Separate your public WIFI network from your business network.\n\u2022\tProtect\ + \ your business WIFI with state-of-the-art encryption.\n\u2022\tImplement\ + \ a Network Access Control (NAC) solution.\n\u2022\tEncrypt connections to\ + \ your corporate network.\n\u2022\tDivide your network according to security\ + \ levels and apply firewall rules. Isolate your networks for server administration.\n\ + \u2022\tForce VPN on public networks.\n\u2022\tImplement a closed policy for\ + \ security gateways (deny all policy: only allow/open connections that have\ + \ been explicitly pre-authorized)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.5 + description: The organization shall implement, where feasible, authenticated + proxy servers for defined communications traffic between the organization's + critical systems and external networks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.6 + description: The organization shall ensure that the organization's critical + systems fail safely when a border protection device fails operationally. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-6 + description: Identities are proofed and bound to credentials and asserted in + interactions + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: IMPORTANT_PR.AC-6.1 + description: The organization shall implement documented procedures for verifying + the identity of individuals before issuing credentials that provide access + to organization's systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: PR.AC-6.2 + description: The organization shall ensure the use of unique credentials bound + to each verified user, device, and process interacting with the organization's + critical systems; make sure that they are authenticated, and that the unique + identifiers are captured when performing system interactions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-7 + description: "Users, devices, and other assets are authenticated (e.g., single-factor,\ + \ multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019\ + \ security and privacy risks and other organizational risks)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + ref_id: IMPORTANT_PR.AC-7.1 + description: "The organization shall perform a documented risk assessment on\ + \ organization's critical system transactions and authenticate users, devices,\ + \ and other assets (e.g., single-factor, multi-factor) commensurate with the\ + \ risk of the transaction (e.g., individuals\u2019 security and privacy risks\ + \ and other organizational risks)." + annotation: Consider a security-by-design approach for new systems; For existing + systems a separate risk assessment should be used. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AT + name: Awareness and Training + description: "The organization\u2019s personnel and partners are provided cybersecurity\ + \ awareness education and are trained to perform their cybersecurity-related\ + \ duties and responsibilities consistent with related policies, procedures,\ + \ and agreements." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-1 + description: 'All users are informed and trained ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.at-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: BASIC_PR.AT-1.1 + description: Employees shall be trained as appropriate. + annotation: "\u2022\tEmployees include all users and managers of the ICT/OT\ + \ systems, and they should be trained immediately when hired and regularly\ + \ thereafter about the company\u2019s information security policies and what\ + \ they will be expected to do to protect company\u2019s business information\ + \ and technology.\n\u2022\tTraining should be continually updated and reinforced\ + \ by awareness campaigns." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: IMPORTANT_PR.AT-1.2 + description: The organization shall incorporate insider threat recognition and + reporting into security awareness training. 
+ annotation: "Consider to:\n\u2022\tCommunicate and discuss regularly to ensure\ + \ that everyone is aware of their responsibilities.\n\u2022\tDevelop an outreach\ + \ program by gathering in a document the messages you want to convey to your\ + \ staff (topics, audiences, objectives, etc.) and your communication rhythm\ + \ on a calendar (weekly, monthly, one-time, etc.). Communicate continuously\ + \ and in an engaging way, involving management, IT colleagues, the ICT service\ + \ provider and HR and Communication managers.\n\u2022\tCover topics such as:\ + \ recognition of fraud attempts, phishing, management of sensitive information,\ + \ incidents, etc. The goal is for all employees to understand ways to protect\ + \ company information.\n\u2022\tDiscuss with your management, your ICT colleagues,\ + \ or your ICT service provider some practice scenarios (e.g. what to do if\ + \ a virus alert is triggered, if a storm cuts off the power, if data is blocked,\ + \ if an account is hacked, etc.), determine what behaviours to adopt, document\ + \ and communicate them to all your staff. The central point of contact in\ + \ the event of an incident should be known to all.\n\u2022\tOrganize a simulation\ + \ of a scenario to test your knowledge. Consider performing the exercise for\ + \ example at least once a year." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: PR.AT-1.3 + description: The organization shall implement an evaluation method to measure + the effectiveness of the awareness trainings. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-2 + description: 'Privileged users understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + ref_id: IMPORTANT_PR.AT-2.1 + description: Privileged users shall be qualified before privileges are granted, + and these users shall be able to demonstrate the understanding of their roles, + responsibilities, and authorities. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-3 + description: 'Third-party stakeholders (e.g., suppliers, customers, partners) + understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.1 + description: "The organization shall establish and enforce security requirements\ + \ for business-critical third-party providers and users.\t" + annotation: "Enforcement should include that \u2018third party stakeholder\u2019\ + -users (e.g. suppliers, customers, partners) can demonstrate the understanding\ + \ of their roles and responsibilities." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.2 + description: "Third-party providers shall be required to notify any personnel\ + \ transfers, termination, or transition involving personnel with physical\ + \ or logical access to organization's business critical system's components.\t" + annotation: Third-party providers include, for example, service providers, contractors, + and other organizations providing system development, technology services, + outsourced applications, or network and security management. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.3 + description: The organization shall monitor business critical service providers + and users for security compliance. + annotation: Third party audit results can be used as audit evidence. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: PR.AT-3.4 + description: The organization shall audit business-critical external service + providers for security compliance. + annotation: Third party audit results can be used as audit evidence. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-4 + description: 'Senior executives understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + ref_id: IMPORTANT_PR.AT-4.1 + description: Senior executives shall demonstrate the understanding of their + roles, responsibilities, and authorities. + annotation: Guidance on role profiles along with their identified titles, missions, + tasks, skills, knowledge, competences is available in the "European Cybersecurity + Skills Framework Role Profiles" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles + ) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-5 + description: 'Physical and cybersecurity personnel understand their roles and + responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + ref_id: IMPORTANT_PR.AT-5.1 + description: The organization shall ensure that personnel responsible for the + physical protection and security of the organization's critical systems and + facilities are qualified through training before privileges are granted, and + that they understand their responsibilities. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.DS + name: Data Security + description: "Information and records (data) are managed consistent with the\ + \ organization\u2019s risk strategy to protect the confidentiality, integrity,\ + \ and availability of information." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-1 + description: Data-at-rest is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + ref_id: PR.DS-1.1 + description: "The organization shall protect its critical system information\ + \ determined to be critical/ sensitive while at rest.\t" + annotation: "\u2022\tConsider using encryption techniques for data storage,\ + \ data transmission or data transport (e.g., laptop, USB).\n\u2022\tConsider\ + \ encrypting end-user devices and removable media containing sensitive data\ + \ (e.g. hard disks, laptops, mobile device, USB storage devices, \u2026).\ + \ This could be done by e.g. Windows BitLocker\xAE, VeraCrypt, Apple FileVault\xAE\ + , Linux\xAE dm-crypt,\u2026\n\u2022\tConsider encrypting sensitive data stored\ + \ in the cloud. The below measures should be considered:\n\u2022\tImplement\ + \ dedicated safeguards to prevent unauthorized access, distortion, or modification\ + \ of system data and audit records (e.g. restricted access rights, daily backups,\ + \ data encryption, firewall installation).\n\u2022\tEncrypt hard drives, external\ + \ media, stored files, configuration files and data stored in the cloud." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-2 + description: Data-in-transit is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + ref_id: PR.DS-2.1 + description: The organization shall protect its critical system information + determined to be critical when in transit. + annotation: When the organization often sends sensitive documents or e-mails, + it is recommended to encrypt those documents and/or e-mails with appropriate, + supported, and authorized software tools. If you send sensitive documents + or emails, you may want to consider encrypting those documents and/or emails + with appropriate, supported, and authorized software tools. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-3 + description: Assets are formally managed throughout removal, transfers, and + disposition + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ds-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: BASIC_PR.DS-3.1 + description: Assets and media shall be disposed of safely. + annotation: "\u2022\tWhen eliminating tangible assets like business computers/laptops,\ + \ servers, hard drive(s) and other storage media (USB drives, paper\u2026\ + ), ensure that all sensitive business or personal data are securely deleted\ + \ (i.e. electronically \u201Cwiped\u201D) before they are removed and then\ + \ physically destroyed (or re-commissioned). 
This is also known as \u201C\ + sanitization\u201D and thus related to the requirement and guidance in PR.IP-6.\n\ + \u2022\tConsider installing a remote-wiping application on company laptops,\ + \ tablets, cell phones, and other mobile devices." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.2 + description: The organization shall enforce accountability for all its business-critical + assets throughout the system lifecycle, including removal, transfers, and + disposition. + annotation: "Accountability should include:\n\u2022\tThe authorization for business-critical\ + \ assets to enter and exit the facility.\n\u2022\tMonitoring and maintaining\ + \ documentation related to the movements of business-critical assets." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.3 + description: The organization shall ensure that the necessary measures are taken + to deal with loss, misuse, damage, or theft of assets. + annotation: "This can be done by policies, processes & procedures (reporting),\ + \ technical & organizational means (encryption, Access Control (AC), Mobile\ + \ Device Management (MDM), monitoring, secure wipe, awareness, signed user\ + \ agreement, guidelines & manuals, backups, inventory update \u2026)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: PR.DS-3.4 + description: The organization shall ensure that disposal actions are approved, + tracked, documented, and verified. 
+ annotation: Disposal actions include media sanitization actions (See PR.IP-6) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-4 + description: Adequate capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.1 + description: Capacity planning shall ensure adequate resources for organization's + critical system information processing, networking, telecommunications, and + data storage. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.2 + description: Audit data from the organization's critical systems shall be moved + to an alternative system. + annotation: Be aware that log services can become a bottleneck and hinder the + correct functioning of the source systems. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: PR.DS-4.3 + description: "The organization\u2019s critical systems shall be protected against\ + \ denial-of-service attacks or at least the effect of such attacks will be\ + \ limited." + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-5 + description: Protections against data leaks are implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + ref_id: IMPORTANT_PR.DS-5.1 + description: The organization shall take appropriate actions resulting in the + monitoring of its critical systems at external borders and critical internal + points when unauthorized access and activities, including data leakage, is + detected. + annotation: "\u2022\tConsider implementing dedicated protection measures (restricted\ + \ access rights, daily backups, data encryption, installation of firewalls,\ + \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\ + \ configuration of the central directory (Active Directory in Windows environment),\ + \ with specific focus on the access to data of key persons in the company." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-6 + description: Integrity checking mechanisms are used to verify software, firmware, + and information integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: IMPORTANT_PR.DS-6.1 + description: The organization shall implement software, firmware, and information + integrity checks to detect unauthorized changes to its critical system components + during storage, transport, start-up and when determined necessary. 
+ annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.2 + description: The organization shall implement automated tools where feasible + to provide notification upon discovering discrepancies during integrity verification. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.3 + description: The organization shall implement automatic response capability + with pre-defined security safeguards when integrity violations are discovered. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-7 + description: The development and testing environment(s) are separate from the + production environment + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + ref_id: PR.DS-7.1 + description: The development and test environment(s) shall be isolated from + the production environment. + annotation: "\u2022\tAny change one wants to make to the ICT/OT environment\ + \ should first be tested in an environment that is different and separate\ + \ from the production environment (operational environment) before that change\ + \ is effectively implemented . 
That way, the effect of those changes can be\ + \ analysed and adjustments can be made without disrupting operational activities.\n\ + \u2022\tConsider adding and testing cybersecurity features as early as during\ + \ development (secure development lifecycle principles). \u2022\tAny change\ + \ one wants to make to the ICT/OT environment should first be tested in an\ + \ environment that is different and separate from the production environment\ + \ (operational environment) before that change is effectively implemented\ + \ . That way, the effect of those changes can be analysed and adjustments\ + \ can be made without disrupting operational activities.\n\u2022\tConsider\ + \ adding and testing cybersecurity features as early as during development\ + \ (secure development lifecycle principles)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-8 + description: Integrity checking mechanisms are used to verify hardware integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.1 + description: The organization shall implement hardware integrity checks to detect + unauthorized tampering to its critical system's hardware. + annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.2 + description: The organization shall incorporate the detection of unauthorized + tampering to its critical system's hardware into the organization incident + response capability. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.IP + name: Information Protection Processes and Procedures + description: 'Security policies (that address purpose, scope, roles, responsibilities, + management commitment, and coordination among organizational entities), processes, + and procedures are maintained and used to manage protection of information + systems and assets.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-1 + description: A baseline configuration of information technology/industrial control + systems is created and maintained incorporating security principles (e.g. + concept of least functionality) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: IMPORTANT_PR.IP-1.1 + description: 'The organization shall develop, document, and maintain a baseline + configuration for the its business critical systems. 
' + annotation: "\u2022\tThis control includes the concept of least functionality.\n\ + \u2022\tBaseline configurations include for example, information about organization's\ + \ business critical systems, current version numbers and patch information\ + \ on operating systems and applications, configuration settings/parameters,\ + \ network topology, and the logical placement of those components within the\ + \ system architecture.\n\u2022\tNetwork topology should include the nerve\ + \ points of the IT/OT environment (external connections, servers hosting data\ + \ and/or sensitive functions, DNS services security, etc.)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: PR.IP-1.2 + description: The organization shall configure its business-critical systems + to provide only essential capabilities; Therefore the baseline configuration + shall be reviewed, and unnecessary capabilities disabled. + annotation: "\u2022\tConfiguration of a system to provide only organization-defined\ + \ mission essential capabilities is known as the \u201Cconcept of least functionality\u201D\ + .\n\u2022\tCapabilities include functions, ports, protocols, software, and/or\ + \ services." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-2 + description: A System Development Life Cycle to manage systems is implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: IMPORTANT_PR.IP-2.1 + description: The system and application development life cycle shall include + security considerations. 
+ annotation: "\u2022\tSystem and application development life cycle should include\ + \ the acquisition process of the organization's business critical systems\ + \ and its components.\n\u2022\tVulnerability awareness and prevention training\ + \ for (web application) developers, and advanced social engineering awareness\ + \ training for high-profile roles should be considered.\n\u2022\tWhen hosting\ + \ internet facing applications the implementation of a web application firewall\ + \ (WAF) should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: PR.IP-2.2 + description: The development process for critical systems and system components + shall cover the full design cycle and shall provide a description of the functional + properties of security controls, and design and implementation information + for security-relevant system interfaces. + annotation: "The development cycle includes:\n\u2022\tAll development phases:\ + \ specification , design, development, implementation.\n\u2022\tConfiguration\ + \ management for planned and unplanned changes and change control during the\ + \ development.\n\u2022\tFlaw tracking & resolution.\n\u2022\tSecurity testing." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-3 + description: Configuration change control processes are in place + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: IMPORTANT_PR.IP-3.1 + description: Changes shall be tested and validated before being implemented + into operational systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: PR.IP-3.2 + description: For planned changes to the organization's critical systems, a security + impact analysis shall be performed in a separate test environment before implementation + in an operational environment. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-4 + description: 'Backups of information are conducted, maintained, and tested ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: BASIC_PR.IP-4.1 + description: Backups for organization's business critical data shall be conducted + and stored on a system different from the device on which the original data + resides + annotation: "\u2022\tOrganization's business critical system's data includes\ + \ for example software, configurations and settings, documentation, system\ + \ configuration data including computer configuration backups, application\ + \ configuration backups, etc.\n\u2022\tConsider a regular backup and put it\ + \ offline periodically.\n\u2022\tRecovery time and recovery point objectives\ + \ should be considered.\n\u2022\tConsider not storing the organization's data\ + \ backup on the same network as the system on which the original data resides\ + \ and provide an offline copy. Among other things, this prevents file encryption\ + \ by hackers (risk of ransomware)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.2 + description: The reliability and integrity of backups shall be verified and + tested on regular basis. + annotation: This should include regularly testing of the backup restore procedures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.3 + description: A separate alternate storage site for system backups shall be operated + and the same security safeguards as the primary storage location shall be + employed. + annotation: An offline backup of your data is ideally stored in a separate physical + location from the original data source and where feasible offsite for extra + protection and security. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.4 + description: Backup verification shall be coordinated with the functions in + the organization that are responsible for related plans. + annotation: "\u2022\tRelated plans include, for example, Business Continuity\ + \ Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications\ + \ Plans, Critical Infrastructure Plans, and Cyber Incident response plans.\n\ + \u2022\tRestoration of backup data during contingency plan testing should\ + \ be provided." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.5 + description: Critical system backup shall be separated from critical information + backup. 
+ annotation: Seperation of critical system backup from critical information backup + should lead to a shorter recovery time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-5 + description: Policy and regulations regarding the physical operating environment + for organizational assets are met + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: IMPORTANT_PR.IP-5.1 + description: The organization shall define, implement, and enforce policy and + procedures regarding emergency and safety systems, fire protection systems, + and environment controls for its critical systems. + annotation: "The below measures should be considered:\n\u2022\tProtect unattended\ + \ computer equipment with padlocks or a locker and key system.\n\u2022\tFire\ + \ suppression mechanisms should take the organization's critical system environment\ + \ into account (e.g., water sprinkler systems could be hazardous in specific\ + \ environments)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: PR.IP-5.2 + description: The organization shall implement fire detection devices that activate + and notify key personnel automatically in the event of a fire. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-6 + description: Data is destroyed according to policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: IMPORTANT_PR.IP-6.1 + description: The organization shall ensure that its critical system's data is + destroyed according to policy. + annotation: "\u2022\tDisposal actions include media sanitization actions (See\ + \ PR.DS-3)\n\u2022\tThere are two primary types of media in common use:\n\ + o\tHard copy media (physical representations of information)\no\tElectronic\ + \ or soft copy media (the bits and bytes contained in hard drives, random\ + \ access memory (RAM), read-only memory (ROM), disks, memory devices, phones,\ + \ mobile computing devices, networking equipment\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: PR.IP-6.2 + description: Sanitation processes shall be documented and tested. + annotation: "\u2022\tSanitation processes include procedures and equipment.\n\ + \u2022\tConsider applying non-destructive sanitization techniques to portable\ + \ storage devices.\n\u2022\tConsider sanitation procedures in proportion to\ + \ confidentiality requirements." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-7 + description: Protection processes are improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: IMPORTANT_PR.IP-7.1 + description: The organization shall incorporate improvements derived from the + monitoring, measurements, assessments, and lessons learned into protection + process updates (continuous improvement). + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.2 + description: The organization shall implement independent teams to assess the + protection process(es). + annotation: 'Independent teams, for example, may include internal or external + impartial personnel. + + Impartiality implies that assessors are free from any perceived or actual + conflicts of interest regarding the development, operation, or management + of the organization''s critical system under assessment or to the determination + of security control effectiveness.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.3 + description: The organization shall ensure that the security plan for its critical + systems facilitates the review, testing, and continual improvement of the + security protection processes. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-8 + description: 'Effectiveness of protection technologies is shared ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.1 + description: The organization shall collaborate and share information about + its critical system's related security incidents and mitigation measures with + designated partners. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.2 + description: Communication of effectiveness of protection technologies shall + be shared with appropriate parties. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.3 + description: The organization shall implement, where feasible, automated mechanisms + to assist in information collaboration. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-9 + description: Response plans (Incident Response and Business Continuity) and + recovery plans (Incident Recovery and Disaster Recovery) are in place and + managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-9.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: IMPORTANT_PR.IP-9.1 + description: Incident response plans (Incident Response and Business Continuity) + and recovery plans (Incident Recovery and Disaster Recovery) shall be established, + maintained, approved, and tested to determine the effectiveness of the plans, + and the readiness to execute the plans. + annotation: "\u2022\tThe incident response plan is the documentation of a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tPlans should incorporate recovery\ + \ objectives, restoration priorities, metrics, contingency roles, personnel\ + \ assignments and contact information.\n\u2022\tMaintaining essential functions\ + \ despite system disruption, and the eventual restoration of the organization\u2019\ + s systems, should be addressed.\n\u2022\tConsider defining incident types,\ + \ resources and management support needed to effectively maintain and mature\ + \ the incident response and contingency capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: PR.IP-9.2 + description: The organization shall coordinate the development and the testing + of incident response plans and recovery plans with stakeholders responsible + for related plans. 
+ annotation: Related plans include, for example, Business Continuity Plans, Disaster + Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, + Critical Infrastructure Plans, Cyber incident response plans, and Occupant + Emergency Plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-11 + description: Cybersecurity is included in human resources practices (e.g., deprovisioning, + personnel screening) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-11.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: BASIC_PR.IP-11.1 + description: "Personnel having access to the organization\u2019s most critical\ + \ information or technology shall be verified." + annotation: "\u2022\tThe access to critical information or technology should\ + \ be considered when recruiting, during employment and at termination.\n\u2022\ + \tBackground verification checks should take into consideration applicable\ + \ laws, regulations, and ethics in proportion to the business requirements,\ + \ the classification of the information to be accessed and the perceived risks." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-11.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: IMPORTANT_PR.IP-11.2 + description: Develop and maintain a human resource information/cyber security + process that is applicable when recruiting, during employment and at termination + of employment. 
+ annotation: "The human resource information/cyber security process should include\ + \ access to critical information or technology; background verification checks;\ + \ code of conduct; roles, authorities, and responsibilities\u2026" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-12 + description: A vulnerability management plan is developed and implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-12.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + ref_id: IMPORTANT_PR.IP-12.1 + description: The organization shall establish and maintain a documented process + that allows continuous review of vulnerabilities and strategies to mitigate + them. + annotation: "\u2022\tConsider inventorying sources likely to report vulnerabilities\ + \ in the identified components and distribute updates (software publisher\ + \ websites, CERT website, ENISA website).\n\u2022\tThe organization should\ + \ identify where its critical system's vulnerabilities may be exposed to adversaries." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.MA + name: Maintenance + description: Maintenance and repairs of industrial control and information system + components are performed consistent with policies and procedures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-1 + description: Maintenance and repair of organizational assets are performed and + logged, with approved and controlled tools + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ma-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: BASIC_PR.MA-1.1 + description: Patches and security updates for Operating Systems and critical + system components shall be installed. + annotation: "The following should be considered:\n\u2022\tLimit yourself to\ + \ only install those applications (operating systems, firmware, or plugins\ + \ ) that you need to run your business and patch/update them regularly.\n\u2022\ + \tYou should only install a current and vendor-supported version of software\ + \ you choose to use. It may be useful to assign a day each month to check\ + \ for patches.\n\u2022\tThere are products which can scan your system and\ + \ notify you when there is an update for an application you have installed.\ + \ If you use one of these products, make sure it checks for updates for every\ + \ application you use.\n\u2022\tInstall patches and security updates in a\ + \ timely manner." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.2 + description: The organization shall plan, perform and document preventive maintenance + and repairs on its critical system components according to approved processes + and tools. + annotation: 'Consider the below measures: + (1) Perform security updates on all software in a timely manner. + (2) Automate the update process and audit its effectiveness. 
+ (3) Introduce an internal patching culture on desktops, mobile devices, servers, + network components, etc. to ensure updates are tracked.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.3 + description: The organization shall enforce approval requirements, control, + and monitoring of maintenance tools for use on the its critical systems. + annotation: Maintenance tools can include, for example, hardware/software diagnostic + test equipment, hardware/software packet sniffers and laptops. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.4 + description: The organization shall verify security controls following hardware + maintenance or repairs, and take action as appropriate. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.5 + description: The organization shall prevent the unauthorized removal of maintenance + equipment containing organization's critical system information. + annotation: This requirement maily focuses mainly on OT/ICS environments. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.6 + description: 'Maintenance tools and portable storage devices shall be inspected + when brought into the facility and shall be protected by anti-malware solutions + so that they are scanned for malicious code before they are used on organization''s + systems.' + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.7 + description: The organization shall verify security controls following hardware + and software maintenance or repairs/patching and take action as appropriate. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-2 + description: Remote maintenance of organizational assets is approved, logged, + and performed in a manner that prevents unauthorized access + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.1 + description: Remote maintenance shall only occur after prior approval, monitoring + to avoid unauthorised access, and approval of the outcome of the maintenance + activities as described in approved processes or procedures. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.2 + description: The organization shall make sure that strong authenticators, record + keeping, and session termination for remote maintenance is implemented. 
+ annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: PR.MA-2.3 + description: The organization shall require that diagnostic services pertaining + to remote maintenance be performed from a system that implements a security + capability comparable to the capability implemented on the equivalent organization's + critical system. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.PT + name: Protective Technology + description: Technical security solutions are managed to ensure the security + and resilience of systems and assets, consistent with related policies, procedures, + and agreements. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-1 + description: Audit/log records are determined, documented, implemented, and + reviewed in accordance with policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: BASIC_PR.PT-1.1 + description: ' Logs shall be maintained, documented, and reviewed.' + annotation: "\u2022\tEnsure the activity logging functionality of protection\ + \ / detection hardware or software (e.g. firewalls, anti-virus) is enabled.\n\ + \u2022\tLogs should be backed up and saved for a predefined period.\n\u2022\ + \tThe logs should be reviewed for any unusual or unwanted trends, such as\ + \ a large use of social media websites or an unusual number of viruses consistently\ + \ found on a particular computer. 
These trends may indicate a more serious\ + \ problem or signal the need for stronger protections in a particular area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: IMPORTANT_PR.PT-1.2 + description: 'The organization shall ensure that the log records include an + authoritative time source or internal clock time stamp that are compared and + synchronized to an authoritative time source. ' + annotation: Authoritative time sources include for example, an internal Network + Time Protocol (NTP) server, radio clock, atomic clock, GPS time source. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.3 + description: "The organization shall ensure that audit processing failures on\ + \ the organization's systems generate alerts and trigger defined responses.\t" + annotation: The use of System Logging Protocol (Syslog) servers can be considered. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.4 + description: The organization shall enable authorized individuals to extend + audit capabilities when required by events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-2 + description: Removable media is protected and its use restricted according to + policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.1 + description: The usage restriction of portable storage devices shall be ensured + through an appropriate documented policy and supporting safeguards. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.2 + description: The organisation should technically prohibit the connection of + removable media unless strictly necessary; in other instances, the execution + of autoruns from such media should be disabled. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: PR.PT-2.3 + description: Portable storage devices containing system data shall be controlled + and protected while in transit and in storage. + annotation: Protection and control should include the scanning of all portable + storage devices for malicious code before they are used on organization's + systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-3 + description: The principle of least functionality is incorporated by configuring + systems to provide only essential capabilities + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: IMPORTANT_PR.PT-3.1 + description: The organization shall configure the business critical systems + to provide only essential capabilities. + annotation: Consider applying the principle of least functionality to access + systems and assets (see also PR.AC-4). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.2 + description: The organization shall disable defined functions, ports, protocols, + and services within its critical systems that it deems unnecessary. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.3 + description: The organization shall implement technical safeguards to enforce + a deny-all, permit-by-exception policy to only allow the execution of authorized + software programs. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-4 + description: Communications and control networks are protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: BASIC_PR.PT-4.1 + description: Web and e-mail filters shall be installed and used. + annotation: "\u2022\tE-mail filters should detect malicious e-mails, and filtering\ + \ should be configured based on the type of message attachments so that files\ + \ of the specified types are automatically processed (e.g. deleted).\n\u2022\ + \tWeb-filters should notify the user if a website may contain malware and\ + \ potentially preventing users from accessing that website." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.2 + description: The organization shall control the information flows/data flows + within its critical systems and between interconnected systems. + annotation: "Consider the following:\n\u2022\tInformation flow may be supported,\ + \ for example, by labelling or colouring physical connectors as an aid to\ + \ manual hook-up.\n\u2022\tInspection of message content may enforce information\ + \ flow policy. For example, a message containing a command to an actuator\ + \ may not be permitted to flow between the control network and any other network.\n\ + \u2022\tPhysical addresses (e.g., a serial port) may be implicitly or explicitly\ + \ associated with labels or attributes (e.g., hardware I/O address). Manual\ + \ methods are typically static. 
Label or attribute policy mechanisms may be\ + \ implemented in hardware, firmware, and software that controls or has device\ + \ access, such as device drivers and communications controllers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.3 + description: The organization shall manage the interface for external communication + services by establishing a traffic flow policy, protecting the confidentiality + and integrity of the information being transmitted; This includes the review + and documenting of each exception to the traffic flow policy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT (DE) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.AE + name: Anomalies and Events + description: Anomalous activity is detected and the potential impact of events + is understood. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-1 + description: A baseline of network operations and expected data flows for users + and systems is established and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + ref_id: DE.AE-1.1 + description: The organization shall ensure that a baseline of network operations + and expected data flows for its critical systems is developed, documented + and maintained to track events. 
+ annotation: "\u2022\tConsider enabling local logging on all your systems and\ + \ network devices and keep them for a certain period, for example up to 6\ + \ months.\n\u2022\tEnsure that your logs contain enough information (source,\ + \ date, user, timestamp, etc.) and that you have enough storage space for\ + \ their generation.\n\u2022\tConsider centralizing your logs.\n\u2022\tConsider\ + \ deploying a Security Information and Event Management tool (SIEM) that will\ + \ facilitate the correlation and analysis of your data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-2 + description: Detected events are analyzed to understand attack targets and methods + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: IMPORTANT_DE.AE-2.1 + description: The organization shall review and analyze detected events to understand + attack targets and methods. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: DE.AE-2.2 + description: 'The organization shall implement automated mechanisms where feasible + to review and analyze detected events. ' + annotation: Consider to review your logs regularly to identify anomalies or + abnormal events. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-3 + description: Event data are collected and correlated from multiple sources and + sensors + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.ae-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: BASIC_DE.AE-3.1 + description: "The activity logging functionality of protection / detection hardware\ + \ or software \n(e.g. firewalls, anti-virus) shall be enabled, backed-up and\ + \ reviewed." + annotation: "\u2022\tLogs should be backed up and saved for a predefined period.\n\ + \u2022\tThe logs should be reviewed for any unusual or unwanted trends, such\ + \ as a large use of social media websites or an unusual number of viruses\ + \ consistently found on a particular computer. These trends may indicate a\ + \ more serious problem or signal the need for stronger protections in a particular\ + \ area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: IMPORTANT_DE.AE-3.2 + description: The organization shall ensure that event data is compiled and correlated + across its critical systems using various sources such as event reports, audit + monitoring, network monitoring, physical access monitoring, and user/administrator + reports. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: DE.AE-3.3 + description: The organization shall integrate analysis of events where feasible + with the analysis of vulnerability scanning information; performance data; + its critical system's monitoring, and facility monitoring to further enhance + the ability to identify inappropriate or unusual activity. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-4 + description: Impact of events is determined + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + ref_id: DE.AE-4.1 + description: "Negative impacts to organization\u2019s operations, assets, and\ + \ individuals resulting from detected events shall be determined and correlated\ + \ with risk assessment outcomes." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-5 + description: Incident alert thresholds are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.1 + description: The organization shall implement automated mechanisms and system + generated alerts to support event detection and to assist in the identification + of security alert thresholds. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.2 + description: The organization shall define incident alert thresholds. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.CM + name: Security Continuous Monitoring + description: The information system and assets are monitored to identify cybersecurity + events and verify the effectiveness of protective measures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-1 + description: The network is monitored to detect potential cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: BASIC_DE.CM-1.1 + description: Firewalls shall be installed and operated on the network boundaries + and completed with firewall protection on the endpoints. + annotation: "\u2022\tEndpoints include desktops, laptops, servers...\n\u2022\ + \tConsider, where feasible, including smart phones and other networked devices\ + \ when installing and operating firewalls.\n\u2022\tConsider limiting the\ + \ number of interconnection gateways to the Internet." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: IMPORTANT_DE.CM-1.2 + description: The organization shall monitor and identify unauthorized use of + its business critical systems through the detection of unauthorized local + connections, network connections and remote connections. 
+ annotation: "\u2022\tMonitoring of network communications should happen at the\ + \ external boundary of the organization's business critical systems and at\ + \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\ + \ facing applications the implementation of a web application firewall (WAF)\ + \ should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: DE.CM-1.3 + description: "The organization shall conduct ongoing security status monitoring\ + \ of its network to detect defined information/cybersecurity events and indicators\ + \ of potential information/cybersecurity events.\t" + annotation: "Security status monitoring should include:\n\u2022\tThe generation\ + \ of system alerts when indications of compromise or potential compromise\ + \ occur.\n\u2022\tDetection and reporting of atypical usage of organization's\ + \ critical systems.\n\u2022\tThe establishment of audit records for defined\ + \ information/cybersecurity events.\n\u2022\tBoosting system monitoring activity\ + \ whenever there is an indication of increased risk.\n\u2022\tPhysical environment,\ + \ personnel, and service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-2 + description: The physical environment is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: IMPORTANT_DE.CM-2.1 + description: The physical environment of the facility shall be monitored for + potential information/cybersecurity events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: DE.CM-2.2 + description: The physical access to organization's critical systems and devices + shall be, on top of the physical access monitoring to the facility, increased + through physical intrusion alarms, surveillance equipment, independent surveillance + teams. + annotation: It is recommended to log all visitors. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-3 + description: Personnel activity is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: BASIC_DE.CM-3.1 + description: End point and network protection tools to monitor end-user behavior + for dangerous activity shall be implemented. + annotation: Consider deploying an Intrusion Detection/Prevention system (IDS/IPS). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.2 + description: End point and network protection tools that monitor end-user behavior + for dangerous activity shall be managed. + annotation: Consider using a centralized log platform for the consolidation + and exploitation of log files. Consider to actively investigate the alerts + generated because of suspicious activities and take the appropriate actions + to remediate the threat, e.g. through the deployment of a security operations + centre (SOC). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.3 + description: Software usage and installation restrictions shall be enforced. + annotation: Only authorized software should be used and user access rights should + be limited to the specific data, resources and applications needed to complete + a required task (least privilege principle). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-4 + description: Malicious code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: BASIC_DE.CM-4.1 + description: Anti-virus, -spyware, and other -malware programs shall be installed + and updated. + annotation: "\u2022\tMalware includes viruses, spyware, and ransomware and should\ + \ be countered by installing, using, and regularly updating anti-virus and\ + \ anti-spyware software on every device used in company\u2019s business (including\ + \ computers, smart phones, tablets, and servers).\n\u2022\tAnti-virus and\ + \ anti-spyware software should automatically check for updates in \u201Creal-time\u201D\ + \ or at least daily followed by system scanning as appropriate.\n\u2022\t\ + It should be considered to provide the same malicious code protection mechanisms\ + \ for home computers (e.g. teleworking) or personal devices that are used\ + \ for professional work (BYOD)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: DE.CM-4.2 + description: The organisation shall set up a system to detect false positives + while detecting and eradicating malicious code. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-5 + description: Unauthorized mobile code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + ref_id: IMPORTANT_DE.CM-5.1 + description: The organization shall define acceptable and unacceptable mobile + code and mobile code technologies; and authorize, monitor, and control the + use of mobile code within the system. + annotation: "\u2022\tMobile code includes any program, application, or content\ + \ that can be transmitted across a network (e.g., embedded in an email, document,\ + \ or website) and executed on a remote system. Mobile code technologies include\ + \ for example Java applets, JavaScript, HTML5, WebGL, and VBScript.\n\u2022\ + \tDecisions regarding the use of mobile code in organizational systems should\ + \ be based on the potential for the code to cause damage to the systems if\ + \ used maliciously. Usage restrictions and implementation guidance should\ + \ apply to the selection and use of mobile code installed." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-6 + description: External service provider activity is monitored to detect potential + cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.1 + description: All external connections by vendors supporting IT/OT applications + or infrastructure shall be secured and actively monitored to ensure that only + permissible actions occur during the connection. + annotation: This monitoring includes unauthorized personnel access, connections, + devices, and software. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.2 + description: External service providers' conformance with personnel security + policies and procedures and contract security requirements shall be monitored + relative to their cybersecurity risks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-7 + description: Monitoring for unauthorized personnel, connections, devices, and + software is performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: IMPORTANT_DE.CM-7.1 + description: The organization's business critical systems shall be monitored + for unauthorized personnel access, connections, devices, access points, and + software. 
+ annotation: "\u2022\tUnauthorized personnel access includes access by external\ + \ service providers.\n\u2022\tSystem inventory discrepancies should be included\ + \ in the monitoring.\n\u2022\tUnauthorized configuration changes to organization's\ + \ critical systems should be included in the monitoring." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: DE.CM-7.2 + description: Unauthorized configuration changes to organization's systems shall + be monitored and addressed with the appropriate mitigation actions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-8 + description: Vulnerability scans are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.1 + description: The organization shall monitor and scan for vulnerabilities in + its critical systems and hosted applications ensuring that system functions + are not adversely impacted by the scanning process. + annotation: Consider the implementation of a continuous vulnerability scanning + program; Including reporting and mitigation plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.2 + description: The vulnerability scanning process shall include analysis, remediation, + and information sharing. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.DP + name: Detection Processes + description: Detection processes and procedures are maintained and tested to + ensure awareness of anomalous events. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-2 + description: Detection activities comply with all applicable requirements + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + ref_id: IMPORTANT_DE.DP-2.1 + description: The organization shall conduct detection activities in accordance + with applicable federal and regional laws, industry regulations and standards, + policies, and other applicable requirements. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-3 + description: Detection processes are tested + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + ref_id: IMPORTANT_DE.DP-3.1 + description: The organization shall validate that event detection processes + are operating as intended. + annotation: "\u2022\tValidation includes testing.\n\u2022\tValidation should\ + \ be demonstrable." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-4 + description: Event detection information is communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + ref_id: IMPORTANT_DE.DP-4.1 + description: The organization shall communicate event detection information + to predefined parties. + annotation: Event detection information includes for example, alerts on atypical + account usage, unauthorized remote access, wireless connectivity, mobile device + connection, altered configuration settings, contrasting system component inventory, + use of maintenance tools and nonlocal maintenance, physical access, temperature + and humidity, equipment delivery and removal, communications at the information + system boundaries, use of mobile code, use of Voice over Internet Protocol + (VoIP), and malware disclosure. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-5 + description: Detection processes are continuously improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: IMPORTANT_DE.DP-5.1 + description: Improvements derived from the monitoring, measurement, assessment, + testing, review, and lessons learned, shall be incorporated into detection + process revisions. + annotation: "\u2022\tThis results in a continuous improvement of the detection\ + \ processes.\n\u2022\tThe use of independent teams to assess the detection\ + \ process could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: DE.DP-5.2 + description: The organization shall conduct specialized assessments including + in-depth monitoring, vulnerability scanning, malicious user testing, insider + threat assessment, performance/load testing, and verification and validation + testing on the organization's critical systems. + annotation: These activities can be outsourced, preferably to accredited organizations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + assessable: false + depth: 1 + ref_id: RS + name: RESPOND (RS) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.RP + name: Response Planning + description: Response processes and procedures are executed and maintained, + to ensure response to detected cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + ref_id: RS.RP-1 + description: Response plan is executed during or after an incident + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + ref_id: BASIC_RS.RP-1.1 + description: An incident response process, including roles, responsibilities, + and authorities, shall be executed during or after an information/cybersecurity + event on the organization's critical systems. 
+ annotation: "\u2022\tThe incident response process should include a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tThe roles, responsibilities, and authorities\ + \ in the incident response plan should be specific on involved people, contact\ + \ info, different roles and responsibilities, and who makes the decision to\ + \ initiate recovery procedures as well as who will be the contact with appropriate\ + \ external stakeholders. It should be considered to determine the causes of\ + \ an information/cybersecurity event and implement a corrective action in\ + \ order that the event does not recur or occur elsewhere (an infection by\ + \ malicious code on one machine did not have spread elsewhere in the network).\ + \ The effectiveness of any corrective action taken should be reviewed. Corrective\ + \ actions should be appropriate to the effects of the information/cybersecurity\ + \ event encountered.\nInternal Note: Requirements are covered in PR.IP-9" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.CO + name: Communications + description: Response activities are coordinated with internal and external + stakeholders (e.g. external support from law enforcement agencies). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-1 + description: Personnel know their roles and order of operations when a response + is needed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + ref_id: IMPORTANT_RS.CO-1.1 + description: The organization shall ensure that personnel understand their roles, + objectives, restoration priorities, task sequences (order of operations) and + assignment responsibilities for event response. + annotation: Consider the use the CCB Incident Management Guide to guide you + through this exercise and consider bringing in outside experts if needed. + Test your plan regularly and adjust it after each incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-2 + description: Incidents are reported consistent with established criteria + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: IMPORTANT_RS.CO-2.1 + description: The organization shall implement reporting on information/cybersecurity + incidents on its critical systems in an organization-defined time frame to + organization-defined personnel or roles. + annotation: All users should have a single point of contact to report any incident + and be encouraged to do so. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: RS.CO-2.2 + description: Events shall be reported consistent with established criteria. 
+ annotation: Criteria to report should be included in the incident response plan. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-3 + description: Information is shared consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: BASIC_RS.CO-3.1 + description: "Information/cybersecurity incident information shall be communicated\ + \ and shared with the organization\u2019s employees in a format that they\ + \ can understand." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: IMPORTANT_RS.CO-3.2 + description: The organization shall share information/cybersecurity incident + information with relevant stakeholders as foreseen in the incident response + plan. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-4 + description: Coordination with stakeholders occurs consistent with response + plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + ref_id: IMPORTANT_RS.CO-4.1 + description: The organization shall coordinate information/cybersecurity incident + response actions with all predefined stakeholders. 
+ annotation: "\u2022\tStakeholders for incident response include for example,\ + \ mission/business owners, organization's critical system owners, integrators,\ + \ vendors, human resources offices, physical and personnel security offices,\ + \ legal departments, operations personnel, and procurement offices.\n\u2022\ + \tCoordination with stakeholders occurs consistent with incident response\ + \ plans." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-5 + description: 'Voluntary information sharing occurs with external stakeholders + to achieve broader cybersecurity situational awareness ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + ref_id: IMPORTANT_RS.CO-5.1 + description: "The organization shall share information/cybersecurity event information\ + \ voluntarily, as appropriate, with external stakeholders, industry security\ + \ groups,\u2026 to achieve broader information/cybersecurity situational awareness." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.AN + name: Analysis + description: Analysis is conducted to ensure effective response and support + recovery activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-1 + description: Notifications from detection systems are investigated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: IMPORTANT_RS.AN-1.1 + description: The organization shall investigate information/cybersecurity-related + notifications generated from detection systems. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: RS.AN-1.2 + description: The organization shall implement automated mechanisms to assist + in the investigation and analysis of information/cybersecurity-related notifications. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-2 + description: The impact of the incident is understood + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: IMPORTANT_RS.AN-2.1 + description: Thorough investigation and result analysis shall be the base for + understanding the full implication of the information/cybersecurity incident. + annotation: "\u2022\tResult analysis can involve the outcome of determining\ + \ the correlation between the information of the detected event and the outcome\ + \ of risk assessments. 
In this way, insight is gained into the impact of the\ + \ event across the organization.\n\u2022\tConsider including detection of\ + \ unauthorized changes to its critical systems in its incident response capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: RS.AN-2.2 + description: The organization shall implement automated mechanisms to support + incident impact analysis. + annotation: Implementation could vary from a ticketing system to a Security + Information and Event Management (SIEM). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-3 + description: Forensics are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.1 + description: The organization shall provide on-demand audit review, analysis, + and reporting for after-the-fact investigations of information/cybersecurity + incidents. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.2 + description: The organization shall conduct forensic analysis on collected information/cybersecurity + event information to determine root cause. + annotation: Consider to determine the root cause of an incident. If necessary, + use forensics analysis on collected information/cybersecurity event information + to achieve this. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-4 + description: Incidents are categorized consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + ref_id: IMPORTANT_RS.AN-4.1 + description: Information/cybersecurity incidents shall be categorized according + to the level of severity and impact consistent with the evaluation criteria + included the incident response plan. + annotation: "\u2022\tIt should be considered to determine the causes of an information/cybersecurity\ + \ incident and implement a corrective action in order that the incident does\ + \ not recur or occur elsewhere.\n\u2022\tThe effectiveness of any corrective\ + \ action taken should be reviewed.\n\u2022\tCorrective actions should be appropriate\ + \ to the effects of the information/cybersecurity incident encountered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-5 + description: Processes are established to receive, analyze and respond to vulnerabilities + disclosed to the organization from internal and external sources (e.g. internal + testing, security bulletins, or security researchers) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: IMPORTANT_RS.AN-5.1 + description: 'The organization shall implement vulnerability management processes + and procedures that include processing, analyzing and remedying vulnerabilities + from internal and external sources. ' + annotation: Internal and external sources could be e.g. 
internal testing, security + bulletins, or security researchers. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: RS.AN-5.2 + description: The organization shall implement automated mechanisms to disseminate + and track remediation efforts for vulnerability information, captured from + internal and external sources, to key stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.MI + name: Mitigation + description: Activities are performed to prevent expansion of an event, mitigate + its effects, and resolve the incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + ref_id: RS.MI-1 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.mi-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + ref_id: IMPORTANT_RS.MI-1.1 + description: The organization shall implement an incident handling capability + for information/cybersecurity incidents on its business critical systems that + includes preparation, detection and analysis, containment, eradication, recovery + and documented risk acceptance. 
+ annotation: A documented risk acceptance deals with risks that the organisation + assesses as not dangerous to the organisation's business critical systems + and where the risk owner formally accepts the risk (related with the risk + appetite of the organization) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.IM + name: Improvements + description: Organizational response activities are improved by incorporating + lessons learned from current and previous detection/response activities. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-1 + description: Response plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: BASIC_RS.IM-1.1 + description: The organization shall conduct post-incident evaluations to analyse + lessons learned from incident response and recovery, and consequently improve + processes / procedures / technologies to enhance its cyber resilience. + annotation: Consider bringing involved people together after each incident and + reflect together on ways to improve what happened, how it happened, how we + reacted, how it could have gone better, what should be done to prevent it + from happening again, etc. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: IMPORTANT_RS.IM-1.2 + description: Lessons learned from incident handling shall be translated into + updated or new incident handling procedures that shall be tested, approved + and trained. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-2 + description: Response and Recovery strategies are updated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + ref_id: IMPORTANT_RS.IM-2.1 + description: The organization shall update the response and recovery plans + to address changes in its context. + annotation: "The organization\u2019s context relates to the organizational structure,\ + \ its critical systems, attack vectors, new threats, improved technology,\ + \ environment of operation, problems encountered during plan implementation/execution/testing\ + \ and lessons learned." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER (RC) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.RP + name: Recovery Planning + description: Recovery processes and procedures are executed and maintained to + ensure restoration of systems or assets affected by cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + ref_id: RC.RP-1 + description: 'Recovery plan is executed during or after a cybersecurity incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rc.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: BASIC_RC.RP-1.1 + description: A recovery process for disasters and information/cybersecurity + incidents shall be developed and executed as appropriate. 
+ annotation: "A process should be developed for what immediate actions will be\ + \ taken in case of a fire, medical emergency, burglary, natural disaster,\ + \ or an information/cyber security incident.\nThis process should consider:\n\ + \u2022\tRoles and Responsibilities, including of who makes the decision to\ + \ initiate recovery procedures and who will be the contact with appropriate\ + \ external stakeholders.\n\u2022\tWhat to do with company\u2019s information\ + \ and information systems in case of an incident. This includes shutting down\ + \ or locking computers, moving to a backup site, physically removing important\ + \ documents, etc.\n\u2022\tWho to call in case of an incident." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: RC.RP-1.2 + description: "The essential organization\u2019s functions and services shall\ + \ be continued with little or no loss of operational continuity and continuity\ + \ shall be sustained until full system restoration." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.IM + name: Improvements + description: Recovery planning and processes are improved by incorporating lessons + learned into future activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + ref_id: RC.IM-1 + description: Recovery plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + ref_id: IMPORTANT_RC.IM-1.1 + description: The organization shall incorporate lessons learned from incident + recovery activities into updated or new system recovery procedures and, after + testing, frame this with appropriate training. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.CO + name: Communications + description: Restoration activities are coordinated with internal and external + parties (e.g. coordinating centers, Internet Service Providers, owners of + attacking systems, victims, other CSIRTs, and vendors). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-1 + description: Public relations are managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: IMPORTANT_RC.CO-1.1 + description: The organization shall centralize and coordinate how information + is disseminated and manage how the organization is presented to the public. 
+ annotation: "Public relations management may include, for example, managing\ + \ media interactions, coordinating and logging all requests for interviews,\ + \ handling and \u2018triaging\u2019 phone calls and e-mail requests, matching\ + \ media requests with appropriate and available internal experts who are ready\ + \ to be interviewed, screening all of information provided to the media, ensuring\ + \ personnel are familiar with public relations and privacy policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: RC.CO-1.2 + description: A Public Relations Officer shall be assigned. + annotation: "The Public Relations Officer should consider the use of pre-define\ + \ external contacts \n(e.g. press, regulators, interest groups)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-2 + description: 'Reputation is repaired after an incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + ref_id: RC.CO-2.1 + description: The organization shall implement a crisis response strategy to + protect the organization from the negative consequences of a crisis and help + restore its reputation. + annotation: Crisis response strategies include, for example, actions to shape + attributions of the crisis, change perceptions of the organization in crisis, + and reduce the negative effect generated by the crisis. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-3 + description: Recovery activities are communicated to internal and external stakeholders + as well as executive and management teams + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + ref_id: IMPORTANT_RC.CO-3.1 + description: The organization shall communicate recovery activities to predefined + stakeholders, executive and management teams. + annotation: Communication of recovery activities to all relevant stakeholders + applies only to entities subject to the NIS legislation. 
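Review bot: the `ref_id` values of the depth-4 requirement nodes in this hunk are inconsistently prefixed: most carry the assessment level (`BASIC_RS.RP-1.1`, `IMPORTANT_DE.CM-7.1`, `IMPORTANT_RS.AN-4.1`), while others such as `DE.CM-7.2`, `DE.DP-5.2`, `RS.CO-2.2`, `RS.AN-1.2`, `RS.AN-3.1`, `RS.AN-3.2`, `RS.AN-5.2`, `RC.RP-1.2`, `RC.CO-1.2` and `RC.CO-2.1` carry none, and their `urn` suffixes (`de.cm-7.2`, `rs.an-3.1`, ...) follow the same pattern, so the level of those requirements cannot be read from the identifier. Either prefix every depth-4 node with its level or drop the prefix everywhere and record the level in its own field; a consumer that derives the level from the prefix will otherwise misclassify the unprefixed nodes. Two smaller points in the same hunk: the annotation of `BASIC_RS.RP-1.1` ends with `Internal Note: Requirements are covered in PR.IP-9`, which reads as an editorial remark from the source document rather than guidance and should be stripped before the library ships, and a few annotations carry import defects worth fixing (`consistent with the evaluation criteria included the incident response plan` in `IMPORTANT_RS.AN-4.1` is missing `in`; `pre-define external contacts \n(e.g. press, regulators, interest groups)` in `RC.CO-1.2` has a stray embedded newline and should read `pre-defined`).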
diff --git a/tools/ccb/cff.xlsx b/tools/ccb/cff.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..b3c9936c70a31b2c4720133745fb843c974d0f3d GIT binary patch literal 52780 zcmeFX1CuCGx29RPb;`DF+qP}nw(Y7@wr$(CZJT|*+cPmebLSs)?}*$P8JQW8x#E4+ z+V6@jF9i&O0ssa80RR9%08o}*zGVvt0FVL-0Duet0i-2lXX|WY>#V2jVQ=E3L+fs1 zjb8u)M4kr#^zZrqGyXS@z)=p}v9&YJdpdBwG0su(lUIn(w#~ z`IiqFSVe`T07Q|kAxUogtNTI5zPpV~ePH-TXXbMyE>)jIZBy3jmCuLvPCZbPy(Ic= zo+%bTE3S?nY-tvNx_rxECJRM~*Ng(IKBy|Me_>8WoGP(rj1z9Kb~wkKK&{(ku^Xf| zrBY?T=%847M6ty1VkWPh1R=Wd@E~j5b43P3zc~d`!b6Huul7WakVpmx7#7Z5C_VbE zv$@+3>)LU*qD6tKytJ@1-2f7p9@fwK;lbdih>Lnr(88>#X5fRPML7^^D1@K^aC}wy zgQiCQcJ8OYADn1z+E0kU#-qtTG6&f2P{P>`;Oy+9RDww?HumBOfbPeu*}TzAOnBao zVi8<7d!O935Vo@)**tiWY^=Q}>Pz*8X<9%qJ}K<(^oGlMFOCINwvMa$X*7^aMXR>q z!;AH2wR9NAtdPsoKM;R^fdSON3|QHQwUa1uq_13RLrpiTmq(C(gqsJ_(J0amh5l|DN4i%_}O3 zl7wUe=bXG>v4b{s6^S?@`)y^2dY{sFF~XOs+tQ5}yfW1D7|p27vLVgvG<^Jv!hc6b zvb@CLKX=4{0RS)oAOPL1>Ha4*Zg!4VhIV#V|EX>NH$i~^3fw=u{`VeTiPM%t^f1A< zAw5C!-42OA@)Mk16d~O$o8a{INMSP8M&*1SpP9)wtaU|cbA`mrj|@|$pBzsII7BWx z6yy!qARQZ7GtE%CuX1Xy_~Fe=9j|bx(c*R0v~;YqYgV#y#-03xyVj#PK}f>aXuFx^;FE$d@qiwzZcN|f6CEB`Fqy>FVSj&0RX`Nlf*ye{I8lR zQW>}1q(|ufbH)eJMU`wU#u_{(fVo)~&_cgKJ?dXz9t9y%L3|7<@Y5|c{(z*nAY9jO zem2U+WH+L=nx*JYRRXKVD6%i&&rMoB(XL%`_G5bipI}Cvz=0^)fMSy&uv%EFSF<9? zXC}$x1%NLT31w9YVk88uisY0}N!s5a-$9Jl;u#@Rj4>|LpH2fB8;CzbvX9gZ5#b9T zs!7dmVkB~zD6tu6P8tsSQL>kEJ}3Es+m?8C+VN0MN##G*w&%L(Pgq+tZcULwngP(t zwqM*je;2Wj1x7EtEu+ubS#hLHRfzTil;miAxk{w+9Ff} zr()&$Ah^2Rnh9MODnJK=hKrwF@!XM4Y-!X(3?Ab@4YvCCEpM9HIU->$|$$ zRGtf;z#d#w5IHe}qdr8F)g46&iBqu?fiO;n&49vrgSd-z5i%)$PNXp}*OY-@z3m4dqmOSWyF z$WcZQG;#WByaWwomU(`YY{L?rv)!tP_GYfz`G9t@v1|VKe)i1J!5O9OI!-hOq@$7? 
From 833c62e18d2308f7985a6c95f4b04504e4b00793 Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Fri, 5 Apr 2024 22:27:34 +0200 Subject: [PATCH 2/2] update Readme to mention CCB and HIPAA addition --- README.md | 24 ++++++++++--------- .../library/libraries/ccb-cff-2023-03-01.yaml | 1 + 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index bb7e3ecf3..8d793cb1a 100644 --- a/README.md +++ b/README.md
@@ -40,29 +40,31 @@ You can also have a look at our [data model](documentation/architecture/data-mod ## Supported frameworks - ISO 27001:2022 -- NIST Cyber Security Framework (CSF) v1.1 -- NIST Cyber Security Framework (CSF) v2.0 -- NIS2 +- NIST Cyber Security Framework (CSF) v1.1 πŸ‡ΊπŸ‡Έ +- NIST Cyber Security Framework (CSF) v2.0 πŸ‡ΊπŸ‡Έ +- NIS2 πŸ‡ͺπŸ‡Ί - SOC2 - PCI DSS 4.0 -- CMMC v2 -- PSPF -- GDPR checklist from GDPR.EU -- Essential Eight +- CMMC v2 πŸ‡ΊπŸ‡Έ +- PSPF πŸ‡¦πŸ‡Ί +- GDPR checklist from GDPR.EU πŸ‡ͺπŸ‡Ί +- Essential Eight πŸ‡¦πŸ‡Ί - DFS 500 with 2023-11 amendments -- DORA +- DORA πŸ‡ͺπŸ‡Ί - NIST AI Risk Management Framework - NIST SP 800-53 rev5 -- France LPM/OIV rules +- France LPM/OIV rules πŸ‡«πŸ‡· +- CCB CyberFundamentals Framework πŸ‡§πŸ‡ͺ +- NIST SP-800-66 (HIPAA) Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the Domain Specific Language used and how you can define your own. ### Coming soon - ANSSI hygiene guide -- CCB CyberFundamentals Framework +- HDS/HDH - CRA -- and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, free of charge πŸ˜‰ +- and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, *free of charge* πŸ˜‰ ### Add your own framework diff --git a/backend/library/libraries/ccb-cff-2023-03-01.yaml b/backend/library/libraries/ccb-cff-2023-03-01.yaml index 629c806a4..dbb930645 100644 --- a/backend/library/libraries/ccb-cff-2023-03-01.yaml +++ b/backend/library/libraries/ccb-cff-2023-03-01.yaml @@ -3,6 +3,7 @@ locale: en ref_id: CCB-CFF-2023-03-01 name: CCB CyberFundamentals Framework description: Centre For Cybersecurity Belgium - CyberFundamentals Framework + https://ccb.belgium.be copyright: All texts, layouts, designs and other elements of any nature in this document are subject to copyright law. version: 1
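Review bot: the new `- NIST SP-800-66 (HIPAA)` entry under "Supported frameworks" (and the commit subject) announce HIPAA support, but the diffstat for this commit touches only README.md and the CCB library YAML, so no SP 800-66 library is added anywhere in this series; either keep that line under "Coming soon" until the library lands or reference the change that adds it. Two style points in the same hunk: the country flag markers are applied inconsistently (the new CCB line gets one while NIST SP-800-66, NIST SP 800-53, NIST AI Risk Management Framework, ISO 27001:2022, SOC2, PCI DSS 4.0 and DFS 500 get none), and `SP-800-66` is hyphenated where the neighbouring entry writes `SP 800-53`.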
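Review bot: in the library YAML hunk the added `  https://ccb.belgium.be` line is an indented continuation of the plain scalar `description:`, so a YAML parser folds it into the preceding text with a single space and the field becomes `Centre For Cybersecurity Belgium - CyberFundamentals Framework https://ccb.belgium.be`. That is syntactically valid, but a bare URL glued onto the sentence is easy to lose when the description is rendered; if the link is meant to be shown or used on its own, give it its own key (for example a `url` or `source` field, if the library schema has one) or at least separate it with punctuation inside a quoted string.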