diff --git a/backend/library/libraries/nist-csf-2.0.yaml b/backend/library/libraries/nist-csf-2.0.yaml index 6452a17c4..3afa51af2 100644 --- a/backend/library/libraries/nist-csf-2.0.yaml +++ b/backend/library/libraries/nist-csf-2.0.yaml 
@@ -14,6 +14,101 @@ objects: ref_id: NIST-CSF-2.0 name: NIST CSF v2.0 description: NIST Cybersecurity Framework + scores_definition: + - score: 1 + name: Partial + description: 'Application of the organizational cybersecurity risk strategy + is managed in an ad hoc manner. + + Prioritization is ad hoc and not formally based on objectives or threat environment. + + There is limited awareness of cybersecurity risks at the organizational level. + + The organization implements cybersecurity risk management on an irregular, + case-by-case basis. + + The organization may not have processes that enable cybersecurity information + to be shared within the organization. + + The organization is generally unaware of the cybersecurity risks associated + with its suppliers and the products and services it acquires and uses.' + - score: 2 + name: Risk informed + description: 'Risk management practices are approved by management but may not + be established as organization-wide policy. + + The prioritization of cybersecurity activities and protection needs is directly + informed by organizational risk objectives, the threat environment, or business/mission + requirements. + + There is an awareness of cybersecurity risks at the organizational level, + but an organization-wide approach to managing cybersecurity risks has not + been established. + + Consideration of cybersecurity in organizational objectives and programs may + occur at some but not all levels of the organization. Cyber risk assessment + of organizational and external assets occurs but is not typically repeatable + or reoccurring. + + Cybersecurity information is shared within the organization on an informal + basis. + + The organization is aware of the cybersecurity risks associated with its suppliers + and the products and services it acquires and uses, but it does not act consistently + or formally in response to those risks.' 
+ - score: 3 + name: Repeatable + description: "The organization\u2019s risk management practices are formally\ + \ approved and expressed as policy. \nRisk-informed policies, processes, and\ + \ procedures are defined, implemented as intended, and reviewed.\nOrganizational\ + \ cybersecurity practices are regularly updated based on the application of\ + \ risk management processes to changes in business/mission requirements, threats,\ + \ and technological landscape.\nThere is an organization-wide approach to\ + \ managing cybersecurity risks. Cybersecurity information is routinely shared\ + \ throughout the organization.\nConsistent methods are in place to respond\ + \ effectively to changes in risk. Personnel possess the knowledge and skills\ + \ to perform their appointed roles and responsibilities.\nThe organization\ + \ consistently and accurately monitors the cybersecurity risks of assets.\ + \ Senior cybersecurity and non-cybersecurity executives communicate regularly\ + \ regarding cybersecurity risks. Executives ensure that cybersecurity is considered\ + \ through all lines of operation in the organization.\nThe organization risk\ + \ strategy is informed by the cybersecurity risks associated with its suppliers\ + \ and the products and services it acquires and uses. Personnel formally act\ + \ upon those risks through mechanisms such as written agreements to communicate\ + \ baseline requirements, governance structures (e.g., risk councils), and\ + \ policy implementation and monitoring. These actions are implemented consistently\ + \ and as intended and are continuously monitored and reviewed." + - score: 4 + name: Adaptive + description: 'There is an organization-wide approach to managing cybersecurity + risks that uses risk-informed policies, processes, and procedures to address + potential cybersecurity events. The relationship between cybersecurity risks + and organizational objectives is clearly understood and considered when making + decisions. 
Executives monitor cybersecurity risks in the same context as financial + and other organizational risks. The organizational budget is based on an understanding + of the current and predicted risk environment and risk tolerance. Business + units implement executive vision and analyze system-level risks in the context + of the organizational risk tolerances. + + Cybersecurity risk management is part of the organizational culture. It evolves + from an awareness of previous activities and continuous awareness of activities + on organizational systems and networks. The organization can quickly and efficiently + account for changes to business/mission objectives in how risk is approached + and communicated. + + The organization adapts its cybersecurity practices based on previous and + current cybersecurity activities, including lessons learned and predictive + indicators. Through a process of continuous improvement that incorporates + advanced cybersecurity technologies and practices, the organization actively + adapts to a changing technological landscape and responds in a timely and + effective manner to evolving, sophisticated threats. + + The organization uses real-time or near real-time information to understand + and consistently act upon the cybersecurity risks associated with its suppliers + and the products and services it acquires and uses. + + Cybersecurity information is constantly shared throughout the organization + and with authorized third parties.' requirement_nodes: - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv assessable: false diff --git a/tools/nist/nist-csf-2.0.xlsx b/tools/nist/nist-csf-2.0.xlsx new file mode 100644 index 000000000..576c02764 Binary files /dev/null and b/tools/nist/nist-csf-2.0.xlsx differ diff --git a/tools/nist/nist_csf-2.0-en.xlsx b/tools/nist/nist_csf-2.0-en.xlsx deleted file mode 100644 index 850428a2e..000000000 Binary files a/tools/nist/nist_csf-2.0-en.xlsx and /dev/null differ 
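Review bot: the score 3 (Repeatable) entry in the new scores_definition block is serialized differently from scores 1, 2 and 4: it is a double-quoted scalar with `\u2019`, explicit `\n` and backslash line continuations, while the other three are single-quoted scalars whose paragraphs are separated by blank lines. After loading, tier 3 paragraphs end up separated by a single newline (and `policy. \n` carries a trailing space before the break), whereas the other tiers get a blank line, so any UI that renders the tier descriptions will space tier 3 differently from the rest. Normalize it to the same single-quoted, blank-line-separated form as the other three and use a plain ASCII apostrophe (written `''` inside single quotes, as the rest of the library already does for `organization''s`) instead of `\u2019`. Two smaller points on the same change: the header's `version: 1` is left untouched (the hunk starts at line 14, and the removed tools copy, which is the same blob `6452a17c4`, shows that header), so if library updates are keyed on that field, existing deployments will not pick up the new scores_definition; and `tools/nist/nist_csf-2.0-en.xlsx` is deleted while `tools/nist/nist-csf-2.0.xlsx` is added as a new file with a different blob (`850428a2e` vs `576c02764`), so this is a rename plus a content change that git cannot display. Splitting the rename into its own commit, or stating in the commit message which rows of the workbook changed, would make the source of the new scores traceable.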
diff --git a/tools/nist/nist_csf-2.0-en.yaml b/tools/nist/nist_csf-2.0-en.yaml deleted file mode 100644 index 6452a17c4..000000000 --- a/tools/nist/nist_csf-2.0-en.yaml +++ /dev/null 
@@ -1,2779 +0,0 @@ -urn: urn:intuitem:risk:library:nist-csf-2.0 -locale: en -ref_id: NIST-CSF-2.0 -name: NIST CSF version 2.0 -description: National Institute of Standards and Technology - Cybersecurity Framework -copyright: With the exception of material marked as copyrighted, information presented - on NIST sites are considered public information and may be distributed or copied. -version: 1 -provider: NIST -packager: intuitem -objects: - framework: - urn: urn:intuitem:risk:framework:nist-csf-2.0 - ref_id: NIST-CSF-2.0 - name: NIST CSF v2.0 - description: NIST Cybersecurity Framework - requirement_nodes: - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - assessable: false - depth: 1 - ref_id: GV - name: GOVERN - description: The organization's cybersecurity risk management strategy, expectations, - and policy are established, communicated, and monitored - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.OC - name: Organizational Context - description: The circumstances - mission, stakeholder expectations, dependencies, - and legal, regulatory, and contractual requirements - surrounding the organization's - cybersecurity risk management decisions are understood - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-01 - description: The organizational mission is understood and informs cybersecurity - risk management - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Share the organization''s mission (e.g., through vision and mission statements, - marketing, and service strategies) to provide a basis for identifying risks - that may impede that mission' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-02 - description: Internal and external stakeholders are understood, and their needs - and expectations regarding cybersecurity risk management are understood and - considered - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Identify relevant internal stakeholders and their cybersecurity-related - expectations (e.g., performance and risk expectations of officers, directors, - and advisors; cultural expectations of employees) - - Ex2: Identify relevant external stakeholders and their cybersecurity-related - expectations (e.g., privacy expectations of customers, business expectations - of partnerships, compliance expectations of regulators, ethics expectations - of society)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-03 - description: Legal, regulatory, and contractual requirements regarding cybersecurity - - including privacy and civil liberties obligations - are understood and managed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Determine a process to track and manage legal and regulatory requirements - regarding protection of individuals'' information (e.g., Health Insurance - Portability and Accountability Act, California Consumer Privacy Act, General - Data Protection Regulation) - - Ex2: Determine a process to track and manage contractual requirements for - cybersecurity management of supplier, customer, and partner 
information - - Ex3: Align the organization''s cybersecurity strategy with legal, regulatory, - and contractual requirements' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-04 - description: Critical objectives, capabilities, and services that stakeholders - depend on or expect from the organization are understood and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Establish criteria for determining the criticality of capabilities and - services as viewed by internal and external stakeholders - - Ex2: Determine (e.g., from a business impact analysis) assets and business - operations that are vital to achieving mission objectives and the potential - impact of a loss (or partial loss) of such operations - - Ex3: Establish and communicate resilience objectives (e.g., recovery time - objectives) for delivering critical capabilities and services in various operating - states (e.g., under attack, during recovery, normal operation)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-05 - description: Outcomes, capabilities, and services that the organization depends - on are understood and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 - name: Examples - description: 'Ex1: Create an inventory of the organization''s dependencies on - external resources (e.g., facilities, cloud-based hosting providers) and their - relationships to organizational assets and business functions - - Ex2: Identify and document external dependencies that are 
potential points - of failure for the organization''s critical capabilities and services, and - share that information with appropriate personnel - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.RM - name: Risk Management Strategy - description: The organization's priorities, constraints, risk tolerance and - appetite statements, and assumptions are established, communicated, and used - to support operational risk decisions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-01 - description: Risk management objectives are established and agreed to by organizational - stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Update near-term and long-term cybersecurity risk management objectives - as part of annual strategic planning and when major changes occur - - Ex2: Establish measurable objectives for cybersecurity risk management (e.g., - manage the quality of user training, ensure adequate risk protection for industrial - control systems) - - Ex3: Senior leaders agree about cybersecurity objectives and use them for - measuring and managing risk and performance' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-02 - description: Risk appetite and risk tolerance statements are established, communicated, - and maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - 
- Ex1: Determine and communicate risk appetite statements that convey expectations - about the appropriate level of risk for the organization - - Ex2: Translate risk appetite statements into specific, measurable, and broadly - understandable risk tolerance statements - - Ex3: Refine organizational objectives and risk appetite periodically based - on known risk exposure and residual risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-03 - description: Cybersecurity risk management activities and outcomes are included - in enterprise risk management processes - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks - (e.g., compliance, financial, operational, regulatory, reputational, safety) - - Ex2: Include cybersecurity risk managers in enterprise risk management planning - - Ex3: Establish criteria for escalating cybersecurity risks within enterprise - risk management' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-04 - description: Strategic direction that describes appropriate risk response options - is established and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various - classifications of data - - Ex2: Determine whether to purchase cybersecurity insurance - - Ex3: Document conditions under which shared responsibility models are acceptable - (e.g., outsourcing 
certain cybersecurity functions, having a third party perform - financial transactions on behalf of the organization, using public cloud-based - services)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-05 - description: Lines of communication across the organization are established - for cybersecurity risks, including risks from suppliers and other third parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Determine how to update senior executives, directors, and management - on the organization''s cybersecurity posture at agreed-upon intervals - - Ex2: Identify how all departments across the organization - such as management, - operations, internal auditors, legal, acquisition, physical security, and - HR - will communicate with each other about cybersecurity risks' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-06 - description: A standardized method for calculating, documenting, categorizing, - and prioritizing cybersecurity risks is established and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Establish criteria for using a quantitative approach to cybersecurity - risk analysis, and specify probability and exposure formulas - - Ex2: Create and use templates (e.g., a risk register) to document cybersecurity - risk information (e.g., risk description, exposure, treatment, and ownership) - - Ex3: Establish criteria for risk prioritization at the appropriate levels - 
within the enterprise - - Ex4: Use a consistent list of risk categories to support integrating, aggregating, - and comparing cybersecurity risks' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-07 - description: Strategic opportunities (i.e., positive risks) are characterized - and are included in organizational cybersecurity risk discussions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Define and communicate guidance and methods for identifying opportunities - and including them in risk discussions (e.g., strengths, weaknesses, opportunities, - and threats [SWOT] analysis) - - Ex2: Identify stretch goals and document them - - Ex3: Calculate, document, and prioritize positive risks alongside negative - risks' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.RR - name: Roles, Responsibilities, and Authorities - description: Cybersecurity roles, responsibilities, and authorities to foster - accountability, performance assessment, and continuous improvement are established - and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-01 - description: Organizational leadership is responsible and accountable for cybersecurity - risk and fosters a culture that is risk-aware, ethical, and continually improving - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Leaders (e.g., directors) agree on their roles and 
responsibilities in - developing, implementing, and assessing the organization''s cybersecurity - strategy - - Ex2: Share leaders'' expectations regarding a secure and ethical culture, - especially when current events present the opportunity to highlight positive - or negative examples of cybersecurity risk management - - Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk - strategy and review and update it at least annually and after major events - - Ex4: Conduct reviews to ensure adequate authority and coordination among those - responsible for managing cybersecurity risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-02 - description: Roles, responsibilities, and authorities related to cybersecurity - risk management are established, communicated, understood, and enforced - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Document risk management roles and responsibilities in policy - - Ex2: Document who is responsible and accountable for cybersecurity risk management - activities and how those teams and individuals are to be consulted and informed - - Ex3: Include cybersecurity responsibilities and performance requirements in - personnel descriptions - - Ex4: Document performance goals for personnel with cybersecurity risk management - responsibilities, and periodically measure performance to identify areas for - improvement - - Ex5: Clearly articulate cybersecurity responsibilities within operations, - risk functions, and internal audit functions' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-03 - description: Adequate resources are allocated 
commensurate with the cybersecurity - risk strategy, roles, responsibilities, and policies - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Conduct periodic management reviews to ensure that those given cybersecurity - risk management responsibilities have the necessary authority - - Ex2: Identify resource allocation and investment in line with risk tolerance - and response - - Ex3: Provide adequate and sufficient people, process, and technical resources - to support the cybersecurity strategy' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-04 - description: Cybersecurity is included in human resources practices - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Integrate cybersecurity risk management considerations into human resources - processes (e.g., personnel screening, onboarding, change notification, offboarding) - - Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, - and retention decisions - - Ex3: Conduct background checks prior to onboarding new personnel for sensitive - roles, and periodically repeat background checks for personnel with such roles - - Ex4: Define and enforce obligations for personnel to be aware of, adhere to, - and uphold security policies as they relate to their roles' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.PO - name: Policy - description: Organizational cybersecurity policy is established, communicated, - and enforced - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po - ref_id: GV.PO-01 - description: Policy for managing cybersecurity risks is established based on - organizational context, cybersecurity strategy, and priorities and is communicated - and enforced - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Create, disseminate, and maintain an understandable, usable risk management - policy with statements of management intent, expectations, and direction - - Ex2: Periodically review policy and supporting processes and procedures to - ensure that they align with risk management strategy objectives and priorities, - as well as the high-level direction of the cybersecurity policy - - Ex3: Require approval from senior management on policy - - Ex4: Communicate cybersecurity risk management policy and supporting processes - and procedures across the organization - - Ex5: Require personnel to acknowledge receipt of policy when first hired, - annually, and whenever policy is updated' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po - ref_id: GV.PO-02 - description: Policy for managing cybersecurity risks is reviewed, updated, communicated, - and enforced to reflect changes in requirements, threats, technology, and - organizational mission - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Update policy based on periodic reviews of cybersecurity risk management - results to ensure that policy and supporting processes and procedures adequately - maintain risk at an acceptable level - 
- Ex2: Provide a timeline for reviewing changes to the organization''s risk - environment (e.g., changes in risk or in the organization''s mission objectives), - and communicate recommended policy updates - - Ex3: Update policy to reflect changes in legal and regulatory requirements - - Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial - intelligence) and changes to the business (e.g., acquisition of a new business, - new contract requirements)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.OV - name: Oversight - description: Results of organization-wide cybersecurity risk management activities - and performance are used to inform, improve, and adjust the risk management - strategy - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - ref_id: GV.OV-01 - description: Cybersecurity risk management strategy outcomes are reviewed to - inform and adjust strategy and direction - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Measure how well the risk management strategy and risk results have helped - leaders make decisions and achieve organizational objectives - - Ex2: Examine whether cybersecurity risk strategies that impede operations - or innovation should be adjusted' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - ref_id: GV.OV-02 - description: The cybersecurity risk management strategy is reviewed and adjusted - to ensure coverage of organizational requirements and risks - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47 - assessable: false - depth: 4 - parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review audit findings to confirm whether the existing cybersecurity strategy - has ensured compliance with internal and external requirements - - Ex2: Review the performance oversight of those in cybersecurity-related roles - to determine whether policy changes are necessary - - Ex3: Review strategy in light of cybersecurity incidents' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - ref_id: GV.OV-03 - description: Organizational cybersecurity risk management performance is evaluated - and reviewed for adjustments needed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review key performance indicators (KPIs) to ensure that organization-wide - policies and procedures achieve objectives - - Ex2: Review key risk indicators (KRIs) to identify risks the organization - faces, including likelihood and potential impact - - Ex3: Collect and communicate metrics on cybersecurity risk management with - senior leadership' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.SC - name: Cybersecurity Supply Chain Risk Management - description: Cyber supply chain risk management processes are identified, established, - managed, monitored, and improved by organizational stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-01 - description: A cybersecurity supply chain risk management program, strategy, - objectives, policies, and processes are established and agreed to by organizational - 
stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 - name: Examples - description: 'Ex1: Establish a strategy that expresses the objectives of the - cybersecurity supply chain risk management program - - Ex2: Develop the cybersecurity supply chain risk management program, including - a plan (with milestones), policies, and procedures that guide implementation - and improvement of the program, and share the policies and procedures with - the organizational stakeholders - - Ex3: Develop and implement program processes based on the strategy, objectives, - policies, and procedures that are agreed upon and performed by the organizational - stakeholders - - Ex4: Establish a cross-organizational mechanism that ensures alignment between - functions that contribute to cybersecurity supply chain risk management, such - as cybersecurity, IT, operations, legal, human resources, and engineering - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-02 - description: Cybersecurity roles and responsibilities for suppliers, customers, - and partners are established, communicated, and coordinated internally and - externally - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 - name: Examples - description: 'Ex1: Identify one or more specific roles or positions that will - be responsible and accountable for planning, resourcing, and executing cybersecurity - supply chain risk management activities - - Ex2: Document cybersecurity supply chain risk management roles and responsibilities - in policy - - Ex3: Create responsibility matrixes to document who will be responsible and - accountable for cybersecurity supply chain risk management activities 
and - how those teams and individuals will be consulted and informed - - Ex4: Include cybersecurity supply chain risk management responsibilities and - performance requirements in personnel descriptions to ensure clarity and improve - accountability - - Ex5: Document performance goals for personnel with cybersecurity risk management-specific - responsibilities, and periodically measure them to demonstrate and improve - performance - - Ex6: Develop roles and responsibilities for suppliers, customers, and business - partners to address shared responsibilities for applicable cybersecurity risks, - and integrate them into organizational policies and applicable third-party - agreements - - Ex7: Internally communicate cybersecurity supply chain risk management roles - and responsibilities for third parties - - Ex8: Establish rules and protocols for information sharing and reporting processes - between the organization and its suppliers - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-03 - description: Cybersecurity supply chain risk management is integrated into cybersecurity - and enterprise risk management, risk assessment, and improvement processes - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 - name: Examples - description: 'Ex1: Identify areas of alignment and overlap with cybersecurity - and enterprise risk management - - Ex2: Establish integrated control sets for cybersecurity risk management and - cybersecurity supply chain risk management - - Ex3: Integrate cybersecurity supply chain risk management into improvement - processes - - Ex4: Escalate material cybersecurity risks in supply chains to senior management, - and address them at the enterprise risk management level - - 3rd: 3rd Party Risk' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-04 - description: Suppliers are known and prioritized by criticality - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 - name: Examples - description: 'Ex1: Develop criteria for supplier criticality based on, for example, - the sensitivity of data processed or possessed by suppliers, the degree of - access to the organization''s systems, and the importance of the products - or services to the organization''s mission - - Ex2: Keep a record of all suppliers, and prioritize suppliers based on the - criticality criteria - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-05 - description: Requirements to address cybersecurity risks in supply chains are - established, prioritized, and integrated into contracts and other types of - agreements with suppliers and other relevant third parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 - name: Examples - description: 'Ex1: Establish security requirements for suppliers, products, - and services commensurate with their criticality level and potential impact - if compromised - - Ex2: Include all cybersecurity and supply chain requirements that third parties - must follow and how compliance with the requirements may be verified in default - contractual language - - Ex3: Define the rules and protocols for information sharing between the organization - and its suppliers and sub-tier suppliers in agreements - - Ex4: Manage risk by including security requirements in agreements based on - their criticality and potential impact if compromised - 
- Ex5: Define security requirements in service-level agreements (SLAs) for monitoring - suppliers for acceptable security performance throughout the supplier relationship - lifecycle - - Ex6: Contractually require suppliers to disclose cybersecurity features, functions, - and vulnerabilities of their products and services for the life of the product - or the term of service - - Ex7: Contractually require suppliers to provide and maintain a current component - inventory (e.g., software or hardware bill of materials) for critical products - - Ex8: Contractually require suppliers to vet their employees and guard against - insider threats - - Ex9: Contractually require suppliers to provide evidence of performing acceptable - security practices through, for example, self-attestation, conformance to - known standards, certifications, or inspections - - Ex10: Specify in contracts and other agreements the rights and responsibilities - of the organization, its suppliers, and their supply chains, with respect - to potential cybersecurity risks - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-06 - description: Planning and due diligence are performed to reduce risks before - entering into formal supplier or other third-party relationships - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 - name: Examples - description: 'Ex1: Perform thorough due diligence on prospective suppliers that - is consistent with procurement planning and commensurate with the level of - risk, criticality, and complexity of each supplier relationship - - Ex2: Assess the suitability of the technology and cybersecurity capabilities - and the risk management practices of prospective suppliers - - Ex3: Conduct supplier risk assessments against business and applicable 
cybersecurity - requirements - - Ex4: Assess the authenticity, integrity, and security of critical products - prior to acquisition and use - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-07 - description: The risks posed by a supplier, their products and services, and - other third parties are understood, recorded, prioritized, assessed, responded - to, and monitored over the course of the relationship - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 - name: Examples - description: 'Ex1: Adjust assessment formats and frequencies based on the third - party''s reputation and the criticality of the products or services they provide - - Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity - requirements, such as self-attestations, warranties, certifications, and other - artifacts - - Ex3: Monitor critical suppliers to ensure that they are fulfilling their security - obligations throughout the supplier relationship lifecycle using a variety - of methods and techniques, such as inspections, audits, tests, or other forms - of evaluation - - Ex4: Monitor critical suppliers, services, and products for changes to their - risk profiles, and reevaluate supplier criticality and risk impact accordingly - - Ex5: Plan for unexpected supplier and supply chain-related interruptions to - ensure business continuity - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-08 - description: Relevant suppliers and other third parties are included in incident - planning, response, and recovery activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66 - assessable: false - depth: 4 - 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 - name: Examples - description: 'Ex1: Define and use rules and protocols for reporting incident - response and recovery activities and the status between the organization and - its suppliers - - Ex2: Identify and document the roles and responsibilities of the organization - and its suppliers for incident response - - Ex3: Include critical suppliers in incident response exercises and simulations - - Ex4: Define and coordinate crisis communication methods and protocols between - the organization and its critical suppliers - - Ex5: Conduct collaborative lessons learned sessions with critical suppliers - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-09 - description: Supply chain security practices are integrated into cybersecurity - and enterprise risk management programs, and their performance is monitored - throughout the technology product and service life cycle - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 - name: Examples - description: 'Ex1: Policies and procedures require provenance records for all - acquired technology products and services - - Ex2: Periodically provide risk reporting to leaders about how acquired components - are proven to be untampered and authentic - - Ex3: Communicate regularly among cybersecurity risk managers and operations - personnel about the need to acquire software patches, updates, and upgrades - only from authenticated and trustworthy software providers - - Ex4: Review policies to ensure that they require approved supplier personnel - to perform maintenance on supplier products - - Ex5: Policies and procedure require checking upgrades to critical hardware - for unauthorized changes - - 3rd: 3rd Party Risk' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-10 - description: Cybersecurity supply chain risk management plans include provisions - for activities that occur after the conclusion of a partnership or service - agreement - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 - name: Examples - description: 'Ex1: Establish processes for terminating critical relationships - under both normal and adverse circumstances - - Ex2: Define and implement plans for component end-of-life maintenance support - and obsolescence - - Ex3: Verify that supplier access to organization resources is deactivated - promptly when it is no longer needed - - Ex4: Verify that assets containing the organization''s data are returned or - properly disposed of in a timely, controlled, and safe manner - - Ex5: Develop and execute a plan for terminating or transitioning supplier - relationships that takes supply chain security risk and resiliency into account - - Ex6: Mitigate risks to data and systems created by supplier termination - - Ex7: Manage data leakage risks associated with supplier termination - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - assessable: false - depth: 1 - ref_id: ID - name: IDENTIFY - description: The organization's current cybersecurity risks are understood - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - ref_id: ID.AM - name: Asset Management - description: Assets (e.g., data, hardware, software, systems, facilities, services, - people) that enable the organization to achieve business purposes are identified - and managed consistent with their relative importance to organizational objectives - and the organization's risk strategy - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-01 - description: Inventories of hardware managed by the organization are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, - and mobile devices - - Ex2: Constantly monitor networks to detect new hardware and automatically - update inventories' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-02 - description: Inventories of software, services, and systems managed by the organization - are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Maintain inventories for all types of software and services, including - commercial-off-the-shelf, open-source, custom applications, API services, - and cloud-based applications and services - - Ex2: Constantly monitor all platforms, including containers and virtual machines, - for software and service inventory changes - - Ex3: Maintain an inventory of the organization''s systems' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-03 - description: Representations of the organization's authorized network communication - and internal and external network data flows are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 - name: Examples - 
description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Maintain baselines of communication and data flows within the organization''s - wired and wireless networks - - Ex2: Maintain baselines of communication and data flows between the organization - and third parties - - Ex3: Maintain baselines of communication and data flows for the organization''s - infrastructure-as-a-service (IaaS) usage - - Ex4: Maintain documentation of expected network ports, protocols, and services - that are typically used among authorized systems' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-04 - description: Inventories of services provided by suppliers are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 - name: Examples - description: 'Ex1: Inventory all external services used by the organization, - including third-party infrastructure-as-a-service (IaaS), platform-as-a-service - (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally - hosted application services - - Ex2: Update the inventory when a new external service is going to be utilized - to ensure adequate cybersecurity risk management monitoring of the organization''s - use of that service - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-05 - description: Assets are prioritized based on classification, criticality, resources, - and impact on the mission - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Define criteria for prioritizing each class of assets - - Ex2: 
Apply the prioritization criteria to assets - - Ex3: Track the asset priorities and update them periodically or when significant - changes to the organization occur' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-07 - description: Inventories of data and corresponding metadata for designated data - types are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Maintain a list of the designated data types of interest (e.g., personally - identifiable information, protected health information, financial account - numbers, organization intellectual property, operational technology data) - - Ex2: Continuously discover and analyze ad hoc data to identify new instances - of designated data types - - Ex3: Assign data classifications to designated data types through tags or - labels - - Ex4: Track the provenance, data owner, and geolocation of each instance of - designated data types' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-08 - description: Systems, hardware, software, services, and data are managed throughout - their life cycles - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Integrate cybersecurity considerations throughout the life cycles of - systems, hardware, software, and services - - Ex2: Integrate cybersecurity considerations into product life cycles - - Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., - shadow IT) - - Ex4: Periodically identify 
redundant systems, hardware, software, and services - that unnecessarily increase the organization''s attack surface - - Ex5: Properly configure and secure systems, hardware, software, and services - prior to their deployment in production - - Ex6: Update inventories when systems, hardware, software, and services are - moved or transferred within the organization - - Ex7: Securely destroy stored data based on the organization''s data retention - policy using the prescribed destruction method, and keep and manage a record - of the destructions - - Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, - reassigned, or sent for repairs or replacement - - Ex9: Offer methods for destroying paper, storage media, and other physical - forms of data storage' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - ref_id: ID.RA - name: Risk Assessment - description: The cybersecurity risk to the organization, assets, and individuals - is understood by the organization - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-01 - description: Vulnerabilities in assets are identified, validated, and recorded - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use vulnerability management technologies to identify unpatched and misconfigured - software - - Ex2: Assess network and system architectures for design and implementation - weaknesses that affect cybersecurity - - Ex3: Review, analyze, or test organization-developed software to identify - design, coding, and default configuration vulnerabilities - - Ex4: Assess facilities that house critical computing assets for physical vulnerabilities - and 
resilience issues - - Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities - in products and services - - Ex6: Review processes and procedures for weaknesses that could be exploited - to affect cybersecurity' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-02 - description: Cyber threat intelligence is received from information sharing - forums and sources - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Configure cybersecurity tools and technologies with detection or response - capabilities to securely ingest cyber threat intelligence feeds - - Ex2: Receive and review advisories from reputable third parties on current - threat actors and their tactics, techniques, and procedures (TTPs) - - Ex3: Monitor sources of cyber threat intelligence for information on the types - of vulnerabilities that emerging technologies may have' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-03 - description: Internal and external threats to the organization are identified - and recorded - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Use cyber threat intelligence to maintain awareness of the types of threat - actors likely to target the organization and the TTPs they are likely to use - - Ex2: Perform threat hunting to look for signs of threat actors within the - environment - - Ex3: Implement processes for identifying internal threat actors' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-04 - description: Potential impacts and likelihoods of threats exploiting vulnerabilities - are identified and recorded - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Business leaders and cybersecurity risk management practitioners work - together to estimate the likelihood and impact of risk scenarios and record - them in risk registers - - Ex2: Enumerate the potential business impacts of unauthorized access to the - organization''s communications, systems, and data processed in or by those - systems - - Ex3: Account for the potential impacts of cascading failures for systems of - systems' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-05 - description: Threats, vulnerabilities, likelihoods, and impacts are used to - understand inherent risk and inform risk response prioritization - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Develop threat models to better understand risks to the data and identify - appropriate risk responses - - Ex2: Prioritize cybersecurity resource allocations and investments based on - estimated likelihoods and impacts' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-06 - description: Risk responses are chosen, prioritized, planned, tracked, and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99 - assessable: false - 
depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Apply the vulnerability management plan''s criteria for deciding whether - to accept, transfer, mitigate, or avoid risk - - Ex2: Apply the vulnerability management plan''s criteria for selecting compensating - controls to mitigate risk - - Ex3: Track the progress of risk response implementation (e.g., plan of action - and milestones [POA&M], risk register, risk detail report) - - Ex4: Use risk assessment findings to inform risk response decisions and actions - - Ex5: Communicate planned risk responses to affected stakeholders in priority - order' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-07 - description: Changes and exceptions are managed, assessed for risk impact, recorded, - and tracked - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 - name: Examples - description: 'Ex1: Implement and follow procedures for the formal documentation, - review, testing, and approval of proposed changes and requested exceptions - - Ex2: Document the possible risks of making or not making each proposed change, - and provide guidance on rolling back changes - - Ex3: Document the risks related to each requested exception and the plan for - responding to those risks - - Ex4: Periodically review risks that were accepted based upon planned future - actions or milestones' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-08 - description: Processes for receiving, analyzing, and responding to vulnerability - disclosures are established - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103 - assessable: false - depth: 4 - 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Conduct vulnerability information sharing between the organization and - its suppliers following the rules and protocols defined in contracts - - Ex2: Assign responsibilities and verify the execution of procedures for processing, - analyzing the impact of, and responding to cybersecurity threat, vulnerability, - or incident disclosures by suppliers, customers, partners, and government - cybersecurity organizations' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-09 - description: The authenticity and integrity of hardware and software are assessed - prior to acquisition and use - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 - name: Examples - description: 'Ex1: Assess the authenticity and cybersecurity of critical technology - products and services prior to acquisition and use - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-10 - description: Critical suppliers are assessed prior to acquisition - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 - name: Examples - description: 'Ex1: Conduct supplier risk assessments against business and applicable - cybersecurity requirements, including the supply chain' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - ref_id: ID.IM - name: Improvement - description: Improvements to organizational cybersecurity risk management processes, - 
procedures and activities are identified across all CSF Functions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-01 - description: Improvements are identified from evaluations - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Perform self-assessments of critical services that take current threats - and TTPs into consideration - - Ex2: Invest in third-party assessments or independent audits of the effectiveness - of the organization''s cybersecurity program to identify areas that need improvement - - Ex3: Constantly evaluate compliance with selected cybersecurity requirements - through automated means' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-02 - description: Improvements are identified from security tests and exercises, - including those done in coordination with suppliers and relevant third parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Identify improvements for future incident response activities based on - findings from incident response assessments (e.g., tabletop exercises and - simulations, tests, internal reviews, independent audits) - - Ex2: Identify improvements for future business continuity, disaster recovery, - and incident response activities based on exercises performed in coordination - with critical service providers and product suppliers - - Ex3: Involve internal stakeholders (e.g., senior executives, legal department, - HR) in security tests and exercises 
as appropriate - - Ex4: Perform penetration testing to identify opportunities to improve the - security posture of selected high-risk systems as approved by leadership - - Ex5: Exercise contingency plans for responding to and recovering from the - discovery that products or services did not originate with the contracted - supplier or partner or were altered before receipt - - Ex6: Collect and analyze performance metrics using security tools and services - to inform improvements to the cybersecurity program' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-03 - description: Improvements are identified from execution of operational processes, - procedures, and activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Conduct collaborative lessons learned sessions with suppliers - - Ex2: Annually review cybersecurity policies, processes, and procedures to - take lessons learned into account - - Ex3: Use metrics to assess operational cybersecurity performance over time' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-04 - description: Incident response plans and other cybersecurity plans that affect - operations are established, communicated, maintained, and improved - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Establish contingency plans (e.g., incident response, business continuity, - disaster recovery) for responding to and recovering from adverse events that - can interfere with operations, expose confidential 
information, or otherwise - endanger the organization''s mission and viability - - Ex2: Include contact and communication information, processes for handling - common scenarios, and criteria for prioritization, escalation, and elevation - in all contingency plans - - Ex3: Create a vulnerability management plan to identify and assess all types - of vulnerabilities and to prioritize, test, and implement risk responses - - Ex4: Communicate cybersecurity plans (including updates) to those responsible - for carrying them out and to affected parties - - Ex5: Review and update all cybersecurity plans annually or when a need for - significant improvements is identified' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - assessable: false - depth: 1 - ref_id: PR - name: PROTECT - description: Safeguards to manage the organization's cybersecurity risks are - used - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.AA - name: Identity Management, Authentication, and Access Control - description: Access to physical and logical assets is limited to authorized - users, services, and hardware and managed commensurate with the assessed - risk of unauthorized access - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-01 - description: Identities and credentials for authorized users, services, and - hardware are managed by the organization - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Initiate requests for new access or additional access for employees, - contractors, and others, and track, review, and fulfill the requests, with - permission from system or data owners when needed - - Ex2: Issue, manage, 
and revoke cryptographic certificates and identity tokens, - cryptographic keys (i.e., key management), and other credentials - - Ex3: Select a unique identifier for each device from immutable hardware characteristics - or an identifier securely provisioned to the device - - Ex4: Physically label authorized hardware with an identifier for inventory - and servicing purposes' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-02 - description: Identities are proofed and bound to credentials based on the context - of interactions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Verify a person''s claimed identity at enrollment time using government-issued - identity credentials (e.g., passport, visa, driver''s license) - - Ex2: Issue a different credential for each person (i.e., no credential sharing)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-03 - description: Users, services, and hardware are authenticated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Require multifactor authentication - - Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar - authenticators - - Ex3: Periodically reauthenticate users, services, and hardware based on risk - (e.g., in zero trust architectures) - - Ex4: Ensure that authorized personnel can access accounts essential for protecting - safety under emergency conditions' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 - 
assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-04 - description: Identity assertions are protected, conveyed, and verified - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Protect identity assertions that are used to convey authentication and - user information through single sign-on systems - - Ex2: Protect identity assertions that are used to convey authentication and - user information between federated systems - - Ex3: Implement standards-based approaches for identity assertions in all contexts, - and follow all guidance for the generation (e.g., data models, metadata), - protection (e.g., digital signing, encryption), and verification (e.g., signature - validation) of identity assertions' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-05 - description: Access permissions, entitlements, and authorizations are defined - in a policy, managed, enforced, and reviewed, and incorporate the principles - of least privilege and separation of duties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review logical and physical access privileges periodically and whenever - someone changes roles or leaves the organization, and promptly rescind privileges - that are no longer needed - - Ex2: Take attributes of the requester and the requested resource into account - for authorization decisions (e.g., geolocation, day/time, requester endpoint''s - cyber health) - - Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust - architecture) - - Ex4: Periodically 
review the privileges associated with critical business - functions to confirm proper separation of duties' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-06 - description: Physical access to assets is managed, monitored, and enforced commensurate - with risk - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Use security guards, security cameras, locked entrances, alarm systems, - and other physical controls to monitor facilities and restrict access - - Ex2: Employ additional physical security controls for areas that contain high-risk - assets - - Ex3: Escort guests, vendors, and other third parties within areas that contain - business-critical assets' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.AT - name: Awareness and Training - description: The organization's personnel are provided with cybersecurity awareness - and training so that they can perform their cybersecurity-related tasks - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at - ref_id: PR.AT-01 - description: Personnel are provided with awareness and training so that they - possess the knowledge and skills to perform general tasks with cybersecurity - risks in mind - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Provide basic cybersecurity awareness and training to employees, contractors, - partners, suppliers, and all other users of the 
organization''s non-public - resources - - Ex2: Train personnel to recognize social engineering attempts and other common - attacks, report attacks and suspicious activity, comply with acceptable use - policies, and perform basic cyber hygiene tasks (e.g., patching software, - choosing passwords, protecting credentials) - - Ex3: Explain the consequences of cybersecurity policy violations, both to - individual users and the organization as a whole - - Ex4: Periodically assess or test users on their understanding of basic cybersecurity - practices - - Ex5: Require annual refreshers to reinforce existing practices and introduce - new practices' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at - ref_id: PR.AT-02 - description: Individuals in specialized roles are provided with awareness and - training so that they possess the knowledge and skills to perform relevant - tasks with cybersecurity risks in mind - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Identify the specialized roles within the organization that require additional - cybersecurity training, such as physical and cybersecurity personnel, finance - personnel, senior leadership, and anyone with access to business-critical - data - - Ex2: Provide role-based cybersecurity awareness and training to all those - in specialized roles, including contractors, partners, suppliers, and other - third parties - - Ex3: Periodically assess or test users on their understanding of cybersecurity - practices for their specialized roles - - Ex4: Require annual refreshers to reinforce existing practices and introduce - new practices' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - assessable: false - depth: 2 - parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.DS - name: Data Security - description: Data are managed consistent with the organization's risk strategy - to protect the confidentiality, integrity, and availability of information - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-01 - description: The confidentiality, integrity, and availability of data-at-rest - are protected - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use encryption, digital signatures, and cryptographic hashes to protect - the confidentiality and integrity of stored data in files, databases, virtual - machine disk images, container images, and other resources - - Ex2: Use full disk encryption to protect data stored on user endpoints - - Ex3: Confirm the integrity of software by validating signatures - - Ex4: Restrict the use of removable media to prevent data exfiltration - - Ex5: Physically secure removable media containing unencrypted sensitive information, - such as within locked offices or file cabinets' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-02 - description: The confidentiality, integrity, and availability of data-in-transit - are protected - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use encryption, digital signatures, and cryptographic hashes to protect - the confidentiality and integrity of network communications - - Ex2: Automatically encrypt or block outbound emails and other communications - that contain 
sensitive data, depending on the data classification - - Ex3: Block access to personal email, file sharing, file storage services, - and other personal communications applications and services from organizational - systems and networks - - Ex4: Prevent reuse of sensitive data from production environments (e.g., customer - records) in development, testing, and other non-production environments' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-10 - description: The confidentiality, integrity, and availability of data-in-use - are protected - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Remove data that must remain confidential (e.g., from processors and - memory) as soon as it is no longer needed - - Ex2: Protect data in use from access by other users and processes of the same - platform' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-11 - description: Backups of data are created, protected, maintained, and tested - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Continuously back up critical data in near-real-time, and back up other - data frequently at agreed-upon schedules - - Ex2: Test backups and restores for all types of data sources at least annually - - Ex3: Securely store some backups offline and offsite so that an incident or - disaster will not damage them - - Ex4: Enforce geographic separation and geolocation restrictions for data backup - storage' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - 
assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.PS - name: Platform Security - description: The hardware, software (e.g., firmware, operating systems, applications), - and services of physical and virtual platforms are managed consistent with - the organization's risk strategy to protect their confidentiality, integrity, - and availability - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-01 - description: Configuration management practices are established and applied - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Establish, test, deploy, and maintain hardened baselines that enforce - the organization''s cybersecurity policies and provide only essential capabilities - (i.e., principle of least functionality) - - Ex2: Review all default configuration settings that may potentially impact - cybersecurity when installing or upgrading software - - Ex3: Monitor implemented software for deviations from approved baselines' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-02 - description: Software is maintained, replaced, and removed commensurate with - risk - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Perform routine and emergency patching within the timeframes specified - in the vulnerability management plan - - Ex2: Update container images, and deploy new container instances to replace - rather than update existing instances - - Ex3: Replace end-of-life software and 
service versions with supported, maintained - versions - - Ex4: Uninstall and remove unauthorized software and services that pose undue - risks - - Ex5: Uninstall and remove any unnecessary software components (e.g., operating - system utilities) that attackers might misuse - - Ex6: Define and implement plans for software and service end-of-life maintenance - support and obsolescence' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-03 - description: Hardware is maintained, replaced, and removed commensurate with - risk - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Replace hardware when it lacks needed security capabilities or when it - cannot support software with needed security capabilities - - Ex2: Define and implement plans for hardware end-of-life maintenance support - and obsolescence - - Ex3: Perform hardware disposal in a secure, responsible, and auditable manner' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-04 - description: Log records are generated and made available for continuous monitoring - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Configure all operating systems, applications, and services (including - cloud-based services) to generate log records - - Ex2: Configure log generators to securely share their logs with the organization''s - logging infrastructure systems and services - - Ex3: Configure log generators to record the data needed by zero-trust architectures' 
- - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-05 - description: Installation and execution of unauthorized software are prevented - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: When risk warrants it, restrict software execution to permitted products - only or deny the execution of prohibited and unauthorized software - - Ex2: Verify the source of new software and the software''s integrity before - installing it - - Ex3: Configure platforms to use only approved DNS services that block access - to known malicious domains - - Ex4: Configure platforms to allow the installation of organization-approved - software only' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-06 - description: Secure software development practices are integrated, and their - performance is monitored throughout the software development life cycle - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Protect all components of organization-developed software from tampering - and unauthorized access - - Ex2: Secure all software produced by the organization, with minimal vulnerabilities - in their releases - - Ex3: Maintain the software used in production environments, and securely dispose - of software once it is no longer needed' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.IR - name: Technology Infrastructure Resilience - description: 
Security architectures are managed with the organization's risk - strategy to protect asset confidentiality, integrity, and availability, and - organizational resilience - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-01 - description: Networks and environments are protected from unauthorized logical - access and usage - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Logically segment organization networks and cloud-based platforms according - to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), - and permit required communications only between segments - - Ex2: Logically segment organization networks from external networks, and permit - only necessary communications to enter the organization''s networks from the - external networks - - Ex3: Implement zero trust architectures to restrict network access to each - resource to the minimum necessary - - Ex4: Check the cyber health of endpoints before allowing them to access and - use production resources' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-02 - description: The organization's technology assets are protected from environmental - threats - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Protect organizational equipment from known environmental threats, such - as flooding, fire, wind, and excessive heat and humidity - - Ex2: Include protection from environmental threats and provisions for 
adequate - operating infrastructure in requirements for service providers that operate - systems on the organization''s behalf' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-03 - description: Mechanisms are implemented to achieve resilience requirements in - normal and adverse situations - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Avoid single points of failure in systems and infrastructure - - Ex2: Use load balancing to increase capacity and improve reliability - - Ex3: Use high-availability components like redundant storage and power supplies - to improve system reliability' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-04 - description: Adequate resource capacity to ensure availability is maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 - name: Examples - description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth, - and other resources - - Ex2: Forecast future needs, and scale resources accordingly' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de - assessable: false - depth: 1 - ref_id: DE - name: DETECT - description: Possible cybersecurity attacks and compromises are found and analyzed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de - ref_id: DE.CM - name: Continuous Monitoring - description: Assets are monitored to find anomalies, indicators of compromise, - and other potentially adverse events - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-01 - description: Networks and network services are monitored to find potentially - adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 - name: Examples - description: 'Ex1: Monitor DNS, BGP, and other network services for adverse - events - - Ex2: Monitor wired and wireless networks for connections from unauthorized - endpoints - - Ex3: Monitor facilities for unauthorized or rogue wireless networks - - Ex4: Compare actual network flows against baselines to detect deviations - - Ex5: Monitor network communications to identify changes in security postures - for zero trust purposes - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-02 - description: The physical environment is monitored to find potentially adverse - events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 - name: Examples - description: 'Ex1: Monitor logs from physical access control systems (e.g., - badge readers) to find unusual access patterns (e.g., deviations from the - norm) and failed access attempts - - Ex2: Review and monitor physical access records (e.g., from visitor registration, - sign-in sheets) - - Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) - for signs of tampering - - Ex4: Monitor the physical environment using alarm systems, cameras, and security - guards - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-03 - 
description: Personnel activity and technology usage are monitored to find potentially - adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 - name: Examples - description: 'Ex1: Use behavior analytics software to detect anomalous user - activity to mitigate insider threats - - Ex2: Monitor logs from logical access control systems to find unusual access - patterns and failed access attempts - - Ex3: Continuously monitor deception technology, including user accounts, for - any usage - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-06 - description: External service provider activities and services are monitored - to find potentially adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 - name: Examples - description: 'Ex1: Monitor remote and onsite administration and maintenance - activities that external providers perform on organizational systems - - Ex2: Monitor activity from cloud-based services, internet service providers, - and other service providers for deviations from expected behavior - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-09 - description: Computing hardware and software, runtime environments, and their - data are monitored to find potentially adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 - name: Examples - description: 'Ex1: Monitor email, web, file sharing, collaboration services, - and other common attack vectors to detect 
malware, phishing, data leaks and - exfiltration, and other adverse events - - Ex2: Monitor authentication attempts to identify attacks against credentials - and unauthorized credential reuse - - Ex3: Monitor software configurations for deviations from security baselines - - Ex4: Monitor hardware and software for signs of tampering - - Ex5: Use technologies with a presence on endpoints to detect cyber health - issues (e.g., missing patches, malware infections, unauthorized software), - and redirect the endpoints to a remediation environment before access is authorized - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de - ref_id: DE.AE - name: Adverse Event Analysis - description: Anomalies, indicators of compromise, and other potentially adverse - events are analyzed to characterize the events and detect cybersecurity incidents - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-02 - description: Potentially adverse events are analyzed to better understand associated - activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 - name: Examples - description: 'Ex1: Use security information and event management (SIEM) or other - tools to continuously monitor log events for known malicious and suspicious - activity - - Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to - improve detection accuracy and characterize threat actors, their methods, - and indicators of compromise - - Ex3: Regularly conduct manual reviews of log events for technologies that - cannot be sufficiently monitored through automation - - Ex4: Use log analysis tools to generate reports on their findings - - 1st: 1st Party Risk' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-03 - description: Information is correlated from multiple sources - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 - name: Examples - description: 'Ex1: Constantly transfer log data generated by other sources to - a relatively small number of log servers - - Ex2: Use event correlation technology (e.g., SIEM) to collect information - captured by multiple sources - - Ex3: Utilize cyber threat intelligence to help correlate events among log - sources - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-04 - description: The estimated impact and scope of adverse events are understood - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 - name: Examples - description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and - review and refine the estimates - - Ex2: A person creates their own estimates of impact and scope - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-06 - description: Information on adverse events is provided to authorized staff and - tools - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 - name: Examples - description: 'Ex1: Use cybersecurity software to generate alerts and provide - them to the security operations center (SOC), incident responders, and incident - response tools - - Ex2: Incident responders and other 
authorized personnel can access log analysis - findings at all times - - Ex3: Automatically create and assign tickets in the organization''s ticketing - system when certain types of alerts occur - - Ex4: Manually create and assign tickets in the organization''s ticketing system - when technical staff discover indicators of compromise - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-07 - description: Cyber threat intelligence and other contextual information are - integrated into the analysis - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 - name: Examples - description: 'Ex1: Securely provide cyber threat intelligence feeds to detection - technologies, processes, and personnel - - Ex2: Securely provide information from asset inventories to detection technologies, - processes, and personnel - - Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s - technologies from suppliers, vendors, and third-party security advisories - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-08 - description: Incidents are declared when adverse events meet the defined incident - criteria - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 - name: Examples - description: 'Ex1: Apply incident criteria to known and assumed characteristics - of activity in order to determine whether an incident should be declared - - Ex2: Take known false positives into account when applying incident criteria - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - assessable: false - 
depth: 1 - ref_id: RS - name: RESPOND - description: Actions regarding a detected cybersecurity incident are taken - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.MA - name: Incident Management - description: Responses to detected cybersecurity incidents are managed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-01 - description: The incident response plan is executed in coordination with relevant - third parties once an incident is declared - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 - name: Examples - description: 'Ex1: Detection technologies automatically report confirmed incidents - - Ex2: Request incident response assistance from the organization''s incident - response outsourcer - - Ex3: Designate an incident lead for each incident - - Ex4: Initiate execution of additional cybersecurity plans as needed to support - incident response (for example, business continuity and disaster recovery) - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-02 - description: Incident reports are triaged and validated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related - and necessitate incident response activities - - Ex2: Apply criteria to estimate the severity of an incident' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 - assessable: true - depth: 3 - 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-03 - description: Incidents are categorized and prioritized - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Further review and categorize incidents based on the type of incident - (e.g., data breach, ransomware, DDoS, account compromise) - - Ex2: Prioritize incidents based on their scope, likely impact, and time-critical - nature - - Ex3: Select incident response strategies for active incidents by balancing - the need to quickly recover from an incident with the need to observe the - attacker or conduct a more thorough investigation' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-04 - description: Incidents are escalated or elevated as needed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Track and validate the status of all ongoing incidents - - Ex2: Coordinate incident escalation or elevation with designated internal - and external stakeholders' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-05 - description: The criteria for initiating incident recovery are applied - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Apply incident recovery criteria to known and assumed characteristics - of the incident to determine whether incident recovery processes should be - initiated - - 
Ex2: Take the possible operational disruption of incident recovery activities - into account' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.AN - name: Incident Analysis - description: Investigations are conducted to ensure effective response and support - forensics and recovery activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-03 - description: Analysis is performed to establish what has taken place during - an incident and the root cause of the incident - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Determine the sequence of events that occurred during the incident and - which assets and resources were involved in each event - - Ex2: Attempt to determine what vulnerabilities, threats, and threat actors - were directly or indirectly involved in the incident - - Ex3: Analyze the incident to find the underlying, systemic root causes - - Ex4: Check any cyber deception technology for additional information on attacker - behavior' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-06 - description: Actions performed during an investigation are recorded, and the - records' integrity and provenance are preserved - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Require each incident responder and others (e.g., system administrators, - cybersecurity engineers) who perform incident response tasks to record 
their - actions and make the record immutable - - Ex2: Require the incident lead to document the incident in detail and be responsible - for preserving the integrity of the documentation and the sources of all information - being reported' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-07 - description: Incident data and metadata are collected, and their integrity and - provenance are preserved - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident - data and metadata (e.g., data source, date/time of collection) based on evidence - preservation and chain-of-custody procedures' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-08 - description: An incident's magnitude is estimated and validated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review other potential targets of the incident to search for indicators - of compromise and evidence of persistence - - Ex2: Automatically run tools on targets to look for indicators of compromise - and evidence of persistence' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.CO - name: Incident Response Reporting and Communication - description: Response activities are coordinated with internal and external - stakeholders as required by laws, regulations, or policies - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co - ref_id: RS.CO-02 - description: Internal and external stakeholders are notified of incidents - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Follow the organization''s breach notification procedures after discovering - a data breach incident, including notifying affected customers - - Ex2: Notify business partners and customers of incidents in accordance with - contractual requirements - - Ex3: Notify law enforcement agencies and regulatory bodies of incidents based - on criteria in the incident response plan and management approval' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co - ref_id: RS.CO-03 - description: Information is shared with designated internal and external stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Securely share information consistent with response plans and information - sharing agreements - - Ex2: Voluntarily share information about an attacker''s observed TTPs, with - all sensitive data removed, with an Information Sharing and Analysis Center - (ISAC) - - Ex3: Notify HR when malicious insider activity occurs - - Ex4: Regularly update senior leadership on the status of major incidents - - Ex5: Follow the rules and protocols defined in contracts for incident information - sharing between the organization and its suppliers - - Ex6: Coordinate crisis communication methods between the organization and - its critical 
suppliers' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.MI - name: Incident Mitigation - description: Activities are performed to prevent expansion of an event and mitigate - its effects - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi - ref_id: RS.MI-01 - description: Incidents are contained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity - features of other technologies (e.g., operating systems, network infrastructure - devices) automatically perform containment actions - - Ex2: Allow incident responders to manually select and perform containment - actions - - Ex3: Allow a third party (e.g., internet service provider, managed security - service provider) to perform containment actions on behalf of the organization - - Ex4: Automatically transfer compromised endpoints to a remediation virtual - local area network (VLAN)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi - ref_id: RS.MI-02 - description: Incidents are eradicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Cybersecurity technologies and cybersecurity features of other technologies - (e.g., operating systems, network infrastructure devices) automatically perform - eradication actions - - Ex2: Allow incident responders to manually select and perform 
eradication - actions - - Ex3: Allow a third party (e.g., managed security service provider) to perform - eradication actions on behalf of the organization' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc - assessable: false - depth: 1 - ref_id: RC - name: RECOVER - description: Assets and operations affected by a cybersecurity incident are - restored - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc - ref_id: RC.RP - name: Incident Recovery Plan Execution - description: Restoration activities are performed to ensure operational availability - of systems and services affected by cybersecurity incidents - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-01 - description: The recovery portion of the incident response plan is executed - once initiated from the incident response process - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Begin recovery procedures during or after incident response processes - - Ex2: Make all individuals with recovery responsibilities aware of the plans - for recovery and the authorizations required to implement each aspect of the - plans' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-02 - description: Recovery actions are selected, scoped, prioritized, and performed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Select recovery actions based on the criteria defined in the incident - response 
plan and available resources - - Ex2: Change planned recovery actions based on a reassessment of organizational - needs and resources' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-03 - description: The integrity of backups and other restoration assets is verified - before using them for restoration - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Check restoration assets for indicators of compromise, file corruption, - and other integrity issues before use' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-04 - description: Critical mission functions and cybersecurity risk management are - considered to establish post-incident operational norms - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use business impact and system categorization records (including service - delivery objectives) to validate that essential services are restored in the - appropriate order - - Ex2: Work with system owners to confirm the successful restoration of systems - and the return to normal operations - - Ex3: Monitor the performance of restored systems to verify the adequacy of - the restoration' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-05 - description: The integrity of restored assets is verified, systems and services - are restored, and normal operating status is confirmed - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:node234 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Check restored assets for indicators of compromise and remediation of - root causes of the incident before production use - - Ex2: Verify the correctness and adequacy of the restoration actions taken - before putting a restored system online' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-06 - description: The end of incident recovery is declared based on criteria, and - incident-related documentation is completed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Prepare an after-action report that documents the incident itself, the - response and recovery actions taken, and lessons learned - - Ex2: Declare the end of incident recovery once the criteria are met' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc - ref_id: RC.CO - name: Incident Recovery Communication - description: Restoration activities are coordinated with internal and external - parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co - ref_id: RC.CO-03 - description: Recovery activities and progress in restoring operational capabilities - are communicated to designated internal and external stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - 
Ex1: Securely share recovery information, including restoration progress, - consistent with response plans and information sharing agreements - - Ex2: Regularly update senior leadership on recovery status and restoration - progress for major incidents - - Ex3: Follow the rules and protocols defined in contracts for incident information - sharing between the organization and its suppliers - - Ex4: Coordinate crisis communication between the organization and its critical - suppliers' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co - ref_id: RC.CO-04 - description: Public updates on incident recovery are shared using approved methods - and messaging - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Follow the organization''s breach notification procedures for recovering - from a data breach incident - - Ex2: Explain the steps being taken to recover from the incident and to prevent - a recurrence'
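Review bot: Removing the whole DE.AE-07/DE.AE-08, RS.* and RC.* requirement-node subtree, every `urn:intuitem:risk:req_node:nist-csf-2.0:...` identifier included, has no replacement visible in the shown hunk lines; if these nodes are re-added further down with the same `urn`, `depth` and `parent_urn` values the change is a no-op, but any drift in those URNs will orphan existing requirement assessments that reference them, so please state in the PR description whether the URNs are preserved and, if not, add the corresponding migration. Separately, the removed `description` strings embed the `1st: 1st Party Risk` / `3rd: 3rd Party Risk` tags inside free text and place them inconsistently (node189 and node191 put the tag after the examples, node197 onward put it first, node215 and node217 carry both); when this content is reinstated, consider moving these tags into a dedicated structured field rather than prose so they can be filtered on, and keep the placement uniform.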