diff --git a/backend/library/libraries/ccb-cff-2023-03-01.yaml b/backend/library/libraries/ccb-cff-2023-03-01.yaml new file mode 100644 index 000000000..629c806a4 --- /dev/null +++ b/backend/library/libraries/ccb-cff-2023-03-01.yaml 
@@ -0,0 +1,3377 @@ +urn: urn:intuitem:risk:library:ccb-cff-2023-03-01 +locale: en +ref_id: CCB-CFF-2023-03-01 +name: CCB CyberFundamentals Framework +description: Centre For Cybersecurity Belgium - CyberFundamentals Framework +copyright: All texts, layouts, designs and other elements of any nature in this document + are subject to copyright law. +version: 1 +provider: CCB +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:ccb-cff-2023-03-01 + ref_id: CCB-CFF-2023-03-01 + name: CCB CyberFundamentals Framework + description: Centre For Cybersecurity Belgium - CyberFundamentals Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY (ID) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.AM + name: Asset Management + description: "The data, personnel, devices, systems, and facilities that enable\ + \ the organization to achieve business purposes are identified and managed\ + \ consistent with their relative importance to organizational objectives and\ + \ the organization\u2019s risk strategy." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-1 + description: Physical devices and systems within the organization are inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: BASIC_ID.AM-1.1 + description: An inventory of assets associated with information and information + processing facilities within the organization shall be documented, reviewed, + and updated when changes occur. 
+ annotation: "\u2022\tThis inventory includes fixed and portable computers, tablets,\ + \ mobile phones, Programmable Logic Controllers (PLCs), sensors, actuators,\ + \ robots, machine tools, firmware, network switches, routers, power supplies,\ + \ and other networked components or devices. \n\u2022\tThis inventory must\ + \ include all assets, whether or not they are connected to the organization's\ + \ network.\n\u2022\tThe use of an IT asset management tool could be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.2 + description: "The inventory of assets associated with information and information\ + \ processing facilities shall reflect changes in the organization\u2019s\ + \ context and include all information necessary for effective accountability." + annotation: "\u2022\tInventory specifications include for example, manufacturer,\ + \ device type, model, serial number, machine names and network addresses,\ + \ physical location\u2026\n\u2022\tAccountability is the obligation to explain,\ + \ justify, and take responsibility for one's actions, it implies answerability\ + \ for the outcome of the task or process.\n\u2022\tChanges include the decommissioning\ + \ of material." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.3 + description: When unauthorized hardware is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported hardware without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized hardware can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: ID.AM-1.4 + description: Mechanisms for detecting the presence of unauthorized hardware + and firmware components within the organization's network shall be identified. + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to address unauthorized assets on a frequently\ + \ basis; The organization may choose to remove the asset from the network,\ + \ deny the asset from connecting remotely to the network, or quarantine the\ + \ asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-2 + description: Software platforms and applications within the organization are + inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: BASIC_ID.AM-2.1 + description: An inventory that reflects what software platforms and applications + are being used in the organization shall be documented, reviewed, and updated + when changes occur. + annotation: "\u2022\tThis inventory includes software programs, software platforms\ + \ and databases, even if outsourced (SaaS).\n\u2022\tOutsourcing arrangements\ + \ should be part of the contractual agreements with the provider.\n\u2022\t\ + Information in the inventory should include for example: name, description,\ + \ version, number of users, data processed, etc.\n\u2022\tA distinction should\ + \ be made between unsupported software and unauthorized software.\n\u2022\t\ + The use of an IT asset management tool could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.2 + description: "The inventory of software platforms and applications associated\ + \ with information and information processing shall reflect changes in the\ + \ organization\u2019s context and include all information necessary for effective\ + \ accountability." + annotation: The inventory of software platforms and applications should include + the title, publisher, initial install/use date, and business purpose for each + entry; where appropriate, include the Uniform Resource Locator (URL), app + store(s), version(s), deployment mechanism, and decommission date. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.3 + description: Individuals who are responsible and who are accountable for administering + software platforms and applications within the organization shall be identified. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.4 + description: When unauthorized software is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported software without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized software can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: ID.AM-2.5 + description: "Mechanisms for detecting the presence of unauthorized software\ + \ within the organization\u2019s ICT/OT environment shall be identified. " + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to regularly address unauthorised assets;\ + \ The organization may choose to remove the asset from the network, deny the\ + \ asset from connecting remotely to the network, or quarantine the asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-3 + description: Organizational communication and data flows are mapped + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: BASIC_ID.AM-3.1 + description: Information that the organization stores and uses shall be identified. + annotation: "\u2022\tStart by listing all the types of information your business\ + \ stores or uses. Define \u201Cinformation type\u201D in any useful way that\ + \ makes sense to your business. You may want to have your employees make a\ + \ list of all the information they use in their regular activities. List everything\ + \ you can think of, but you do not need to be too specific. For example, you\ + \ may keep customer names and email addresses, receipts for raw material,\ + \ your banking information, or other proprietary information.\n\u2022\tConsider\ + \ mapping this information with the associated assets identified in the inventories\ + \ of physical devices, systems, software platforms and applications used within\ + \ the organization (see ID.AM-1 & ID.AM-2)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: IMPORTANT_ID.AM-3.2 + description: All connections within the organization's ICT/OT environment, and + to other organization-internal platforms shall be mapped, documented, approved, + and updated as appropriate. + annotation: "\u2022\tConnection information includes, for example, the interface\ + \ characteristics, data characteristics, ports, protocols, addresses, description\ + \ of the data, security requirements, and the nature of the connection.\n\u2022\ + \tConfiguration management can be used as supporting asset.\n\u2022\tThis\ + \ documentation should not be stored only on the network it represents.\n\u2022\ + \tConsider keeping a copy of this documentation in a safe offline environment\ + \ (e.g. offline hard disk, paper hardcopy, \u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: ID.AM-3.3 + description: "The information flows/data flows within the organization\u2019\ + s ICT/OT environment, as well as to other organization-internal systems shall\ + \ be mapped, documented, authorized, and updated when changes occur." + annotation: "\u2022\tWith knowledge of the information/data flows within a system\ + \ and between systems, it is possible to determine where information can and\ + \ cannot go.\n\u2022\tConsider:\no\tEnforcing controls restricting connections\ + \ to only authorized interfaces.\no\tHeightening system monitoring activity\ + \ whenever there is an indication of increased risk to organization's critical\ + \ operations and assets.\no\tProtecting the system from information leakage\ + \ due to electromagnetic signals emanations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-4 + description: External information systems are catalogued + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: IMPORTANT_ID.AM-4.1 + description: The organization shall map, document, authorize and when changes + occur, update, all external services and the connections made with them. + annotation: "\u2022\tOutsourcing of systems, software platforms and applications\ + \ used within the organization is covered in ID.AM-1 & ID.AM-2\n\u2022\tExternal\ + \ information systems are systems or components of systems for which organizations\ + \ typically have no direct supervision and authority over the application\ + \ of security requirements and controls, or the determination of the effectiveness\ + \ of implemented controls on those systems i.e., services that are run in\ + \ cloud, SaaS, hosting or other external environments, API (Application Programming\ + \ Interface)\u2026\n\u2022\tMapping external services and the connections\ + \ made to them and authorizing them in advance avoids wasting unnecessary\ + \ resources investigating a supposedly non-authenticated connection to external\ + \ systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: ID.AM-4.2 + description: The flow of information to/from external systems shall be mapped, + documented, authorized, and update when changes occur. + annotation: Consider requiring external service providers to identify and document + the functions, ports, protocols, and services necessary for the connection + services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-5 + description: 'Resources (e.g., hardware, devices, data, time, personnel, and + software) are prioritized based on their classification, criticality, and + business value ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + ref_id: BASIC_ID.AM-5.1 + description: "The organization\u2019s resources (hardware, devices, data, time,\ + \ personnel, information, and software) shall be prioritized based on their\ + \ classification, criticality, and business value." + annotation: "\u2022\tDetermine organization\u2019s resources (e.g., hardware,\ + \ devices, data, time, personnel, information, and software):\no\tWhat would\ + \ happen to my business if these resources were made public, damaged, lost\u2026\ + ?\no\tWhat would happen to my business when the integrity of resources is\ + \ no longer guaranteed?\no\tWhat would happen to my business if I/my customers\ + \ couldn\u2019t access these resources? And rank these resources based on\ + \ their classification, criticality, and business value.\n\u2022\tResources\ + \ should include enterprise assets. \u2022\tCreate a classification for sensitive\ + \ information by first determining categories, e.g.\no\tPublic - freely accessible\ + \ to all, even externally\no\tInternal - accessible only to members of your\ + \ organization\no\tConfidential - accessible only to those whose duties require\ + \ access.\n\u2022\tCommunicate these categories and identify what types of\ + \ data fall into these categories (HR data, financial data, legal data, personal\ + \ data, etc.).\n\u2022\tConsider the use of the Traffic Light Protocol (TLP).\n\ + \u2022\tData classification should apply to the three aspects: C-I-A. 
Consider\ + \ implementing an automated tool, such as a host-based Data Loss Prevention\ + \ (DLP) tool to identify all sensitive data stored, processed, or transmitted\ + \ through enterprise assets, including those located onsite or at a remote\ + \ service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-6 + description: Cybersecurity roles, responsibilities, and authorities for the + entire workforce and third-party stakeholders are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: IMPORTANT_ID.AM-6.1 + description: Information security and cybersecurity roles, responsibilities + and authorities within the organization shall be documented, reviewed, authorized, + and updated and alignment with organization-internal roles and external partners. Key + Measure + annotation: "It should be considered to:\n\u2022\tDescribe security roles, responsibilities,\ + \ and authorities: who in your organization should be consulted, informed,\ + \ and held accountable for all or part of your assets.\n\u2022\tProvide security\ + \ roles, responsibilities, and authority for all key functions in information/cyber\ + \ security (legal, detection activities\u2026).\n\u2022\tInclude information/cybersecurity\ + \ roles and responsibilities for third-party providers (e.g., suppliers, customers,\ + \ partners) with physical or logical access to the organization\u2019s ICT/OT\ + \ environment." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: ID.AM-6.2 + description: The organization shall appoint an information security officer. 
+ annotation: The information security officer should be responsible for monitoring + the implementation of the organization's information/cyber security strategy + and safeguards. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.BE + name: Business Environment + description: "The organization\u2019s mission, objectives, stakeholders, and\ + \ activities are understood and prioritized; this information is used to inform\ + \ cybersecurity roles, responsibilities, and risk management decisions." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-1 + description: "The organization\u2019s role in the supply chain is identified\ + \ and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: IMPORTANT_ID.BE-1.1 + description: "The organization\u2019s role in the supply chain shall be identified,\ + \ documented, and communicated. " + annotation: "\u2022\tThe organisation should be able to clearly identify who\ + \ is upstream and downstream of the organisation and which suppliers provide\ + \ services, capabilities, products and items to the organisation.\n\u2022\t\ + The organisation should communicate its position to its upstream and downstream\ + \ so that it is understood where they sit in terms of critical importance\ + \ to the organisation's operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: ID.BE-1.2 + description: The organization shall protect its ICT/OT environment from supply + chain threats by applying security safeguards as part of a documented comprehensive + security strategy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-2 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector is identified and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + ref_id: IMPORTANT_ID.BE-2.1 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector shall be identified and communicated." + annotation: The organisation covered by NIS legislation has a responsibility + to know the other organisations in the same sector in order to work with them + to achieve the objectives set by NIS for that particular sector. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-3 + description: Priorities for organizational mission, objectives, and activities + are established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + ref_id: IMPORTANT_ID.BE-3.1 + description: Priorities for organizational mission, objectives, and activities + are established and communicated. 
+ annotation: Information protection needs should be determined, and the related + processes revised as necessary. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-4 + description: Dependencies and critical functions for delivery of critical services + are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + ref_id: IMPORTANT_ID.BE-4.1 + description: Dependencies and mission-critical functions for the delivery of + critical services shall be identified, documented, and prioritized according + to their criticality as part of the risk assessment process. + annotation: Dependencies and business critical functions should include support + services. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-5 + description: Resilience requirements to support delivery of critical services + are established for all operating states (e.g. under duress/attack, during + recovery, normal operations) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: IMPORTANT_ID.BE-5.1 + description: To support cyber resilience and secure the delivery of critical + services, the necessary requirements are identified, documented and their + implementation tested and approved. + annotation: "\u2022\tConsider implementing resiliency mechanisms to support\ + \ normal and adverse operational situations (e.g., failsafe, load balancing,\ + \ hot swap).\n\u2022\tConsider aspects of business continuity management in\ + \ e.g. 
Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business\ + \ Continuity Plan (BCP)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.2 + description: Information processing & supporting facilities shall implement + redundancy to meet availability requirements, as defined by the organization + and/or regulatory frameworks. + annotation: "\u2022\tConsider provisioning adequate data and network redundancy\ + \ (e.g. redundant network devices, servers with load balancing, raid arrays,\ + \ backup services, 2 separate datacentres, fail-over network connections,\ + \ 2 ISP's\u2026).\n\u2022\tConsider protecting critical equipment/services\ + \ from power outages and other failures due to utility interruptions (e.g.\ + \ UPS & NO-break, frequent test, service contracts that include regular maintenance,\ + \ redundant power cabling, 2 different power service providers...)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.3 + description: Recovery time and recovery point objectives for the resumption + of essential ICT/OT system processes shall be defined. + annotation: "\u2022\tConsider applying the 3-2-1 back-up rule to improve RPO\ + \ and RTO (maintain at least 3 copies of your data, keep 2 of them at separate\ + \ locations and one copy should be stored at an off-site location).\n\u2022\ + \tConsider implementing mechanisms such as hot swap, load balancing and failsafe\ + \ to increase resilience." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.GV + name: Governance + description: "The policies, procedures, and processes to manage and monitor\ + \ the organization\u2019s regulatory, legal, risk, environmental, and operational\ + \ requirements are understood and inform the management of cybersecurity risk." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-1 + description: Organizational cybersecurity policy is established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: BASIC_ID.GV-1.1 + description: Policies and procedures for information security and cyber security + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: "\u2022\tPolicies and procedures used to identify acceptable practices\ + \ and expectations for business operations, can be used to train new employees\ + \ on your information security expectations, and can aid an investigation\ + \ in case of an incident. These policies and procedures should be readily\ + \ accessible to employees.\n\u2022\tPolicies and procedures for information-\ + \ and cybersecurity should clearly describe your expectations for protecting\ + \ the organization\u2019s information and systems, and how management expects\ + \ the company\u2019s resources to be used and protected by all employees.\n\ + \u2022\tPolicies and procedures should be reviewed and updated at least annually\ + \ and every time there are changes in the organization or technology. Whenever\ + \ the policies are changed, employees should be made aware of the changes." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: IMPORTANT_ID.GV-1.2 + description: An organization-wide information security and cybersecurity policy + shall be established, documented, updated when changes occur, disseminated, + and approved by senior management. + annotation: "The policy should include, for example:\n\u2022\tThe identification\ + \ and assignment of roles, responsibilities, management commitment, coordination\ + \ among organizational entities, and compliance. Guidance on role profiles\ + \ along with their identified titles, missions, tasks, skills, knowledge,\ + \ competences is available in the \"European Cybersecurity Skills Framework\ + \ Role Profiles\" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles)\n\ + \u2022\tThe coordination among organizational entities responsible for the\ + \ different aspects of security (i.e., technical, physical, personnel, cyber-physical,\ + \ information, access control, media protection, vulnerability management,\ + \ maintenance, monitoring)\n\u2022\tThe coverage of the full life cycle of\ + \ the ICT/OT systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-3 + description: Legal and regulatory requirements regarding cybersecurity, including + privacy and civil liberties obligations, are understood and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: BASIC_ID.GV-3.1 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be understood and implemented. 
+ annotation: There are no additional guidelines. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: IMPORTANT_ID.GV-3.2 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be managed. + annotation: "\u2022\tThere should be regular reviews to ensure the continuous\ + \ compliance with legal and regulatory requirements regarding information/cybersecurity,\ + \ including privacy obligations.\n\u2022\tThis requirement also applies to\ + \ contractors and service providers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-4 + description: Governance and risk management processes address cybersecurity + risks + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: BASIC_ID.GV-4.1 + description: As part of the company's overall risk management, a comprehensive + strategy to manage information security and cybersecurity risks shall be developed + and updated when changes occur. + annotation: This strategy should include determining and allocating the required + resources to protect the organisation's business-critical assets. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: IMPORTANT_ID.GV-4.2 + description: "Information security and cybersecurity risks shall be documented,\ + \ formally approved, and updated when changes occur.\t" + annotation: Consider using Risk Management tools. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RA + name: Risk Assessment + description: The organization understands the cybersecurity risk to organizational + operations (including mission, functions, image, or reputation), organizational + assets, and individuals. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-1 + description: Asset vulnerabilities are identified and documented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: BASIC_ID.RA-1.1 + description: Threats and vulnerabilities shall be identified. + annotation: "\u2022\tA vulnerability refers to a weakness in the organization\u2019\ + s hardware, software, or procedures. It is a gap through which a bad actor\ + \ can gain access to the organization\u2019s assets. A vulnerability exposes\ + \ an organization to threats.\n\u2022\tA threat is a malicious or negative\ + \ event that takes advantage of a vulnerability. \n\u2022\tThe risk is the\ + \ potential for loss and damage when the threat does occur." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: IMPORTANT_ID.RA-1.2 + description: A process shall be established to monitor, identify, and document + vulnerabilities of the organisation's business critical systems in a continuous + manner. + annotation: "\u2022\tWhere safe and feasible, the use of vulnerability scanning\ + \ should be considered.\n\u2022\tThe organization should establish and maintain\ + \ a testing program appropriate to its size, complexity, and maturity." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: ID.RA-1.3 + description: "To ensure that organization's operations are not adversely impacted\ + \ by the testing process, performance/load testing and penetration testing\ + \ on the organization\u2019s systems shall be conducted with care." + annotation: Consider validating security measures after each penetration test. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-2 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: IMPORTANT_ID.RA-2.1 + description: ' A threat and vulnerability awareness program that includes a + cross-organization information-sharing capability shall be implemented. ' + annotation: A threat and vulnerability awareness program should include ongoing + contact with security groups and associations to receive security alerts and + advisories. (Security groups and associations include, for example, special + interest groups, forums, professional associations, news groups, and/or peer + groups of security professionals in similar organizations).This contact can + include the sharing of information about potential vulnerabilities and incidents. + This sharing capability should have an unclassified and classified information + sharing capability. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: ID.RA-2.2 + description: It shall be identified where automated mechanisms can be implemented + to make security alert and advisory information available to relevant organization + stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-5 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + determine risk + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: BASIC_ID.RA-5.1 + description: The organization shall conduct risk assessments in which risk is + determined by threats, vulnerabilities and impact on business processes and + assets. + annotation: "\u2022\tKeep in mind that threats exploit vulnerabilities.\n\u2022\ + \tIdentify the consequences that losses of confidentiality, integrity and\ + \ availability may have on the assets and related business processes." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: IMPORTANT_ID.RA-5.2 + description: The organization shall conduct and document risk assessments in + which risk is determined by threats, vulnerabilities, impact on business processes + and assets, and the likelihood of their occurrence. + annotation: "\u2022\tRisk assessment should include threats from insiders and\ + \ external parties.\n\u2022\tQualitative and/or quantitative risk analysis\ + \ methods \n(MAPGOOD, ISO27005, CIS RAM, \u2026) can be used together with\ + \ software tooling." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: ID.RA-5.3 + description: Risk assessment results shall be disseminated to relevant stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-6 + description: Risk responses are identified and prioritized + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + ref_id: IMPORTANT_ID.RA-6.1 + description: "A comprehensive strategy shall be developed and implemented to\ + \ manage risks to the organization\u2019s critical systems, that includes\ + \ the identification and prioritization of risk responses." + annotation: "\u2022\tManagement and employees should be involved in information-\ + \ and cybersecurity.\n\u2022\tIt should be identified what the most important\ + \ assets are, and how they are protected.\n\u2022\tIt should be clear what\ + \ impact will be if these assets are compromised.\n\u2022\tIt should be established\ + \ how the implementation of adequate mitigation measures will be organized." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RM + name: Risk Management Strategy + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support operational risk decisions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-1 + description: Risk management processes are established, managed, and agreed + to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + ref_id: IMPORTANT_ID.RM-1.1 + description: A cyber risk management process that identifies key internal and + external stakeholders and facilitates addressing risk-related issues and information + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: 'External stakeholders include customers, investors and shareholders, + suppliers, government agencies and the wider community. ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-2 + description: Organizational risk tolerance is determined and clearly expressed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + ref_id: IMPORTANT_ID.RM-2.1 + description: "The organization shall clearly determine it\u2019s risk appetite." + annotation: Determination and expression of risk tolerance (risk appetite) should + be in line with the policies on information security and cybersecurity, to + facilitate demonstration of coherence between policies, risk tolerance and + measures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-3 + description: "The organization\u2019s determination of risk tolerance is informed\ + \ by its role in critical infrastructure and sector specific risk analysis" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + ref_id: IMPORTANT_ID.RM-3.1 + description: "The organization\u2019s role in critical infrastructure and its\ + \ sector shall determine the organization\u2019s risk appetite." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.SC + name: Supply Chain Risk Management + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support risk decisions associated\ + \ with managing supply chain risk. The organization has established and implemented\ + \ the processes to identify, assess and manage supply chain risks." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-1 + description: Cyber supply chain risk management processes are identified, established, + assessed, managed, and agreed to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + ref_id: ID.SC-1.1 + description: The organization shall document, review, approve, update when changes + occur, and implement a cyber supply chain risk management process that supports + the identification, assessment, and mitigation of the risks associated with + the distributed and interconnected nature of ICT/OT product and service supply + chains. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-2 + description: 'Suppliers and third party partners of information systems, components, + and services are identified, prioritized, and assessed using a cyber supply + chain risk assessment process ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: IMPORTANT_ID.SC-2.1 + description: "The organization shall conduct cyber supply chain risk assessments\ + \ at least annually or when a change to the organization\u2019s critical systems,\ + \ operational environment, or supply chain occurs; These assessments shall\ + \ be documented, and the results disseminated to relevant stakeholders including\ + \ those responsible for ICT/OT systems." 
+ annotation: This assessment should identify and prioritize potential negative + impacts to the organization from the risks associated with the distributed + and interconnected nature of ICT/OT product and service supply chains. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: ID.SC-2.2 + description: "A documented list of all the organization\u2019s suppliers, vendors\ + \ and partners who may be involved in a major incident shall be established,\ + \ kept up-to-date and made available online and offline." + annotation: This list should include suppliers, vendors and partners contact + information and the services they provide, so they can be contacted for assistance + in the event of an outage or service degradation. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-3 + description: "Contracts with suppliers and third-party partners are used to\ + \ implement appropriate measures designed to meet the objectives of an organization\u2019\ + s cybersecurity program and Cyber Supply Chain Risk Management Plan." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: IMPORTANT_ID.SC-3.1 + description: Based on the results of the cyber supply chain risk assessment, + a contractual framework for suppliers and external partners shall be established + to address sharing of sensitive information and distributed and interconnected + ICT/OT products and services. 
+ annotation: "\u2022\tEntities not subject to the NIS legislation should consider\ + \ business critical suppliers and third-party partners only.\n\u2022\tKeep\ + \ in mind that GDPR requirements need to be fulfilled when business information\ + \ contains personal data (applicable on all levels), i.e. security measures\ + \ need to be addressed in the contractual framework." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.2 + description: "Contractual information security and cybersecurity\u2019 requirements\ + \ for suppliers and third-party partners shall be implemented to ensure a\ + \ verifiable flaw remediation process, and to ensure the correction of flaws\ + \ identified during \u2018information security and cybersecurity\u2019 testing\ + \ and evaluation." + annotation: "\u2022\tInformation systems containing software (or firmware) affected\ + \ by recently announced software flaws (and potential vulnerabilities resulting\ + \ from those flaws) should be identified.\n\u2022\tNewly released security\ + \ relevant patches, service packs, and hot fixes should be installed, and\ + \ these patches, service packs, and hot fixes are tested for effectiveness\ + \ and potential side effects on the organization\u2019s information systems\ + \ before installation. Flaws discovered during security assessments, continuous\ + \ monitoring, incident response activities, or information system error handling\ + \ are also addressed expeditiously. Flaw remediation should be incorporated\ + \ into configuration management as an emergency change." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.3 + description: "The organization shall establish contractual requirements permitting\ + \ the organization to review the \u2018information security and cybersecurity\u2019\ + \ programs implemented by suppliers and third-party partners." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-4 + description: Suppliers and third-party partners are routinely assessed using + audits, test results, or other forms of evaluations to confirm they are meeting + their contractual obligations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: IMPORTANT_ID.SC-4.1 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing audits, test results, and other evaluations." + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: ID.SC-4.2 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing third-party independent audits, test results, and other evaluations." + annotation: The depth of the review should depend on the criticality of delivered + products and services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-5 + description: Response and recovery planning and testing are conducted with suppliers + and third-party providers + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: IMPORTANT_ID.SC-5.1 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in response + and recovery planning activities. + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: ID.SC-5.2 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in testing + and execution of the response and recovery plans. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT (PR) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AC + name: Identity Management, Authentication and Access Control + description: Access to physical and logical assets and associated facilities + is limited to authorized users, processes, and devices, and is managed consistent + with the assessed risk of unauthorized access to authorized activities and + transactions. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-1 + description: Identities and credentials are issued, managed, verified, revoked, + and audited for authorized devices, users and processes + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: BASIC_PR.AC-1.1 + description: 'Identities and credentials for authorized devices and users shall + be managed.' + annotation: "Identities and credentials for authorized devices and users could\ + \ be managed through a password policy. A password policy is a set of rules\ + \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\ + (Not limitative list and measures to be considered as appropriate)\n\u2022\ + \tChange all default passwords.\n\u2022\tEnsure that no one works with administrator\ + \ privileges for daily tasks.\n\u2022\tKeep a limited and updated list of\ + \ system administrator accounts.\n\u2022\tEnforce password rules, e.g. passwords\ + \ must be longer than a state-of-the-art number of characters with a combination\ + \ of character types and changed periodically or when there is any suspicion\ + \ of compromise.\n\u2022\tUse only individual accounts and never share passwords.\n\ + \u2022\tImmediately disable unused accounts\n\u2022\tRights and privileges\ + \ are managed by user groups." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: IMPORTANT_PR.AC-1.2 + description: Identities and credentials for authorized devices and users shall + be managed, where feasible through automated mechanisms. 
+ annotation: "\u2022\tAutomated mechanisms can help to support the management\ + \ and auditing of information system credentials.\n\u2022\tConsider strong\ + \ user authentication, meaning an authentication based on the use of at least\ + \ two authentication factors from different categories of either knowledge\ + \ (something only the user knows), possession (something only the user possesses)\ + \ or inherence (something the user is) that are independent, in that the breach\ + \ of one does not compromise the reliability of the others, and is designed\ + \ in such a way to protect the confidentiality of the authentication data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.3 + description: System credentials shall be deactivated after a specified period + of inactivity unless it would compromise the safe operation of (critical) + processes. + annotation: "\u2022\tTo guarantee the safe operation, service accounts should\ + \ be used for running processes and services.\n\u2022\tConsider the use of\ + \ a formal access procedure for external parties." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.4 + description: "For transactions within the organization's critical systems, the\ + \ organization shall implement:\n\u2022\tmulti-factor end-user authentication\ + \ (MFA or \"strong authentication\").\n\u2022\tcertificate-based authentication\ + \ for system-to-system communications" + annotation: Consider the use of SSO (Single Sign On) in combination with MFA + for the organization's internal and external critical systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.5 + description: "The organization\u2019s critical systems shall be monitored for\ + \ atypical use of system credentials. Credentials associated with significant\ + \ risk shall be disabled." + annotation: "\u2022\tConsider limiting the number of failed login attempts by\ + \ implementing automatic lockout.\n\u2022\tThe locked account won\u2019t be\ + \ accessible until it has been reset or the account lockout duration elapses." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-2 + description: Physical access to assets is managed and protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: BASIC_PR.AC-2.1 + description: Physical access to the facility, servers and network components + shall be managed. + annotation: "\u2022\tConsider to strictly manage keys to access the premises\ + \ and alarm codes. The following rules should be considered:\no\tAlways retrieve\ + \ an employee's keys or badges when they leave the company permanently.\n\ + o\tChange company alarm codes frequently.\no\tNever give keys or alarm codes\ + \ to external service providers (cleaning agents, etc.), unless it is possible\ + \ to trace these accesses and restrict them technically to given time slots.\n\ + \u2022\tConsider to not leaving internal network access outlets accessible\ + \ in public areas. These public places can be waiting rooms, corridors..." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: IMPORTANT_PR.AC-2.2 + description: The management of physical access shall include measures related + to access in emergency situations. + annotation: "\u2022\tPhysical access controls may include, for example: lists\ + \ of authorized individuals, identity credentials, escort requirements, guards,\ + \ fences, turnstiles, locks, monitoring of facility access, camera surveillance.\n\ + \u2022\tThe following measures should be considered:\no\tImplement a badge\ + \ system and create different security zones.\no\tLimit physical access to\ + \ servers and network components to authorized personnel.\no\tLog all access\ + \ to servers and network components.\n\u2022\tVisitor access records should\ + \ be maintained, reviewed and acted upon as required." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.3 + description: Physical access to critical zones shall be controlled in addition + to the physical access to the facility. + annotation: "E.g. production, R&D, organization\u2019s critical systems equipment\ + \ (server rooms\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.4 + description: 'Assets related to critical zones shall be physically protected. ' + annotation: "\u2022\tConsider protecting power equipment, power cabling, network\ + \ cabling, and network access interfaces from accidental damage, disruption,\ + \ and physical tampering.\n\u2022\tConsider implementing redundant and physically\ + \ separated power systems for organization\u2019s critical operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-3 + description: Remote access is managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.1 + description: The organisation's wireless access points shall be secured. + annotation: "Consider the following when wireless networking is used:\n\u2022\ + \tChange the administrative password upon installation of a wireless access\ + \ points.\n\u2022\tSet the wireless access point so that it does not broadcast\ + \ its Service Set Identifier (SSID).\n\u2022\tSet your router to use at least\ + \ WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced\ + \ Encryption Standard (AES) for encryption.\n\u2022\tEnsure that wireless\ + \ internet access to customers is separated from your business network.\n\u2022\ + \tConnecting to unknown or unsecured / guest wireless access points, should\ + \ be avoided, and if unavoidable done through an encrypted virtual private\ + \ network (VPN) capability.\n\u2022\tManage all endpoint devices (fixed and\ + \ mobile) according to the organization's security policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.2 + description: The organization's networks when accessed remotely shall be secured, + including through multi-factor authentication (MFA). + annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, + remote desktop, and Virtual Private Network (VPNs). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: IMPORTANT_PR.AC-3.3 + description: "Usage restrictions, connection requirements, implementation guidance,\ + \ and authorizations for remote access to the organization\u2019s critical\ + \ systems environment shall be identified, documented and implemented. " + annotation: "Consider the following:\n\u2022\tRemote access methods include,\ + \ for example, wireless, broadband, Virtual Private Network (VPN) connections,\ + \ mobile device connections, and communications through external networks.\n\ + \u2022\tLogin credentials should be in line with company's user authentication\ + \ policies.\n\u2022\tRemote access for support activities or maintenance of\ + \ organizational assets should be approved, logged, and performed in a manner\ + \ that prevents unauthorized access.\n\u2022\tThe user should be made aware\ + \ of any remote connection to its device by a visual indication." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.4 + description: "Remote access to the organization\u2019s critical systems shall\ + \ be monitored and cryptographic mechanisms shall be implemented where determined\ + \ necessary." + annotation: This should include that only authorized use of privileged functions + from remote access is allowed. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.5 + description: The security for connections with external systems shall be verified + and framed by documented agreements. + annotation: Access from pre-defined IP addresses could be considered. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-4 + description: Access permissions and authorizations are managed, incorporating + the principles of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.1 + description: "Access permissions for users to the organization\u2019s systems\ + \ shall be defined and managed." + annotation: "The following should be considered:\n\u2022\tDraw up and review\ + \ regularly access lists per system (files, servers, software, databases,\ + \ etc.), possibly through analysis of the Active Directory in Windows-based\ + \ systems, with the objective of determining who needs what kind of access\ + \ (privileged or not), to what, to perform their duties in the organization.\n\ + \u2022\tSet up a separate account for each user (including any contractors\ + \ needing access) and require that strong, unique passwords be used for each\ + \ account.\n\u2022\tEnsure that all employees use computer accounts without\ + \ administrative privileges to perform typical work functions. This includes\ + \ separation of personal and admin accounts.\n\u2022\tFor guest accounts,\ + \ consider using the minimal privileges (e.g. internet access only) as required\ + \ for your business needs.\n\u2022\tPermission management should be documented\ + \ in a procedure and updated when appropriate.\n\u2022\tUse 'Single Sign On'\ + \ (SSO) when appropriate." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.2 + description: It shall be identified who should have access to the organization's + business's critical information and technology and the means to get access. + annotation: 'Means to get access may include: a key, password, code, or administrative + privilege.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.3 + description: 'Employee access to data and information shall be limited to the + systems and specific information they need to do their jobs (the principle + of Least Privilege).' + annotation: "The principle of Least Privilege should be understood as the principle\ + \ that a security architecture should be designed so that each employee is\ + \ granted the minimum system resources and authorizations that the employee\ + \ needs to perform its function. Consider to:\n\u2022\tNot allow any employee\ + \ to have access to all the business\u2019s information.\n\u2022\tLimit the\ + \ number of Internet accesses and interconnections with partner networks to\ + \ the strict necessary to be able to centralize and homogenize the monitoring\ + \ of exchanges more easily.\n\u2022\tEnsure that when an employee leaves the\ + \ business, all access to the business\u2019s information or systems is blocked\ + \ instantly." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.4 + description: 'Nobody shall have administrator privileges for daily tasks.' 
+ annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\ + \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\ + \ administration tasks.\n\u2022\tCreate unique local administrator passwords\ + \ and disable unused accounts.\n\u2022\tConsider prohibiting Internet browsing\ + \ from administrative accounts." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.5 + description: Where feasible, automated mechanisms shall be implemented to support + the management of user accounts on the organisation's critical systems, including + disabling, monitoring, reporting and deleting user accounts. + annotation: Consider separately identifying each person with access to the organization's + critical systems with a username to remove generic and anonymous accounts + and access. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.6 + description: Separation of duties (SoD) shall be ensured in the management of + access rights. + annotation: "Separation of duties includes, for example:\n\u2022\tdividing operational\ + \ functions and system support functions among different roles.\n\u2022\t\ + conducting system support functions with different individuals.\n\u2022\t\ + not allow a single individual to both initiate and approve a transaction (financial\ + \ or otherwise).\n\u2022\tensuring that security personnel administering access\ + \ control functions do not also administer audit functions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.7 + description: Priviliged users shall be managed and monitored. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.8 + description: Account usage restrictions for specific time periods and locations + shall be taken into account in the organization's security access policy and + applied accordingly. + annotation: Specific restrictions can include, for example, restricting usage + to certain days of the week, time of day, or specific durations of time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.9 + description: Priviliged users shall be managed, monitored and audited. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-5 + description: Network integrity is protected (e.g., network segregation, network + segmentation) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.1 + description: Firewalls shall be installed and activated on all the organization's + networks. + annotation: "Consider the following:\n\u2022\tInstall and operate a firewall\ + \ between your internal network and the Internet. 
This may be a function of\ + \ a (wireless) access point/router, or it may be a function of a router provided\ + \ by the Internet Service Provider (ISP).\n\u2022\tEnsure there is antivirus\ + \ software installed on purchased firewall solutions and ensure that the administrator\u2019\ + s log-in and administrative password is changed upon installation and regularly\ + \ thereafter.\n\u2022\tInstall, use, and update a software firewall on each\ + \ computer system (including smart phones and other networked devices).\n\u2022\ + \tHave firewalls on each of your computers and networks even if you use a\ + \ cloud service provider or a virtual private network (VPN). Ensure that for\ + \ telework home network and systems have hardware and software firewalls installed,\ + \ operational, and regularly updated.\n\u2022\tConsider installing an Intrusion\ + \ Detection / Prevention System (IDPS). These devices analyze network traffic\ + \ at a more detailed level and can provide a greater level of protection." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.2 + description: Where appropriate, network integrity of the organization's critical + systems shall be protected by incorporating network segmentation and segregation. + annotation: "\u2022\tConsider creating different security zones in the network\ + \ (e.g. Basic network segmentation through VLAN\u2019s or other network access\ + \ control mechanisms) and control/monitor the traffic between these zones.\n\ + \u2022\tWhen the network is \"flat\", the compromise of a vital network component\ + \ can lead to the compromise of the entire network." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.3 + description: 'Where appropriate, network integrity of the organization''s critical + systems shall be protected by + (1) Identifying, documenting, and controlling connections between system components. + (2) Limiting external connections to the organization''s critical systems.' + annotation: Boundary protection mechanisms include, for example, routers, gateways, + unidirectional gateways, data diodes, and firewalls separating system components + into logically separate networks or subnetworks. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.4 + description: 'The organization shall monitor and control connections and communications + at the external boundary and at key internal boundaries within the organization''s + critical systems by implementing boundary protection devices where appropriate. ' + annotation: "Consider implementing the following recommendations:\n\u2022\t\ + Separate your public WIFI network from your business network.\n\u2022\tProtect\ + \ your business WIFI with state-of-the-art encryption.\n\u2022\tImplement\ + \ a Network Access Control (NAC) solution.\n\u2022\tEncrypt connections to\ + \ your corporate network.\n\u2022\tDivide your network according to security\ + \ levels and apply firewall rules. Isolate your networks for server administration.\n\ + \u2022\tForce VPN on public networks.\n\u2022\tImplement a closed policy for\ + \ security gateways (deny all policy: only allow/open connections that have\ + \ been explicitly pre-authorized)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.5 + description: The organization shall implement, where feasible, authenticated + proxy servers for defined communications traffic between the organization's + critical systems and external networks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.6 + description: The organization shall ensure that the organization's critical + systems fail safely when a border protection device fails operationally. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-6 + description: Identities are proofed and bound to credentials and asserted in + interactions + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: IMPORTANT_PR.AC-6.1 + description: The organization shall implement documented procedures for verifying + the identity of individuals before issuing credentials that provide access + to organization's systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: PR.AC-6.2 + description: The organization shall ensure the use of unique credentials bound + to each verified user, device, and process interacting with the organization's + critical systems; make sure that they are authenticated, and that the unique + identifiers are captured when performing system interactions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-7 + description: "Users, devices, and other assets are authenticated (e.g., single-factor,\ + \ multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019\ + \ security and privacy risks and other organizational risks)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + ref_id: IMPORTANT_PR.AC-7.1 + description: "The organization shall perform a documented risk assessment on\ + \ organization's critical system transactions and authenticate users, devices,\ + \ and other assets (e.g., single-factor, multi-factor) commensurate with the\ + \ risk of the transaction (e.g., individuals\u2019 security and privacy risks\ + \ and other organizational risks)." + annotation: Consider a security-by-design approach for new systems; For existing + systems a separate risk assessment should be used. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AT + name: Awareness and Training + description: "The organization\u2019s personnel and partners are provided cybersecurity\ + \ awareness education and are trained to perform their cybersecurity-related\ + \ duties and responsibilities consistent with related policies, procedures,\ + \ and agreements." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-1 + description: 'All users are informed and trained ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.at-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: BASIC_PR.AT-1.1 + description: Employees shall be trained as appropriate. + annotation: "\u2022\tEmployees include all users and managers of the ICT/OT\ + \ systems, and they should be trained immediately when hired and regularly\ + \ thereafter about the company\u2019s information security policies and what\ + \ they will be expected to do to protect company\u2019s business information\ + \ and technology.\n\u2022\tTraining should be continually updated and reinforced\ + \ by awareness campaigns." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: IMPORTANT_PR.AT-1.2 + description: The organization shall incorporate insider threat recognition and + reporting into security awareness training. 
+ annotation: "Consider to:\n\u2022\tCommunicate and discuss regularly to ensure\ + \ that everyone is aware of their responsibilities.\n\u2022\tDevelop an outreach\ + \ program by gathering in a document the messages you want to convey to your\ + \ staff (topics, audiences, objectives, etc.) and your communication rhythm\ + \ on a calendar (weekly, monthly, one-time, etc.). Communicate continuously\ + \ and in an engaging way, involving management, IT colleagues, the ICT service\ + \ provider and HR and Communication managers.\n\u2022\tCover topics such as:\ + \ recognition of fraud attempts, phishing, management of sensitive information,\ + \ incidents, etc. The goal is for all employees to understand ways to protect\ + \ company information.\n\u2022\tDiscuss with your management, your ICT colleagues,\ + \ or your ICT service provider some practice scenarios (e.g. what to do if\ + \ a virus alert is triggered, if a storm cuts off the power, if data is blocked,\ + \ if an account is hacked, etc.), determine what behaviours to adopt, document\ + \ and communicate them to all your staff. The central point of contact in\ + \ the event of an incident should be known to all.\n\u2022\tOrganize a simulation\ + \ of a scenario to test your knowledge. Consider performing the exercise for\ + \ example at least once a year." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: PR.AT-1.3 + description: The organization shall implement an evaluation method to measure + the effectiveness of the awareness trainings. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-2 + description: 'Privileged users understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + ref_id: IMPORTANT_PR.AT-2.1 + description: Privileged users shall be qualified before privileges are granted, + and these users shall be able to demonstrate the understanding of their roles, + responsibilities, and authorities. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-3 + description: 'Third-party stakeholders (e.g., suppliers, customers, partners) + understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.1 + description: "The organization shall establish and enforce security requirements\ + \ for business-critical third-party providers and users.\t" + annotation: "Enforcement should include that \u2018third party stakeholder\u2019\ + -users (e.g. suppliers, customers, partners) can demonstrate the understanding\ + \ of their roles and responsibilities." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.2 + description: "Third-party providers shall be required to notify any personnel\ + \ transfers, termination, or transition involving personnel with physical\ + \ or logical access to organization's business critical system's components.\t" + annotation: Third-party providers include, for example, service providers, contractors, + and other organizations providing system development, technology services, + outsourced applications, or network and security management. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.3 + description: The organization shall monitor business critical service providers + and users for security compliance. + annotation: Third party audit results can be used as audit evidence. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: PR.AT-3.4 + description: The organization shall audit business-critical external service + providers for security compliance. + annotation: Third party audit results can be used as audit evidence. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-4 + description: 'Senior executives understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + ref_id: IMPORTANT_PR.AT-4.1 + description: Senior executives shall demonstrate the understanding of their + roles, responsibilities, and authorities. + annotation: Guidance on role profiles along with their identified titles, missions, + tasks, skills, knowledge, competences is available in the "European Cybersecurity + Skills Framework Role Profiles" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles + ) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-5 + description: 'Physical and cybersecurity personnel understand their roles and + responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + ref_id: IMPORTANT_PR.AT-5.1 + description: The organization shall ensure that personnel responsible for the + physical protection and security of the organization's critical systems and + facilities are qualified through training before privileges are granted, and + that they understand their responsibilities. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.DS + name: Data Security + description: "Information and records (data) are managed consistent with the\ + \ organization\u2019s risk strategy to protect the confidentiality, integrity,\ + \ and availability of information." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-1 + description: Data-at-rest is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + ref_id: PR.DS-1.1 + description: "The organization shall protect its critical system information\ + \ determined to be critical/ sensitive while at rest.\t" + annotation: "\u2022\tConsider using encryption techniques for data storage,\ + \ data transmission or data transport (e.g., laptop, USB).\n\u2022\tConsider\ + \ encrypting end-user devices and removable media containing sensitive data\ + \ (e.g. hard disks, laptops, mobile device, USB storage devices, \u2026).\ + \ This could be done by e.g. Windows BitLocker\xAE, VeraCrypt, Apple FileVault\xAE\ + , Linux\xAE dm-crypt,\u2026\n\u2022\tConsider encrypting sensitive data stored\ + \ in the cloud. The below measures should be considered:\n\u2022\tImplement\ + \ dedicated safeguards to prevent unauthorized access, distortion, or modification\ + \ of system data and audit records (e.g. restricted access rights, daily backups,\ + \ data encryption, firewall installation).\n\u2022\tEncrypt hard drives, external\ + \ media, stored files, configuration files and data stored in the cloud." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-2 + description: Data-in-transit is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + ref_id: PR.DS-2.1 + description: The organization shall protect its critical system information + determined to be critical when in transit. + annotation: When the organization often sends sensitive documents or e-mails, + it is recommended to encrypt those documents and/or e-mails with appropriate, + supported, and authorized software tools. If you send sensitive documents + or emails, you may want to consider encrypting those documents and/or emails + with appropriate, supported, and authorized software tools. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-3 + description: Assets are formally managed throughout removal, transfers, and + disposition + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ds-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: BASIC_PR.DS-3.1 + description: Assets and media shall be disposed of safely. + annotation: "\u2022\tWhen eliminating tangible assets like business computers/laptops,\ + \ servers, hard drive(s) and other storage media (USB drives, paper\u2026\ + ), ensure that all sensitive business or personal data are securely deleted\ + \ (i.e. electronically \u201Cwiped\u201D) before they are removed and then\ + \ physically destroyed (or re-commissioned). 
This is also known as \u201C\ + sanitization\u201D and thus related to the requirement and guidance in PR.IP-6.\n\ + \u2022\tConsider installing a remote-wiping application on company laptops,\ + \ tablets, cell phones, and other mobile devices." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.2 + description: The organization shall enforce accountability for all its business-critical + assets throughout the system lifecycle, including removal, transfers, and + disposition. + annotation: "Accountability should include:\n\u2022\tThe authorization for business-critical\ + \ assets to enter and exit the facility.\n\u2022\tMonitoring and maintaining\ + \ documentation related to the movements of business-critical assets." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.3 + description: The organization shall ensure that the necessary measures are taken + to deal with loss, misuse, damage, or theft of assets. + annotation: "This can be done by policies, processes & procedures (reporting),\ + \ technical & organizational means (encryption, Access Control (AC), Mobile\ + \ Device Management (MDM), monitoring, secure wipe, awareness, signed user\ + \ agreement, guidelines & manuals, backups, inventory update \u2026)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: PR.DS-3.4 + description: The organization shall ensure that disposal actions are approved, + tracked, documented, and verified. 
+ annotation: Disposal actions include media sanitization actions (See PR.IP-6) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-4 + description: Adequate capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.1 + description: Capacity planning shall ensure adequate resources for organization's + critical system information processing, networking, telecommunications, and + data storage. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.2 + description: Audit data from the organization's critical systems shall be moved + to an alternative system. + annotation: Be aware that log services can become a bottleneck and hinder the + correct functioning of the source systems. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: PR.DS-4.3 + description: "The organization\u2019s critical systems shall be protected against\ + \ denial-of-service attacks or at least the effect of such attacks will be\ + \ limited." + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-5 + description: Protections against data leaks are implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + ref_id: IMPORTANT_PR.DS-5.1 + description: The organization shall take appropriate actions resulting in the + monitoring of its critical systems at external borders and critical internal + points when unauthorized access and activities, including data leakage, is + detected. + annotation: "\u2022\tConsider implementing dedicated protection measures (restricted\ + \ access rights, daily backups, data encryption, installation of firewalls,\ + \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\ + \ configuration of the central directory (Active Directory in Windows environment),\ + \ with specific focus on the access to data of key persons in the company." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-6 + description: Integrity checking mechanisms are used to verify software, firmware, + and information integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: IMPORTANT_PR.DS-6.1 + description: The organization shall implement software, firmware, and information + integrity checks to detect unauthorized changes to its critical system components + during storage, transport, start-up and when determined necessary. 
+ annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.2 + description: The organization shall implement automated tools where feasible + to provide notification upon discovering discrepancies during integrity verification. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.3 + description: The organization shall implement automatic response capability + with pre-defined security safeguards when integrity violations are discovered. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-7 + description: The development and testing environment(s) are separate from the + production environment + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + ref_id: PR.DS-7.1 + description: The development and test environment(s) shall be isolated from + the production environment. + annotation: "\u2022\tAny change one wants to make to the ICT/OT environment\ + \ should first be tested in an environment that is different and separate\ + \ from the production environment (operational environment) before that change\ + \ is effectively implemented . 
That way, the effect of those changes can be\ + \ analysed and adjustments can be made without disrupting operational activities.\n\ + \u2022\tConsider adding and testing cybersecurity features as early as during\ + \ development (secure development lifecycle principles). \u2022\tAny change\ + \ one wants to make to the ICT/OT environment should first be tested in an\ + \ environment that is different and separate from the production environment\ + \ (operational environment) before that change is effectively implemented\ + \ . That way, the effect of those changes can be analysed and adjustments\ + \ can be made without disrupting operational activities.\n\u2022\tConsider\ + \ adding and testing cybersecurity features as early as during development\ + \ (secure development lifecycle principles)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-8 + description: Integrity checking mechanisms are used to verify hardware integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.1 + description: The organization shall implement hardware integrity checks to detect + unauthorized tampering to its critical system's hardware. + annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.2 + description: The organization shall incorporate the detection of unauthorized + tampering to its critical system's hardware into the organization incident + response capability. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.IP + name: Information Protection Processes and Procedures + description: 'Security policies (that address purpose, scope, roles, responsibilities, + management commitment, and coordination among organizational entities), processes, + and procedures are maintained and used to manage protection of information + systems and assets.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-1 + description: A baseline configuration of information technology/industrial control + systems is created and maintained incorporating security principles (e.g. + concept of least functionality) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: IMPORTANT_PR.IP-1.1 + description: 'The organization shall develop, document, and maintain a baseline + configuration for the its business critical systems. 
' + annotation: "\u2022\tThis control includes the concept of least functionality.\n\ + \u2022\tBaseline configurations include for example, information about organization's\ + \ business critical systems, current version numbers and patch information\ + \ on operating systems and applications, configuration settings/parameters,\ + \ network topology, and the logical placement of those components within the\ + \ system architecture.\n\u2022\tNetwork topology should include the nerve\ + \ points of the IT/OT environment (external connections, servers hosting data\ + \ and/or sensitive functions, DNS services security, etc.)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: PR.IP-1.2 + description: The organization shall configure its business-critical systems + to provide only essential capabilities; Therefore the baseline configuration + shall be reviewed, and unnecessary capabilities disabled. + annotation: "\u2022\tConfiguration of a system to provide only organization-defined\ + \ mission essential capabilities is known as the \u201Cconcept of least functionality\u201D\ + .\n\u2022\tCapabilities include functions, ports, protocols, software, and/or\ + \ services." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-2 + description: A System Development Life Cycle to manage systems is implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: IMPORTANT_PR.IP-2.1 + description: The system and application development life cycle shall include + security considerations. 
+ annotation: "\u2022\tSystem and application development life cycle should include\ + \ the acquisition process of the organization's business critical systems\ + \ and its components.\n\u2022\tVulnerability awareness and prevention training\ + \ for (web application) developers, and advanced social engineering awareness\ + \ training for high-profile roles should be considered.\n\u2022\tWhen hosting\ + \ internet facing applications the implementation of a web application firewall\ + \ (WAF) should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: PR.IP-2.2 + description: The development process for critical systems and system components + shall cover the full design cycle and shall provide a description of the functional + properties of security controls, and design and implementation information + for security-relevant system interfaces. + annotation: "The development cycle includes:\n\u2022\tAll development phases:\ + \ specification , design, development, implementation.\n\u2022\tConfiguration\ + \ management for planned and unplanned changes and change control during the\ + \ development.\n\u2022\tFlaw tracking & resolution.\n\u2022\tSecurity testing." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-3 + description: Configuration change control processes are in place + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: IMPORTANT_PR.IP-3.1 + description: Changes shall be tested and validated before being implemented + into operational systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: PR.IP-3.2 + description: For planned changes to the organization's critical systems, a security + impact analysis shall be performed in a separate test environment before implementation + in an operational environment. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-4 + description: 'Backups of information are conducted, maintained, and tested ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: BASIC_PR.IP-4.1 + description: Backups for organization's business critical data shall be conducted + and stored on a system different from the device on which the original data + resides + annotation: "\u2022\tOrganization's business critical system's data includes\ + \ for example software, configurations and settings, documentation, system\ + \ configuration data including computer configuration backups, application\ + \ configuration backups, etc.\n\u2022\tConsider a regular backup and put it\ + \ offline periodically.\n\u2022\tRecovery time and recovery point objectives\ + \ should be considered.\n\u2022\tConsider not storing the organization's data\ + \ backup on the same network as the system on which the original data resides\ + \ and provide an offline copy. Among other things, this prevents file encryption\ + \ by hackers (risk of ransomware)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.2 + description: The reliability and integrity of backups shall be verified and + tested on regular basis. + annotation: This should include regularly testing of the backup restore procedures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.3 + description: A separate alternate storage site for system backups shall be operated + and the same security safeguards as the primary storage location shall be + employed. + annotation: An offline backup of your data is ideally stored in a separate physical + location from the original data source and where feasible offsite for extra + protection and security. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.4 + description: Backup verification shall be coordinated with the functions in + the organization that are responsible for related plans. + annotation: "\u2022\tRelated plans include, for example, Business Continuity\ + \ Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications\ + \ Plans, Critical Infrastructure Plans, and Cyber Incident response plans.\n\ + \u2022\tRestoration of backup data during contingency plan testing should\ + \ be provided." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.5 + description: Critical system backup shall be separated from critical information + backup. 
+ annotation: Seperation of critical system backup from critical information backup + should lead to a shorter recovery time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-5 + description: Policy and regulations regarding the physical operating environment + for organizational assets are met + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: IMPORTANT_PR.IP-5.1 + description: The organization shall define, implement, and enforce policy and + procedures regarding emergency and safety systems, fire protection systems, + and environment controls for its critical systems. + annotation: "The below measures should be considered:\n\u2022\tProtect unattended\ + \ computer equipment with padlocks or a locker and key system.\n\u2022\tFire\ + \ suppression mechanisms should take the organization's critical system environment\ + \ into account (e.g., water sprinkler systems could be hazardous in specific\ + \ environments)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: PR.IP-5.2 + description: The organization shall implement fire detection devices that activate + and notify key personnel automatically in the event of a fire. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-6 + description: Data is destroyed according to policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: IMPORTANT_PR.IP-6.1 + description: The organization shall ensure that its critical system's data is + destroyed according to policy. + annotation: "\u2022\tDisposal actions include media sanitization actions (See\ + \ PR.DS-3)\n\u2022\tThere are two primary types of media in common use:\n\ + o\tHard copy media (physical representations of information)\no\tElectronic\ + \ or soft copy media (the bits and bytes contained in hard drives, random\ + \ access memory (RAM), read-only memory (ROM), disks, memory devices, phones,\ + \ mobile computing devices, networking equipment\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: PR.IP-6.2 + description: Sanitation processes shall be documented and tested. + annotation: "\u2022\tSanitation processes include procedures and equipment.\n\ + \u2022\tConsider applying non-destructive sanitization techniques to portable\ + \ storage devices.\n\u2022\tConsider sanitation procedures in proportion to\ + \ confidentiality requirements." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-7 + description: Protection processes are improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: IMPORTANT_PR.IP-7.1 + description: The organization shall incorporate improvements derived from the + monitoring, measurements, assessments, and lessons learned into protection + process updates (continuous improvement). + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.2 + description: The organization shall implement independent teams to assess the + protection process(es). + annotation: 'Independent teams, for example, may include internal or external + impartial personnel. + + Impartiality implies that assessors are free from any perceived or actual + conflicts of interest regarding the development, operation, or management + of the organization''s critical system under assessment or to the determination + of security control effectiveness.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.3 + description: The organization shall ensure that the security plan for its critical + systems facilitates the review, testing, and continual improvement of the + security protection processes. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-8 + description: 'Effectiveness of protection technologies is shared ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.1 + description: The organization shall collaborate and share information about + its critical system's related security incidents and mitigation measures with + designated partners. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.2 + description: Communication of effectiveness of protection technologies shall + be shared with appropriate parties. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.3 + description: The organization shall implement, where feasible, automated mechanisms + to assist in information collaboration. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-9 + description: Response plans (Incident Response and Business Continuity) and + recovery plans (Incident Recovery and Disaster Recovery) are in place and + managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-9.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: IMPORTANT_PR.IP-9.1 + description: Incident response plans (Incident Response and Business Continuity) + and recovery plans (Incident Recovery and Disaster Recovery) shall be established, + maintained, approved, and tested to determine the effectiveness of the plans, + and the readiness to execute the plans. + annotation: "\u2022\tThe incident response plan is the documentation of a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tPlans should incorporate recovery\ + \ objectives, restoration priorities, metrics, contingency roles, personnel\ + \ assignments and contact information.\n\u2022\tMaintaining essential functions\ + \ despite system disruption, and the eventual restoration of the organization\u2019\ + s systems, should be addressed.\n\u2022\tConsider defining incident types,\ + \ resources and management support needed to effectively maintain and mature\ + \ the incident response and contingency capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: PR.IP-9.2 + description: The organization shall coordinate the development and the testing + of incident response plans and recovery plans with stakeholders responsible + for related plans. 
+ annotation: Related plans include, for example, Business Continuity Plans, Disaster + Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, + Critical Infrastructure Plans, Cyber incident response plans, and Occupant + Emergency Plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-11 + description: Cybersecurity is included in human resources practices (e.g., deprovisioning, + personnel screening) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-11.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: BASIC_PR.IP-11.1 + description: "Personnel having access to the organization\u2019s most critical\ + \ information or technology shall be verified." + annotation: "\u2022\tThe access to critical information or technology should\ + \ be considered when recruiting, during employment and at termination.\n\u2022\ + \tBackground verification checks should take into consideration applicable\ + \ laws, regulations, and ethics in proportion to the business requirements,\ + \ the classification of the information to be accessed and the perceived risks." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-11.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: IMPORTANT_PR.IP-11.2 + description: Develop and maintain a human resource information/cyber security + process that is applicable when recruiting, during employment and at termination + of employment. 
+ annotation: "The human resource information/cyber security process should include\ + \ access to critical information or technology; background verification checks;\ + \ code of conduct; roles, authorities, and responsibilities\u2026" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-12 + description: A vulnerability management plan is developed and implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-12.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + ref_id: IMPORTANT_PR.IP-12.1 + description: The organization shall establish and maintain a documented process + that allows continuous review of vulnerabilities and strategies to mitigate + them. + annotation: "\u2022\tConsider inventorying sources likely to report vulnerabilities\ + \ in the identified components and distribute updates (software publisher\ + \ websites, CERT website, ENISA website).\n\u2022\tThe organization should\ + \ identify where its critical system's vulnerabilities may be exposed to adversaries." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.MA + name: Maintenance + description: Maintenance and repairs of industrial control and information system + components are performed consistent with policies and procedures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-1 + description: Maintenance and repair of organizational assets are performed and + logged, with approved and controlled tools + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ma-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: BASIC_PR.MA-1.1 + description: Patches and security updates for Operating Systems and critical + system components shall be installed. + annotation: "The following should be considered:\n\u2022\tLimit yourself to\ + \ only install those applications (operating systems, firmware, or plugins\ + \ ) that you need to run your business and patch/update them regularly.\n\u2022\ + \tYou should only install a current and vendor-supported version of software\ + \ you choose to use. It may be useful to assign a day each month to check\ + \ for patches.\n\u2022\tThere are products which can scan your system and\ + \ notify you when there is an update for an application you have installed.\ + \ If you use one of these products, make sure it checks for updates for every\ + \ application you use.\n\u2022\tInstall patches and security updates in a\ + \ timely manner." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.2 + description: The organization shall plan, perform and document preventive maintenance + and repairs on its critical system components according to approved processes + and tools. + annotation: 'Consider the below measures: + (1) Perform security updates on all software in a timely manner. + (2) Automate the update process and audit its effectiveness. 
+ (3) Introduce an internal patching culture on desktops, mobile devices, servers, + network components, etc. to ensure updates are tracked.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.3 + description: The organization shall enforce approval requirements, control, + and monitoring of maintenance tools for use on the its critical systems. + annotation: Maintenance tools can include, for example, hardware/software diagnostic + test equipment, hardware/software packet sniffers and laptops. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.4 + description: The organization shall verify security controls following hardware + maintenance or repairs, and take action as appropriate. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.5 + description: The organization shall prevent the unauthorized removal of maintenance + equipment containing organization's critical system information. + annotation: This requirement maily focuses mainly on OT/ICS environments. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.6 + description: 'Maintenance tools and portable storage devices shall be inspected + when brought into the facility and shall be protected by anti-malware solutions + so that they are scanned for malicious code before they are used on organization''s + systems.' + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.7 + description: The organization shall verify security controls following hardware + and software maintenance or repairs/patching and take action as appropriate. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-2 + description: Remote maintenance of organizational assets is approved, logged, + and performed in a manner that prevents unauthorized access + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.1 + description: Remote maintenance shall only occur after prior approval, monitoring + to avoid unauthorised access, and approval of the outcome of the maintenance + activities as described in approved processes or procedures. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.2 + description: The organization shall make sure that strong authenticators, record + keeping, and session termination for remote maintenance is implemented. 
+ annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: PR.MA-2.3 + description: The organization shall require that diagnostic services pertaining + to remote maintenance be performed from a system that implements a security + capability comparable to the capability implemented on the equivalent organization's + critical system. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.PT + name: Protective Technology + description: Technical security solutions are managed to ensure the security + and resilience of systems and assets, consistent with related policies, procedures, + and agreements. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-1 + description: Audit/log records are determined, documented, implemented, and + reviewed in accordance with policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: BASIC_PR.PT-1.1 + description: ' Logs shall be maintained, documented, and reviewed.' + annotation: "\u2022\tEnsure the activity logging functionality of protection\ + \ / detection hardware or software (e.g. firewalls, anti-virus) is enabled.\n\ + \u2022\tLogs should be backed up and saved for a predefined period.\n\u2022\ + \tThe logs should be reviewed for any unusual or unwanted trends, such as\ + \ a large use of social media websites or an unusual number of viruses consistently\ + \ found on a particular computer. 
These trends may indicate a more serious\ + \ problem or signal the need for stronger protections in a particular area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: IMPORTANT_PR.PT-1.2 + description: 'The organization shall ensure that the log records include an + authoritative time source or internal clock time stamp that are compared and + synchronized to an authoritative time source. ' + annotation: Authoritative time sources include for example, an internal Network + Time Protocol (NTP) server, radio clock, atomic clock, GPS time source. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.3 + description: "The organization shall ensure that audit processing failures on\ + \ the organization's systems generate alerts and trigger defined responses.\t" + annotation: The use of System Logging Protocol (Syslog) servers can be considered. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.4 + description: The organization shall enable authorized individuals to extend + audit capabilities when required by events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-2 + description: Removable media is protected and its use restricted according to + policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.1 + description: The usage restriction of portable storage devices shall be ensured + through an appropriate documented policy and supporting safeguards. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.2 + description: The organisation should technically prohibit the connection of + removable media unless strictly necessary; in other instances, the execution + of autoruns from such media should be disabled. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: PR.PT-2.3 + description: Portable storage devices containing system data shall be controlled + and protected while in transit and in storage. + annotation: Protection and control should include the scanning of all portable + storage devices for malicious code before they are used on organization's + systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-3 + description: The principle of least functionality is incorporated by configuring + systems to provide only essential capabilities + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: IMPORTANT_PR.PT-3.1 + description: The organization shall configure the business critical systems + to provide only essential capabilities. + annotation: Consider applying the principle of least functionality to access + systems and assets (see also PR.AC-4). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.2 + description: The organization shall disable defined functions, ports, protocols, + and services within its critical systems that it deems unnecessary. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.3 + description: The organization shall implement technical safeguards to enforce + a deny-all, permit-by-exception policy to only allow the execution of authorized + software programs. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-4 + description: Communications and control networks are protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: BASIC_PR.PT-4.1 + description: Web and e-mail filters shall be installed and used. + annotation: "\u2022\tE-mail filters should detect malicious e-mails, and filtering\ + \ should be configured based on the type of message attachments so that files\ + \ of the specified types are automatically processed (e.g. deleted).\n\u2022\ + \tWeb-filters should notify the user if a website may contain malware and\ + \ potentially preventing users from accessing that website." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.2 + description: The organization shall control the information flows/data flows + within its critical systems and between interconnected systems. + annotation: "Consider the following:\n\u2022\tInformation flow may be supported,\ + \ for example, by labelling or colouring physical connectors as an aid to\ + \ manual hook-up.\n\u2022\tInspection of message content may enforce information\ + \ flow policy. For example, a message containing a command to an actuator\ + \ may not be permitted to flow between the control network and any other network.\n\ + \u2022\tPhysical addresses (e.g., a serial port) may be implicitly or explicitly\ + \ associated with labels or attributes (e.g., hardware I/O address). Manual\ + \ methods are typically static. 
Label or attribute policy mechanisms may be\ + \ implemented in hardware, firmware, and software that controls or has device\ + \ access, such as device drivers and communications controllers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.3 + description: The organization shall manage the interface for external communication + services by establishing a traffic flow policy, protecting the confidentiality + and integrity of the information being transmitted; This includes the review + and documenting of each exception to the traffic flow policy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT (DE) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.AE + name: Anomalies and Events + description: Anomalous activity is detected and the potential impact of events + is understood. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-1 + description: A baseline of network operations and expected data flows for users + and systems is established and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + ref_id: DE.AE-1.1 + description: The organization shall ensure that a baseline of network operations + and expected data flows for its critical systems is developed, documented + and maintained to track events. 
+ annotation: "\u2022\tConsider enabling local logging on all your systems and\ + \ network devices and keep them for a certain period, for example up to 6\ + \ months.\n\u2022\tEnsure that your logs contain enough information (source,\ + \ date, user, timestamp, etc.) and that you have enough storage space for\ + \ their generation.\n\u2022\tConsider centralizing your logs.\n\u2022\tConsider\ + \ deploying a Security Information and Event Management tool (SIEM) that will\ + \ facilitate the correlation and analysis of your data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-2 + description: Detected events are analyzed to understand attack targets and methods + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: IMPORTANT_DE.AE-2.1 + description: The organization shall review and analyze detected events to understand + attack targets and methods. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: DE.AE-2.2 + description: 'The organization shall implement automated mechanisms where feasible + to review and analyze detected events. ' + annotation: Consider to review your logs regularly to identify anomalies or + abnormal events. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-3 + description: Event data are collected and correlated from multiple sources and + sensors + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.ae-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: BASIC_DE.AE-3.1 + description: "The activity logging functionality of protection / detection hardware\ + \ or software \n(e.g. firewalls, anti-virus) shall be enabled, backed-up and\ + \ reviewed." + annotation: "\u2022\tLogs should be backed up and saved for a predefined period.\n\ + \u2022\tThe logs should be reviewed for any unusual or unwanted trends, such\ + \ as a large use of social media websites or an unusual number of viruses\ + \ consistently found on a particular computer. These trends may indicate a\ + \ more serious problem or signal the need for stronger protections in a particular\ + \ area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: IMPORTANT_DE.AE-3.2 + description: The organization shall ensure that event data is compiled and correlated + across its critical systems using various sources such as event reports, audit + monitoring, network monitoring, physical access monitoring, and user/administrator + reports. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: DE.AE-3.3 + description: The organization shall integrate analysis of events where feasible + with the analysis of vulnerability scanning information; performance data; + its critical system's monitoring, and facility monitoring to further enhance + the ability to identify inappropriate or unusual activity. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-4 + description: Impact of events is determined + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + ref_id: DE.AE-4.1 + description: "Negative impacts to organization\u2019s operations, assets, and\ + \ individuals resulting from detected events shall be determined and correlated\ + \ with risk assessment outcomes." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-5 + description: Incident alert thresholds are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.1 + description: The organization shall implement automated mechanisms and system + generated alerts to support event detection and to assist in the identification + of security alert thresholds. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.2 + description: The organization shall define incident alert thresholds. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.CM + name: Security Continuous Monitoring + description: The information system and assets are monitored to identify cybersecurity + events and verify the effectiveness of protective measures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-1 + description: The network is monitored to detect potential cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: BASIC_DE.CM-1.1 + description: Firewalls shall be installed and operated on the network boundaries + and completed with firewall protection on the endpoints. + annotation: "\u2022\tEndpoints include desktops, laptops, servers...\n\u2022\ + \tConsider, where feasible, including smart phones and other networked devices\ + \ when installing and operating firewalls.\n\u2022\tConsider limiting the\ + \ number of interconnection gateways to the Internet." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: IMPORTANT_DE.CM-1.2 + description: The organization shall monitor and identify unauthorized use of + its business critical systems through the detection of unauthorized local + connections, network connections and remote connections. 
+ annotation: "\u2022\tMonitoring of network communications should happen at the\ + \ external boundary of the organization's business critical systems and at\ + \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\ + \ facing applications the implementation of a web application firewall (WAF)\ + \ should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: DE.CM-1.3 + description: "The organization shall conduct ongoing security status monitoring\ + \ of its network to detect defined information/cybersecurity events and indicators\ + \ of potential information/cybersecurity events.\t" + annotation: "Security status monitoring should include:\n\u2022\tThe generation\ + \ of system alerts when indications of compromise or potential compromise\ + \ occur.\n\u2022\tDetection and reporting of atypical usage of organization's\ + \ critical systems.\n\u2022\tThe establishment of audit records for defined\ + \ information/cybersecurity events.\n\u2022\tBoosting system monitoring activity\ + \ whenever there is an indication of increased risk.\n\u2022\tPhysical environment,\ + \ personnel, and service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-2 + description: The physical environment is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: IMPORTANT_DE.CM-2.1 + description: The physical environment of the facility shall be monitored for + potential information/cybersecurity events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: DE.CM-2.2 + description: The physical access to organization's critical systems and devices + shall be, on top of the physical access monitoring to the facility, increased + through physical intrusion alarms, surveillance equipment, independent surveillance + teams. + annotation: It is recommended to log all visitors. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-3 + description: Personnel activity is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: BASIC_DE.CM-3.1 + description: End point and network protection tools to monitor end-user behavior + for dangerous activity shall be implemented. + annotation: Consider deploying an Intrusion Detection/Prevention system (IDS/IPS). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.2 + description: End point and network protection tools that monitor end-user behavior + for dangerous activity shall be managed. + annotation: Consider using a centralized log platform for the consolidation + and exploitation of log files. Consider to actively investigate the alerts + generated because of suspicious activities and take the appropriate actions + to remediate the threat, e.g. through the deployment of a security operations + centre (SOC). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.3 + description: Software usage and installation restrictions shall be enforced. + annotation: Only authorized software should be used and user access rights should + be limited to the specific data, resources and applications needed to complete + a required task (least privilege principle). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-4 + description: Malicious code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: BASIC_DE.CM-4.1 + description: Anti-virus, -spyware, and other -malware programs shall be installed + and updated. + annotation: "\u2022\tMalware includes viruses, spyware, and ransomware and should\ + \ be countered by installing, using, and regularly updating anti-virus and\ + \ anti-spyware software on every device used in company\u2019s business (including\ + \ computers, smart phones, tablets, and servers).\n\u2022\tAnti-virus and\ + \ anti-spyware software should automatically check for updates in \u201Creal-time\u201D\ + \ or at least daily followed by system scanning as appropriate.\n\u2022\t\ + It should be considered to provide the same malicious code protection mechanisms\ + \ for home computers (e.g. teleworking) or personal devices that are used\ + \ for professional work (BYOD)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: DE.CM-4.2 + description: The organisation shall set up a system to detect false positives + while detecting and eradicating malicious code. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-5 + description: Unauthorized mobile code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + ref_id: IMPORTANT_DE.CM-5.1 + description: The organization shall define acceptable and unacceptable mobile + code and mobile code technologies; and authorize, monitor, and control the + use of mobile code within the system. + annotation: "\u2022\tMobile code includes any program, application, or content\ + \ that can be transmitted across a network (e.g., embedded in an email, document,\ + \ or website) and executed on a remote system. Mobile code technologies include\ + \ for example Java applets, JavaScript, HTML5, WebGL, and VBScript.\n\u2022\ + \tDecisions regarding the use of mobile code in organizational systems should\ + \ be based on the potential for the code to cause damage to the systems if\ + \ used maliciously. Usage restrictions and implementation guidance should\ + \ apply to the selection and use of mobile code installed." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-6 + description: External service provider activity is monitored to detect potential + cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.1 + description: All external connections by vendors supporting IT/OT applications + or infrastructure shall be secured and actively monitored to ensure that only + permissible actions occur during the connection. + annotation: This monitoring includes unauthorized personnel access, connections, + devices, and software. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.2 + description: External service providers' conformance with personnel security + policies and procedures and contract security requirements shall be monitored + relative to their cybersecurity risks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-7 + description: Monitoring for unauthorized personnel, connections, devices, and + software is performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: IMPORTANT_DE.CM-7.1 + description: The organization's business critical systems shall be monitored + for unauthorized personnel access, connections, devices, access points, and + software. 
+ annotation: "\u2022\tUnauthorized personnel access includes access by external\ + \ service providers.\n\u2022\tSystem inventory discrepancies should be included\ + \ in the monitoring.\n\u2022\tUnauthorized configuration changes to organization's\ + \ critical systems should be included in the monitoring." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: DE.CM-7.2 + description: Unauthorized configuration changes to organization's systems shall + be monitored and addressed with the appropriate mitigation actions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-8 + description: Vulnerability scans are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.1 + description: The organization shall monitor and scan for vulnerabilities in + its critical systems and hosted applications ensuring that system functions + are not adversely impacted by the scanning process. + annotation: Consider the implementation of a continuous vulnerability scanning + program; Including reporting and mitigation plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.2 + description: The vulnerability scanning process shall include analysis, remediation, + and information sharing. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.DP + name: Detection Processes + description: Detection processes and procedures are maintained and tested to + ensure awareness of anomalous events. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-2 + description: Detection activities comply with all applicable requirements + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + ref_id: IMPORTANT_DE.DP-2.1 + description: The organization shall conduct detection activities in accordance + with applicable federal and regional laws, industry regulations and standards, + policies, and other applicable requirements. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-3 + description: Detection processes are tested + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + ref_id: IMPORTANT_DE.DP-3.1 + description: The organization shall validate that event detection processes + are operating as intended. + annotation: "\u2022\tValidation includes testing.\n\u2022\tValidation should\ + \ be demonstrable." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-4 + description: Event detection information is communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + ref_id: IMPORTANT_DE.DP-4.1 + description: The organization shall communicate event detection information + to predefined parties. + annotation: Event detection information includes for example, alerts on atypical + account usage, unauthorized remote access, wireless connectivity, mobile device + connection, altered configuration settings, contrasting system component inventory, + use of maintenance tools and nonlocal maintenance, physical access, temperature + and humidity, equipment delivery and removal, communications at the information + system boundaries, use of mobile code, use of Voice over Internet Protocol + (VoIP), and malware disclosure. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-5 + description: Detection processes are continuously improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: IMPORTANT_DE.DP-5.1 + description: Improvements derived from the monitoring, measurement, assessment, + testing, review, and lessons learned, shall be incorporated into detection + process revisions. + annotation: "\u2022\tThis results in a continuous improvement of the detection\ + \ processes.\n\u2022\tThe use of independent teams to assess the detection\ + \ process could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: DE.DP-5.2 + description: The organization shall conduct specialized assessments including + in-depth monitoring, vulnerability scanning, malicious user testing, insider + threat assessment, performance/load testing, and verification and validation + testing on the organization's critical systems. + annotation: These activities can be outsourced, preferably to accredited organizations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + assessable: false + depth: 1 + ref_id: RS + name: RESPOND (RS) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.RP + name: Response Planning + description: Response processes and procedures are executed and maintained, + to ensure response to detected cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + ref_id: RS.RP-1 + description: Response plan is executed during or after an incident + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + ref_id: BASIC_RS.RP-1.1 + description: An incident response process, including roles, responsibilities, + and authorities, shall be executed during or after an information/cybersecurity + event on the organization's critical systems. 
+ annotation: "\u2022\tThe incident response process should include a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tThe roles, responsibilities, and authorities\ + \ in the incident response plan should be specific on involved people, contact\ + \ info, different roles and responsibilities, and who makes the decision to\ + \ initiate recovery procedures as well as who will be the contact with appropriate\ + \ external stakeholders. It should be considered to determine the causes of\ + \ an information/cybersecurity event and implement a corrective action in\ + \ order that the event does not recur or occur elsewhere (an infection by\ + \ malicious code on one machine did not have spread elsewhere in the network).\ + \ The effectiveness of any corrective action taken should be reviewed. Corrective\ + \ actions should be appropriate to the effects of the information/cybersecurity\ + \ event encountered.\nInternal Note: Requirements are covered in PR.IP-9" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.CO + name: Communications + description: Response activities are coordinated with internal and external + stakeholders (e.g. external support from law enforcement agencies). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-1 + description: Personnel know their roles and order of operations when a response + is needed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + ref_id: IMPORTANT_RS.CO-1.1 + description: The organization shall ensure that personnel understand their roles, + objectives, restoration priorities, task sequences (order of operations) and + assignment responsibilities for event response. + annotation: Consider the use the CCB Incident Management Guide to guide you + through this exercise and consider bringing in outside experts if needed. + Test your plan regularly and adjust it after each incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-2 + description: Incidents are reported consistent with established criteria + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: IMPORTANT_RS.CO-2.1 + description: The organization shall implement reporting on information/cybersecurity + incidents on its critical systems in an organization-defined time frame to + organization-defined personnel or roles. + annotation: All users should have a single point of contact to report any incident + and be encouraged to do so. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: RS.CO-2.2 + description: Events shall be reported consistent with established criteria. 
+ annotation: Criteria to report should be included in the incident response plan. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-3 + description: Information is shared consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: BASIC_RS.CO-3.1 + description: "Information/cybersecurity incident information shall be communicated\ + \ and shared with the organization\u2019s employees in a format that they\ + \ can understand." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: IMPORTANT_RS.CO-3.2 + description: The organization shall share information/cybersecurity incident + information with relevant stakeholders as foreseen in the incident response + plan. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-4 + description: Coordination with stakeholders occurs consistent with response + plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + ref_id: IMPORTANT_RS.CO-4.1 + description: The organization shall coordinate information/cybersecurity incident + response actions with all predefined stakeholders. 
+ annotation: "\u2022\tStakeholders for incident response include for example,\ + \ mission/business owners, organization's critical system owners, integrators,\ + \ vendors, human resources offices, physical and personnel security offices,\ + \ legal departments, operations personnel, and procurement offices.\n\u2022\ + \tCoordination with stakeholders occurs consistent with incident response\ + \ plans." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-5 + description: 'Voluntary information sharing occurs with external stakeholders + to achieve broader cybersecurity situational awareness ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + ref_id: IMPORTANT_RS.CO-5.1 + description: "The organization shall share information/cybersecurity event information\ + \ voluntarily, as appropriate, with external stakeholders, industry security\ + \ groups,\u2026 to achieve broader information/cybersecurity situational awareness." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.AN + name: Analysis + description: Analysis is conducted to ensure effective response and support + recovery activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-1 + description: Notifications from detection systems are investigated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: IMPORTANT_RS.AN-1.1 + description: The organization shall investigate information/cybersecurity-related + notifications generated from detection systems. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: RS.AN-1.2 + description: The organization shall implement automated mechanisms to assist + in the investigation and analysis of information/cybersecurity-related notifications. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-2 + description: The impact of the incident is understood + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: IMPORTANT_RS.AN-2.1 + description: Thorough investigation and result analysis shall be the base for + understanding the full implication of the information/cybersecurity incident. + annotation: "\u2022\tResult analysis can involve the outcome of determining\ + \ the correlation between the information of the detected event and the outcome\ + \ of risk assessments. 
In this way, insight is gained into the impact of the\ + \ event across the organization.\n\u2022\tConsider including detection of\ + \ unauthorized changes to its critical systems in its incident response capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: RS.AN-2.2 + description: The organization shall implement automated mechanisms to support + incident impact analysis. + annotation: Implementation could vary from a ticketing system to a Security + Information and Event Management (SIEM). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-3 + description: Forensics are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.1 + description: The organization shall provide on-demand audit review, analysis, + and reporting for after-the-fact investigations of information/cybersecurity + incidents. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.2 + description: The organization shall conduct forensic analysis on collected information/cybersecurity + event information to determine root cause. + annotation: Consider to determine the root cause of an incident. If necessary, + use forensics analysis on collected information/cybersecurity event information + to achieve this. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-4 + description: Incidents are categorized consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + ref_id: IMPORTANT_RS.AN-4.1 + description: Information/cybersecurity incidents shall be categorized according + to the level of severity and impact consistent with the evaluation criteria + included the incident response plan. + annotation: "\u2022\tIt should be considered to determine the causes of an information/cybersecurity\ + \ incident and implement a corrective action in order that the incident does\ + \ not recur or occur elsewhere.\n\u2022\tThe effectiveness of any corrective\ + \ action taken should be reviewed.\n\u2022\tCorrective actions should be appropriate\ + \ to the effects of the information/cybersecurity incident encountered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-5 + description: Processes are established to receive, analyze and respond to vulnerabilities + disclosed to the organization from internal and external sources (e.g. internal + testing, security bulletins, or security researchers) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: IMPORTANT_RS.AN-5.1 + description: 'The organization shall implement vulnerability management processes + and procedures that include processing, analyzing and remedying vulnerabilities + from internal and external sources. ' + annotation: Internal and external sources could be e.g. 
internal testing, security + bulletins, or security researchers. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: RS.AN-5.2 + description: The organization shall implement automated mechanisms to disseminate + and track remediation efforts for vulnerability information, captured from + internal and external sources, to key stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.MI + name: Mitigation + description: Activities are performed to prevent expansion of an event, mitigate + its effects, and resolve the incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + ref_id: RS.MI-1 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.mi-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + ref_id: IMPORTANT_RS.MI-1.1 + description: The organization shall implement an incident handling capability + for information/cybersecurity incidents on its business critical systems that + includes preparation, detection and analysis, containment, eradication, recovery + and documented risk acceptance. 
+ annotation: A documented risk acceptance deals with risks that the organisation + assesses as not dangerous to the organisation's business critical systems + and where the risk owner formally accepts the risk (related with the risk + appetite of the organization) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.IM + name: Improvements + description: Organizational response activities are improved by incorporating + lessons learned from current and previous detection/response activities. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-1 + description: Response plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: BASIC_RS.IM-1.1 + description: The organization shall conduct post-incident evaluations to analyse + lessons learned from incident response and recovery, and consequently improve + processes / procedures / technologies to enhance its cyber resilience. + annotation: Consider bringing involved people together after each incident and + reflect together on ways to improve what happened, how it happened, how we + reacted, how it could have gone better, what should be done to prevent it + from happening again, etc. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: IMPORTANT_RS.IM-1.2 + description: Lessons learned from incident handling shall be translated into + updated or new incident handling procedures that shall be tested, approved + and trained. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-2 + description: Response and Recovery strategies are updated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + ref_id: IMPORTANT_RS.IM-2.1 + description: The organization shall update the response and recovery plans + to address changes in its context. + annotation: "The organization\u2019s context relates to the organizational structure,\ + \ its critical systems, attack vectors, new threats, improved technology,\ + \ environment of operation, problems encountered during plan implementation/execution/testing\ + \ and lessons learned." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER (RC) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.RP + name: Recovery Planning + description: Recovery processes and procedures are executed and maintained to + ensure restoration of systems or assets affected by cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + ref_id: RC.RP-1 + description: 'Recovery plan is executed during or after a cybersecurity incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rc.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: BASIC_RC.RP-1.1 + description: A recovery process for disasters and information/cybersecurity + incidents shall be developed and executed as appropriate. 
+ annotation: "A process should be developed for what immediate actions will be\ + \ taken in case of a fire, medical emergency, burglary, natural disaster,\ + \ or an information/cyber security incident.\nThis process should consider:\n\ + \u2022\tRoles and Responsibilities, including of who makes the decision to\ + \ initiate recovery procedures and who will be the contact with appropriate\ + \ external stakeholders.\n\u2022\tWhat to do with company\u2019s information\ + \ and information systems in case of an incident. This includes shutting down\ + \ or locking computers, moving to a backup site, physically removing important\ + \ documents, etc.\n\u2022\tWho to call in case of an incident." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: RC.RP-1.2 + description: "The essential organization\u2019s functions and services shall\ + \ be continued with little or no loss of operational continuity and continuity\ + \ shall be sustained until full system restoration." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.IM + name: Improvements + description: Recovery planning and processes are improved by incorporating lessons + learned into future activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + ref_id: RC.IM-1 + description: Recovery plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + ref_id: IMPORTANT_RC.IM-1.1 + description: The organization shall incorporate lessons learned from incident + recovery activities into updated or new system recovery procedures and, after + testing, frame this with appropriate training. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.CO + name: Communications + description: Restoration activities are coordinated with internal and external + parties (e.g. coordinating centers, Internet Service Providers, owners of + attacking systems, victims, other CSIRTs, and vendors). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-1 + description: Public relations are managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: IMPORTANT_RC.CO-1.1 + description: The organization shall centralize and coordinate how information + is disseminated and manage how the organization is presented to the public. 
+ annotation: "Public relations management may include, for example, managing\ + \ media interactions, coordinating and logging all requests for interviews,\ + \ handling and \u2018triaging\u2019 phone calls and e-mail requests, matching\ + \ media requests with appropriate and available internal experts who are ready\ + \ to be interviewed, screening all of information provided to the media, ensuring\ + \ personnel are familiar with public relations and privacy policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: RC.CO-1.2 + description: A Public Relations Officer shall be assigned. + annotation: "The Public Relations Officer should consider the use of pre-define\ + \ external contacts \n(e.g. press, regulators, interest groups)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-2 + description: 'Reputation is repaired after an incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + ref_id: RC.CO-2.1 + description: The organization shall implement a crisis response strategy to + protect the organization from the negative consequences of a crisis and help + restore its reputation. + annotation: Crisis response strategies include, for example, actions to shape + attributions of the crisis, change perceptions of the organization in crisis, + and reduce the negative effect generated by the crisis. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-3 + description: Recovery activities are communicated to internal and external stakeholders + as well as executive and management teams + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + ref_id: IMPORTANT_RC.CO-3.1 + description: The organization shall communicate recovery activities to predefined + stakeholders, executive and management teams. + annotation: Communication of recovery activities to all relevant stakeholders + applies only to entities subject to the NIS legislation. diff --git a/tools/ccb/ccb-cyberfundamentals.yaml b/tools/ccb/ccb-cyberfundamentals.yaml new file mode 100644 index 000000000..629c806a4 --- /dev/null +++ b/tools/ccb/ccb-cyberfundamentals.yaml 
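Review bot: the assurance level is being folded into `ref_id` (`IMPORTANT_RS.AN-1.1`, `BASIC_RS.IM-1.1`) while other depth-4 nodes in the same hunk carry the bare CCB identifier (`RS.AN-1.2`, `RS.AN-2.2`, `RC.CO-1.2`), so `ref_id` no longer matches the identifier the CCB document uses and a consumer cannot tell whether an unprefixed node belongs to a third level or simply lost its prefix; consider keeping `ref_id` as the CCB identifier and carrying the level in a dedicated field, or at minimum stating the convention (including what the absence of a prefix means) in the library `description`. Two smaller points in the same hunk: several quoted descriptions keep a trailing space from extraction (`description: 'Recovery plan is executed during or after a cybersecurity incident '`, `description: 'Reputation is repaired after an incident '`), which will surface in the UI and in exports and should be stripped; and `annotation: No additional guidance on this topic.` is used as a literal placeholder on many nodes, where omitting the key (or a null) would let consumers distinguish "no guidance" from real guidance without string matching. Finally, the header states `copyright: All texts, layouts, designs and other elements of any nature in this document are subject to copyright law` while the file reproduces the CCB text verbatim; the PR description should record the terms under which CCB permits this redistribution so the provenance of the library is clear.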
@@ -0,0 +1,3377 @@ +urn: urn:intuitem:risk:library:ccb-cff-2023-03-01 +locale: en +ref_id: CCB-CFF-2023-03-01 +name: CCB CyberFundamentals Framework +description: Centre For Cybersecurity Belgium - CyberFundamentals Framework +copyright: All texts, layouts, designs and other elements of any nature in this document + are subject to copyright law. +version: 1 +provider: CCB +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:ccb-cff-2023-03-01 + ref_id: CCB-CFF-2023-03-01 + name: CCB CyberFundamentals Framework + description: Centre For Cybersecurity Belgium - CyberFundamentals Framework + requirement_nodes: + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + assessable: false + depth: 1 + ref_id: ID + name: IDENTIFY (ID) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.AM + name: Asset Management + description: "The data, personnel, devices, systems, and facilities that enable\ + \ the organization to achieve business purposes are identified and managed\ + \ consistent with their relative importance to organizational objectives and\ + \ the organization\u2019s risk strategy." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-1 + description: Physical devices and systems within the organization are inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: BASIC_ID.AM-1.1 + description: An inventory of assets associated with information and information + processing facilities within the organization shall be documented, reviewed, + and updated when changes occur. 
+ annotation: "\u2022\tThis inventory includes fixed and portable computers, tablets,\ + \ mobile phones, Programmable Logic Controllers (PLCs), sensors, actuators,\ + \ robots, machine tools, firmware, network switches, routers, power supplies,\ + \ and other networked components or devices. \n\u2022\tThis inventory must\ + \ include all assets, whether or not they are connected to the organization's\ + \ network.\n\u2022\tThe use of an IT asset management tool could be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.2 + description: "The inventory of assets associated with information and information\ + \ processing facilities shall reflect changes in the organization\u2019s\ + \ context and include all information necessary for effective accountability." + annotation: "\u2022\tInventory specifications include for example, manufacturer,\ + \ device type, model, serial number, machine names and network addresses,\ + \ physical location\u2026\n\u2022\tAccountability is the obligation to explain,\ + \ justify, and take responsibility for one's actions, it implies answerability\ + \ for the outcome of the task or process.\n\u2022\tChanges include the decommissioning\ + \ of material." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: IMPORTANT_ID.AM-1.3 + description: When unauthorized hardware is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported hardware without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized hardware can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1 + ref_id: ID.AM-1.4 + description: Mechanisms for detecting the presence of unauthorized hardware + and firmware components within the organization's network shall be identified. + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to address unauthorized assets on a frequently\ + \ basis; The organization may choose to remove the asset from the network,\ + \ deny the asset from connecting remotely to the network, or quarantine the\ + \ asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-2 + description: Software platforms and applications within the organization are + inventoried + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: BASIC_ID.AM-2.1 + description: An inventory that reflects what software platforms and applications + are being used in the organization shall be documented, reviewed, and updated + when changes occur. + annotation: "\u2022\tThis inventory includes software programs, software platforms\ + \ and databases, even if outsourced (SaaS).\n\u2022\tOutsourcing arrangements\ + \ should be part of the contractual agreements with the provider.\n\u2022\t\ + Information in the inventory should include for example: name, description,\ + \ version, number of users, data processed, etc.\n\u2022\tA distinction should\ + \ be made between unsupported software and unauthorized software.\n\u2022\t\ + The use of an IT asset management tool could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.2 + description: "The inventory of software platforms and applications associated\ + \ with information and information processing shall reflect changes in the\ + \ organization\u2019s context and include all information necessary for effective\ + \ accountability." + annotation: The inventory of software platforms and applications should include + the title, publisher, initial install/use date, and business purpose for each + entry; where appropriate, include the Uniform Resource Locator (URL), app + store(s), version(s), deployment mechanism, and decommission date. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.3 + description: Individuals who are responsible and who are accountable for administering + software platforms and applications within the organization shall be identified. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: IMPORTANT_ID.AM-2.4 + description: When unauthorized software is detected, it shall be quarantined + for possible exception handling, removed, or replaced, and the inventory shall + be updated accordingly. + annotation: "\u2022\tAny unsupported software without an exception documentation,\ + \ is designated as unauthorized.\n\u2022\tUnauthorized software can be detected\ + \ during inventory, requests for support by the user or other means." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2 + ref_id: ID.AM-2.5 + description: "Mechanisms for detecting the presence of unauthorized software\ + \ within the organization\u2019s ICT/OT environment shall be identified. " + annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\ + \u2022\tThere should be a process to regularly address unauthorised assets;\ + \ The organization may choose to remove the asset from the network, deny the\ + \ asset from connecting remotely to the network, or quarantine the asset." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-3 + description: Organizational communication and data flows are mapped + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: BASIC_ID.AM-3.1 + description: Information that the organization stores and uses shall be identified. + annotation: "\u2022\tStart by listing all the types of information your business\ + \ stores or uses. Define \u201Cinformation type\u201D in any useful way that\ + \ makes sense to your business. You may want to have your employees make a\ + \ list of all the information they use in their regular activities. List everything\ + \ you can think of, but you do not need to be too specific. For example, you\ + \ may keep customer names and email addresses, receipts for raw material,\ + \ your banking information, or other proprietary information.\n\u2022\tConsider\ + \ mapping this information with the associated assets identified in the inventories\ + \ of physical devices, systems, software platforms and applications used within\ + \ the organization (see ID.AM-1 & ID.AM-2)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: IMPORTANT_ID.AM-3.2 + description: All connections within the organization's ICT/OT environment, and + to other organization-internal platforms shall be mapped, documented, approved, + and updated as appropriate. + annotation: "\u2022\tConnection information includes, for example, the interface\ + \ characteristics, data characteristics, ports, protocols, addresses, description\ + \ of the data, security requirements, and the nature of the connection.\n\u2022\ + \tConfiguration management can be used as supporting asset.\n\u2022\tThis\ + \ documentation should not be stored only on the network it represents.\n\u2022\ + \tConsider keeping a copy of this documentation in a safe offline environment\ + \ (e.g. offline hard disk, paper hardcopy, \u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 + ref_id: ID.AM-3.3 + description: "The information flows/data flows within the organization\u2019\ + s ICT/OT environment, as well as to other organization-internal systems shall\ + \ be mapped, documented, authorized, and updated when changes occur." + annotation: "\u2022\tWith knowledge of the information/data flows within a system\ + \ and between systems, it is possible to determine where information can and\ + \ cannot go.\n\u2022\tConsider:\no\tEnforcing controls restricting connections\ + \ to only authorized interfaces.\no\tHeightening system monitoring activity\ + \ whenever there is an indication of increased risk to organization's critical\ + \ operations and assets.\no\tProtecting the system from information leakage\ + \ due to electromagnetic signals emanations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-4 + description: External information systems are catalogued + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: IMPORTANT_ID.AM-4.1 + description: The organization shall map, document, authorize and when changes + occur, update, all external services and the connections made with them. + annotation: "\u2022\tOutsourcing of systems, software platforms and applications\ + \ used within the organization is covered in ID.AM-1 & ID.AM-2\n\u2022\tExternal\ + \ information systems are systems or components of systems for which organizations\ + \ typically have no direct supervision and authority over the application\ + \ of security requirements and controls, or the determination of the effectiveness\ + \ of implemented controls on those systems i.e., services that are run in\ + \ cloud, SaaS, hosting or other external environments, API (Application Programming\ + \ Interface)\u2026\n\u2022\tMapping external services and the connections\ + \ made to them and authorizing them in advance avoids wasting unnecessary\ + \ resources investigating a supposedly non-authenticated connection to external\ + \ systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 + ref_id: ID.AM-4.2 + description: The flow of information to/from external systems shall be mapped, + documented, authorized, and update when changes occur. + annotation: Consider requiring external service providers to identify and document + the functions, ports, protocols, and services necessary for the connection + services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-5 + description: 'Resources (e.g., hardware, devices, data, time, personnel, and + software) are prioritized based on their classification, criticality, and + business value ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 + ref_id: BASIC_ID.AM-5.1 + description: "The organization\u2019s resources (hardware, devices, data, time,\ + \ personnel, information, and software) shall be prioritized based on their\ + \ classification, criticality, and business value." + annotation: "\u2022\tDetermine organization\u2019s resources (e.g., hardware,\ + \ devices, data, time, personnel, information, and software):\no\tWhat would\ + \ happen to my business if these resources were made public, damaged, lost\u2026\ + ?\no\tWhat would happen to my business when the integrity of resources is\ + \ no longer guaranteed?\no\tWhat would happen to my business if I/my customers\ + \ couldn\u2019t access these resources? And rank these resources based on\ + \ their classification, criticality, and business value.\n\u2022\tResources\ + \ should include enterprise assets. \u2022\tCreate a classification for sensitive\ + \ information by first determining categories, e.g.\no\tPublic - freely accessible\ + \ to all, even externally\no\tInternal - accessible only to members of your\ + \ organization\no\tConfidential - accessible only to those whose duties require\ + \ access.\n\u2022\tCommunicate these categories and identify what types of\ + \ data fall into these categories (HR data, financial data, legal data, personal\ + \ data, etc.).\n\u2022\tConsider the use of the Traffic Light Protocol (TLP).\n\ + \u2022\tData classification should apply to the three aspects: C-I-A. 
Consider\ + \ implementing an automated tool, such as a host-based Data Loss Prevention\ + \ (DLP) tool to identify all sensitive data stored, processed, or transmitted\ + \ through enterprise assets, including those located onsite or at a remote\ + \ service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am + ref_id: ID.AM-6 + description: Cybersecurity roles, responsibilities, and authorities for the + entire workforce and third-party stakeholders are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: IMPORTANT_ID.AM-6.1 + description: Information security and cybersecurity roles, responsibilities + and authorities within the organization shall be documented, reviewed, authorized, + and updated and alignment with organization-internal roles and external partners. Key + Measure + annotation: "It should be considered to:\n\u2022\tDescribe security roles, responsibilities,\ + \ and authorities: who in your organization should be consulted, informed,\ + \ and held accountable for all or part of your assets.\n\u2022\tProvide security\ + \ roles, responsibilities, and authority for all key functions in information/cyber\ + \ security (legal, detection activities\u2026).\n\u2022\tInclude information/cybersecurity\ + \ roles and responsibilities for third-party providers (e.g., suppliers, customers,\ + \ partners) with physical or logical access to the organization\u2019s ICT/OT\ + \ environment." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 + ref_id: ID.AM-6.2 + description: The organization shall appoint an information security officer. 
+ annotation: The information security officer should be responsible for monitoring + the implementation of the organization's information/cyber security strategy + and safeguards. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.BE + name: Business Environment + description: "The organization\u2019s mission, objectives, stakeholders, and\ + \ activities are understood and prioritized; this information is used to inform\ + \ cybersecurity roles, responsibilities, and risk management decisions." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-1 + description: "The organization\u2019s role in the supply chain is identified\ + \ and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: IMPORTANT_ID.BE-1.1 + description: "The organization\u2019s role in the supply chain shall be identified,\ + \ documented, and communicated. " + annotation: "\u2022\tThe organisation should be able to clearly identify who\ + \ is upstream and downstream of the organisation and which suppliers provide\ + \ services, capabilities, products and items to the organisation.\n\u2022\t\ + The organisation should communicate its position to its upstream and downstream\ + \ so that it is understood where they sit in terms of critical importance\ + \ to the organisation's operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1 + ref_id: ID.BE-1.2 + description: The organization shall protect its ICT/OT environment from supply + chain threats by applying security safeguards as part of a documented comprehensive + security strategy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-2 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector is identified and communicated" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 + ref_id: IMPORTANT_ID.BE-2.1 + description: "The organization\u2019s place in critical infrastructure and its\ + \ industry sector shall be identified and communicated." + annotation: The organisation covered by NIS legislation has a responsibility + to know the other organisations in the same sector in order to work with them + to achieve the objectives set by NIS for that particular sector. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-3 + description: Priorities for organizational mission, objectives, and activities + are established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 + ref_id: IMPORTANT_ID.BE-3.1 + description: Priorities for organizational mission, objectives, and activities + are established and communicated. 
+ annotation: Information protection needs should be determined, and the related + processes revised as necessary. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-4 + description: Dependencies and critical functions for delivery of critical services + are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 + ref_id: IMPORTANT_ID.BE-4.1 + description: Dependencies and mission-critical functions for the delivery of + critical services shall be identified, documented, and prioritized according + to their criticality as part of the risk assessment process. + annotation: Dependencies and business critical functions should include support + services. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be + ref_id: ID.BE-5 + description: Resilience requirements to support delivery of critical services + are established for all operating states (e.g. under duress/attack, during + recovery, normal operations) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: IMPORTANT_ID.BE-5.1 + description: To support cyber resilience and secure the delivery of critical + services, the necessary requirements are identified, documented and their + implementation tested and approved. + annotation: "\u2022\tConsider implementing resiliency mechanisms to support\ + \ normal and adverse operational situations (e.g., failsafe, load balancing,\ + \ hot swap).\n\u2022\tConsider aspects of business continuity management in\ + \ e.g. 
Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business\ + \ Continuity Plan (BCP)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.2 + description: Information processing & supporting facilities shall implement + redundancy to meet availability requirements, as defined by the organization + and/or regulatory frameworks. + annotation: "\u2022\tConsider provisioning adequate data and network redundancy\ + \ (e.g. redundant network devices, servers with load balancing, raid arrays,\ + \ backup services, 2 separate datacentres, fail-over network connections,\ + \ 2 ISP's\u2026).\n\u2022\tConsider protecting critical equipment/services\ + \ from power outages and other failures due to utility interruptions (e.g.\ + \ UPS & NO-break, frequent test, service contracts that include regular maintenance,\ + \ redundant power cabling, 2 different power service providers...)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 + ref_id: ID.BE-5.3 + description: Recovery time and recovery point objectives for the resumption + of essential ICT/OT system processes shall be defined. + annotation: "\u2022\tConsider applying the 3-2-1 back-up rule to improve RPO\ + \ and RTO (maintain at least 3 copies of your data, keep 2 of them at separate\ + \ locations and one copy should be stored at an off-site location).\n\u2022\ + \tConsider implementing mechanisms such as hot swap, load balancing and failsafe\ + \ to increase resilience." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.GV + name: Governance + description: "The policies, procedures, and processes to manage and monitor\ + \ the organization\u2019s regulatory, legal, risk, environmental, and operational\ + \ requirements are understood and inform the management of cybersecurity risk." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-1 + description: Organizational cybersecurity policy is established and communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: BASIC_ID.GV-1.1 + description: Policies and procedures for information security and cyber security + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: "\u2022\tPolicies and procedures used to identify acceptable practices\ + \ and expectations for business operations, can be used to train new employees\ + \ on your information security expectations, and can aid an investigation\ + \ in case of an incident. These policies and procedures should be readily\ + \ accessible to employees.\n\u2022\tPolicies and procedures for information-\ + \ and cybersecurity should clearly describe your expectations for protecting\ + \ the organization\u2019s information and systems, and how management expects\ + \ the company\u2019s resources to be used and protected by all employees.\n\ + \u2022\tPolicies and procedures should be reviewed and updated at least annually\ + \ and every time there are changes in the organization or technology. Whenever\ + \ the policies are changed, employees should be made aware of the changes." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1 + ref_id: IMPORTANT_ID.GV-1.2 + description: An organization-wide information security and cybersecurity policy + shall be established, documented, updated when changes occur, disseminated, + and approved by senior management. + annotation: "The policy should include, for example:\n\u2022\tThe identification\ + \ and assignment of roles, responsibilities, management commitment, coordination\ + \ among organizational entities, and compliance. Guidance on role profiles\ + \ along with their identified titles, missions, tasks, skills, knowledge,\ + \ competences is available in the \"European Cybersecurity Skills Framework\ + \ Role Profiles\" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles)\n\ + \u2022\tThe coordination among organizational entities responsible for the\ + \ different aspects of security (i.e., technical, physical, personnel, cyber-physical,\ + \ information, access control, media protection, vulnerability management,\ + \ maintenance, monitoring)\n\u2022\tThe coverage of the full life cycle of\ + \ the ICT/OT systems." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-3 + description: Legal and regulatory requirements regarding cybersecurity, including + privacy and civil liberties obligations, are understood and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: BASIC_ID.GV-3.1 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be understood and implemented. 
+ annotation: There are no additional guidelines. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 + ref_id: IMPORTANT_ID.GV-3.2 + description: Legal and regulatory requirements regarding information/cybersecurity, + including privacy obligations, shall be managed. + annotation: "\u2022\tThere should be regular reviews to ensure the continuous\ + \ compliance with legal and regulatory requirements regarding information/cybersecurity,\ + \ including privacy obligations.\n\u2022\tThis requirement also applies to\ + \ contractors and service providers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv + ref_id: ID.GV-4 + description: Governance and risk management processes address cybersecurity + risks + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: BASIC_ID.GV-4.1 + description: As part of the company's overall risk management, a comprehensive + strategy to manage information security and cybersecurity risks shall be developed + and updated when changes occur. + annotation: This strategy should include determining and allocating the required + resources to protect the organisation's business-critical assets. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 + ref_id: IMPORTANT_ID.GV-4.2 + description: "Information security and cybersecurity risks shall be documented,\ + \ formally approved, and updated when changes occur.\t" + annotation: Consider using Risk Management tools. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RA + name: Risk Assessment + description: The organization understands the cybersecurity risk to organizational + operations (including mission, functions, image, or reputation), organizational + assets, and individuals. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-1 + description: Asset vulnerabilities are identified and documented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: BASIC_ID.RA-1.1 + description: Threats and vulnerabilities shall be identified. + annotation: "\u2022\tA vulnerability refers to a weakness in the organization\u2019\ + s hardware, software, or procedures. It is a gap through which a bad actor\ + \ can gain access to the organization\u2019s assets. A vulnerability exposes\ + \ an organization to threats.\n\u2022\tA threat is a malicious or negative\ + \ event that takes advantage of a vulnerability. \n\u2022\tThe risk is the\ + \ potential for loss and damage when the threat does occur." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: IMPORTANT_ID.RA-1.2 + description: A process shall be established to monitor, identify, and document + vulnerabilities of the organisation's business critical systems in a continuous + manner. + annotation: "\u2022\tWhere safe and feasible, the use of vulnerability scanning\ + \ should be considered.\n\u2022\tThe organization should establish and maintain\ + \ a testing program appropriate to its size, complexity, and maturity." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1 + ref_id: ID.RA-1.3 + description: "To ensure that organization's operations are not adversely impacted\ + \ by the testing process, performance/load testing and penetration testing\ + \ on the organization\u2019s systems shall be conducted with care." + annotation: Consider validating security measures after each penetration test. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-2 + description: Cyber threat intelligence is received from information sharing + forums and sources + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: IMPORTANT_ID.RA-2.1 + description: ' A threat and vulnerability awareness program that includes a + cross-organization information-sharing capability shall be implemented. ' + annotation: A threat and vulnerability awareness program should include ongoing + contact with security groups and associations to receive security alerts and + advisories. (Security groups and associations include, for example, special + interest groups, forums, professional associations, news groups, and/or peer + groups of security professionals in similar organizations).This contact can + include the sharing of information about potential vulnerabilities and incidents. + This sharing capability should have an unclassified and classified information + sharing capability. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 + ref_id: ID.RA-2.2 + description: It shall be identified where automated mechanisms can be implemented + to make security alert and advisory information available to relevant organization + stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-5 + description: Threats, vulnerabilities, likelihoods, and impacts are used to + determine risk + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: BASIC_ID.RA-5.1 + description: The organization shall conduct risk assessments in which risk is + determined by threats, vulnerabilities and impact on business processes and + assets. + annotation: "\u2022\tKeep in mind that threats exploit vulnerabilities.\n\u2022\ + \tIdentify the consequences that losses of confidentiality, integrity and\ + \ availability may have on the assets and related business processes." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: IMPORTANT_ID.RA-5.2 + description: The organization shall conduct and document risk assessments in + which risk is determined by threats, vulnerabilities, impact on business processes + and assets, and the likelihood of their occurrence. + annotation: "\u2022\tRisk assessment should include threats from insiders and\ + \ external parties.\n\u2022\tQualitative and/or quantitative risk analysis\ + \ methods \n(MAPGOOD, ISO27005, CIS RAM, \u2026) can be used together with\ + \ software tooling." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 + ref_id: ID.RA-5.3 + description: Risk assessment results shall be disseminated to relevant stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra + ref_id: ID.RA-6 + description: Risk responses are identified and prioritized + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 + ref_id: IMPORTANT_ID.RA-6.1 + description: "A comprehensive strategy shall be developed and implemented to\ + \ manage risks to the organization\u2019s critical systems, that includes\ + \ the identification and prioritization of risk responses." + annotation: "\u2022\tManagement and employees should be involved in information-\ + \ and cybersecurity.\n\u2022\tIt should be identified what the most important\ + \ assets are, and how they are protected.\n\u2022\tIt should be clear what\ + \ impact will be if these assets are compromised.\n\u2022\tIt should be established\ + \ how the implementation of adequate mitigation measures will be organized." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.RM + name: Risk Management Strategy + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support operational risk decisions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-1 + description: Risk management processes are established, managed, and agreed + to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1 + ref_id: IMPORTANT_ID.RM-1.1 + description: A cyber risk management process that identifies key internal and + external stakeholders and facilitates addressing risk-related issues and information + shall be created, documented, reviewed, approved, and updated when changes + occur. + annotation: 'External stakeholders include customers, investors and shareholders, + suppliers, government agencies and the wider community. ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-2 + description: Organizational risk tolerance is determined and clearly expressed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 + ref_id: IMPORTANT_ID.RM-2.1 + description: "The organization shall clearly determine it\u2019s risk appetite." + annotation: Determination and expression of risk tolerance (risk appetite) should + be in line with the policies on information security and cybersecurity, to + facilitate demonstration of coherence between policies, risk tolerance and + measures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm + ref_id: ID.RM-3 + description: "The organization\u2019s determination of risk tolerance is informed\ + \ by its role in critical infrastructure and sector specific risk analysis" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 + ref_id: IMPORTANT_ID.RM-3.1 + description: "The organization\u2019s role in critical infrastructure and its\ + \ sector shall determine the organization\u2019s risk appetite." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id + ref_id: ID.SC + name: Supply Chain Risk Management + description: "The organization\u2019s priorities, constraints, risk tolerances,\ + \ and assumptions are established and used to support risk decisions associated\ + \ with managing supply chain risk. The organization has established and implemented\ + \ the processes to identify, assess and manage supply chain risks." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-1 + description: Cyber supply chain risk management processes are identified, established, + assessed, managed, and agreed to by organizational stakeholders + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1 + ref_id: ID.SC-1.1 + description: The organization shall document, review, approve, update when changes + occur, and implement a cyber supply chain risk management process that supports + the identification, assessment, and mitigation of the risks associated with + the distributed and interconnected nature of ICT/OT product and service supply + chains. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-2 + description: 'Suppliers and third party partners of information systems, components, + and services are identified, prioritized, and assessed using a cyber supply + chain risk assessment process ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: IMPORTANT_ID.SC-2.1 + description: "The organization shall conduct cyber supply chain risk assessments\ + \ at least annually or when a change to the organization\u2019s critical systems,\ + \ operational environment, or supply chain occurs; These assessments shall\ + \ be documented, and the results disseminated to relevant stakeholders including\ + \ those responsible for ICT/OT systems." 
+ annotation: This assessment should identify and prioritize potential negative + impacts to the organization from the risks associated with the distributed + and interconnected nature of ICT/OT product and service supply chains. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 + ref_id: ID.SC-2.2 + description: "A documented list of all the organization\u2019s suppliers, vendors\ + \ and partners who may be involved in a major incident shall be established,\ + \ kept up-to-date and made available online and offline." + annotation: This list should include suppliers, vendors and partners contact + information and the services they provide, so they can be contacted for assistance + in the event of an outage or service degradation. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-3 + description: "Contracts with suppliers and third-party partners are used to\ + \ implement appropriate measures designed to meet the objectives of an organization\u2019\ + s cybersecurity program and Cyber Supply Chain Risk Management Plan." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: IMPORTANT_ID.SC-3.1 + description: Based on the results of the cyber supply chain risk assessment, + a contractual framework for suppliers and external partners shall be established + to address sharing of sensitive information and distributed and interconnected + ICT/OT products and services. 
+ annotation: "\u2022\tEntities not subject to the NIS legislation should consider\ + \ business critical suppliers and third-party partners only.\n\u2022\tKeep\ + \ in mind that GDPR requirements need to be fulfilled when business information\ + \ contains personal data (applicable on all levels), i.e. security measures\ + \ need to be addressed in the contractual framework." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.2 + description: "Contractual information security and cybersecurity\u2019 requirements\ + \ for suppliers and third-party partners shall be implemented to ensure a\ + \ verifiable flaw remediation process, and to ensure the correction of flaws\ + \ identified during \u2018information security and cybersecurity\u2019 testing\ + \ and evaluation." + annotation: "\u2022\tInformation systems containing software (or firmware) affected\ + \ by recently announced software flaws (and potential vulnerabilities resulting\ + \ from those flaws) should be identified.\n\u2022\tNewly released security\ + \ relevant patches, service packs, and hot fixes should be installed, and\ + \ these patches, service packs, and hot fixes are tested for effectiveness\ + \ and potential side effects on the organization\u2019s information systems\ + \ before installation. Flaws discovered during security assessments, continuous\ + \ monitoring, incident response activities, or information system error handling\ + \ are also addressed expeditiously. Flaw remediation should be incorporated\ + \ into configuration management as an emergency change." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 + ref_id: ID.SC-3.3 + description: "The organization shall establish contractual requirements permitting\ + \ the organization to review the \u2018information security and cybersecurity\u2019\ + \ programs implemented by suppliers and third-party partners." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-4 + description: Suppliers and third-party partners are routinely assessed using + audits, test results, or other forms of evaluations to confirm they are meeting + their contractual obligations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: IMPORTANT_ID.SC-4.1 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing audits, test results, and other evaluations." + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 + ref_id: ID.SC-4.2 + description: "The organization shall review assessments of suppliers\u2019 and\ + \ third-party partner\u2019s compliance with contractual obligations by routinely\ + \ reviewing third-party independent audits, test results, and other evaluations." + annotation: The depth of the review should depend on the criticality of delivered + products and services. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc + ref_id: ID.SC-5 + description: Response and recovery planning and testing are conducted with suppliers + and third-party providers + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: IMPORTANT_ID.SC-5.1 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in response + and recovery planning activities. + annotation: Entities not subject to the NIS legislation could limit themselves + to business critical suppliers and third-party partners only. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 + ref_id: ID.SC-5.2 + description: The organization shall identify and document key personnel from + suppliers and third-party partners to include them as stakeholders in testing + and execution of the response and recovery plans. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + assessable: false + depth: 1 + ref_id: PR + name: PROTECT (PR) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AC + name: Identity Management, Authentication and Access Control + description: Access to physical and logical assets and associated facilities + is limited to authorized users, processes, and devices, and is managed consistent + with the assessed risk of unauthorized access to authorized activities and + transactions. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-1 + description: Identities and credentials are issued, managed, verified, revoked, + and audited for authorized devices, users and processes + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: BASIC_PR.AC-1.1 + description: 'Identities and credentials for authorized devices and users shall + be managed.' + annotation: "Identities and credentials for authorized devices and users could\ + \ be managed through a password policy. A password policy is a set of rules\ + \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\ + (Not limitative list and measures to be considered as appropriate)\n\u2022\ + \tChange all default passwords.\n\u2022\tEnsure that no one works with administrator\ + \ privileges for daily tasks.\n\u2022\tKeep a limited and updated list of\ + \ system administrator accounts.\n\u2022\tEnforce password rules, e.g. passwords\ + \ must be longer than a state-of-the-art number of characters with a combination\ + \ of character types and changed periodically or when there is any suspicion\ + \ of compromise.\n\u2022\tUse only individual accounts and never share passwords.\n\ + \u2022\tImmediately disable unused accounts\n\u2022\tRights and privileges\ + \ are managed by user groups." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: IMPORTANT_PR.AC-1.2 + description: Identities and credentials for authorized devices and users shall + be managed, where feasible through automated mechanisms. 
+ annotation: "\u2022\tAutomated mechanisms can help to support the management\ + \ and auditing of information system credentials.\n\u2022\tConsider strong\ + \ user authentication, meaning an authentication based on the use of at least\ + \ two authentication factors from different categories of either knowledge\ + \ (something only the user knows), possession (something only the user possesses)\ + \ or inherence (something the user is) that are independent, in that the breach\ + \ of one does not compromise the reliability of the others, and is designed\ + \ in such a way to protect the confidentiality of the authentication data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.3 + description: System credentials shall be deactivated after a specified period + of inactivity unless it would compromise the safe operation of (critical) + processes. + annotation: "\u2022\tTo guarantee the safe operation, service accounts should\ + \ be used for running processes and services.\n\u2022\tConsider the use of\ + \ a formal access procedure for external parties." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.4 + description: "For transactions within the organization's critical systems, the\ + \ organization shall implement:\n\u2022\tmulti-factor end-user authentication\ + \ (MFA or \"strong authentication\").\n\u2022\tcertificate-based authentication\ + \ for system-to-system communications" + annotation: Consider the use of SSO (Single Sign On) in combination with MFA + for the organization's internal and external critical systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 + ref_id: PR.AC-1.5 + description: "The organization\u2019s critical systems shall be monitored for\ + \ atypical use of system credentials. Credentials associated with significant\ + \ risk shall be disabled." + annotation: "\u2022\tConsider limiting the number of failed login attempts by\ + \ implementing automatic lockout.\n\u2022\tThe locked account won\u2019t be\ + \ accessible until it has been reset or the account lockout duration elapses." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-2 + description: Physical access to assets is managed and protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: BASIC_PR.AC-2.1 + description: Physical access to the facility, servers and network components + shall be managed. + annotation: "\u2022\tConsider to strictly manage keys to access the premises\ + \ and alarm codes. The following rules should be considered:\no\tAlways retrieve\ + \ an employee's keys or badges when they leave the company permanently.\n\ + o\tChange company alarm codes frequently.\no\tNever give keys or alarm codes\ + \ to external service providers (cleaning agents, etc.), unless it is possible\ + \ to trace these accesses and restrict them technically to given time slots.\n\ + \u2022\tConsider to not leaving internal network access outlets accessible\ + \ in public areas. These public places can be waiting rooms, corridors..." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: IMPORTANT_PR.AC-2.2 + description: The management of physical access shall include measures related + to access in emergency situations. + annotation: "\u2022\tPhysical access controls may include, for example: lists\ + \ of authorized individuals, identity credentials, escort requirements, guards,\ + \ fences, turnstiles, locks, monitoring of facility access, camera surveillance.\n\ + \u2022\tThe following measures should be considered:\no\tImplement a badge\ + \ system and create different security zones.\no\tLimit physical access to\ + \ servers and network components to authorized personnel.\no\tLog all access\ + \ to servers and network components.\n\u2022\tVisitor access records should\ + \ be maintained, reviewed and acted upon as required." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.3 + description: Physical access to critical zones shall be controlled in addition + to the physical access to the facility. + annotation: "E.g. production, R&D, organization\u2019s critical systems equipment\ + \ (server rooms\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 + ref_id: PR.AC-2.4 + description: 'Assets related to critical zones shall be physically protected. ' + annotation: "\u2022\tConsider protecting power equipment, power cabling, network\ + \ cabling, and network access interfaces from accidental damage, disruption,\ + \ and physical tampering.\n\u2022\tConsider implementing redundant and physically\ + \ separated power systems for organization\u2019s critical operations." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-3 + description: Remote access is managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.1 + description: The organisation's wireless access points shall be secured. + annotation: "Consider the following when wireless networking is used:\n\u2022\ + \tChange the administrative password upon installation of a wireless access\ + \ points.\n\u2022\tSet the wireless access point so that it does not broadcast\ + \ its Service Set Identifier (SSID).\n\u2022\tSet your router to use at least\ + \ WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced\ + \ Encryption Standard (AES) for encryption.\n\u2022\tEnsure that wireless\ + \ internet access to customers is separated from your business network.\n\u2022\ + \tConnecting to unknown or unsecured / guest wireless access points, should\ + \ be avoided, and if unavoidable done through an encrypted virtual private\ + \ network (VPN) capability.\n\u2022\tManage all endpoint devices (fixed and\ + \ mobile) according to the organization's security policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: BASIC_PR.AC-3.2 + description: The organization's networks when accessed remotely shall be secured, + including through multi-factor authentication (MFA). + annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, + remote desktop, and Virtual Private Network (VPNs). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: IMPORTANT_PR.AC-3.3 + description: "Usage restrictions, connection requirements, implementation guidance,\ + \ and authorizations for remote access to the organization\u2019s critical\ + \ systems environment shall be identified, documented and implemented. " + annotation: "Consider the following:\n\u2022\tRemote access methods include,\ + \ for example, wireless, broadband, Virtual Private Network (VPN) connections,\ + \ mobile device connections, and communications through external networks.\n\ + \u2022\tLogin credentials should be in line with company's user authentication\ + \ policies.\n\u2022\tRemote access for support activities or maintenance of\ + \ organizational assets should be approved, logged, and performed in a manner\ + \ that prevents unauthorized access.\n\u2022\tThe user should be made aware\ + \ of any remote connection to its device by a visual indication." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.4 + description: "Remote access to the organization\u2019s critical systems shall\ + \ be monitored and cryptographic mechanisms shall be implemented where determined\ + \ necessary." + annotation: This should include that only authorized use of privileged functions + from remote access is allowed. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 + ref_id: R.AC-3.5 + description: The security for connections with external systems shall be verified + and framed by documented agreements. + annotation: Access from pre-defined IP addresses could be considered. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-4 + description: Access permissions and authorizations are managed, incorporating + the principles of least privilege and separation of duties + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.1 + description: "Access permissions for users to the organization\u2019s systems\ + \ shall be defined and managed." + annotation: "The following should be considered:\n\u2022\tDraw up and review\ + \ regularly access lists per system (files, servers, software, databases,\ + \ etc.), possibly through analysis of the Active Directory in Windows-based\ + \ systems, with the objective of determining who needs what kind of access\ + \ (privileged or not), to what, to perform their duties in the organization.\n\ + \u2022\tSet up a separate account for each user (including any contractors\ + \ needing access) and require that strong, unique passwords be used for each\ + \ account.\n\u2022\tEnsure that all employees use computer accounts without\ + \ administrative privileges to perform typical work functions. This includes\ + \ separation of personal and admin accounts.\n\u2022\tFor guest accounts,\ + \ consider using the minimal privileges (e.g. internet access only) as required\ + \ for your business needs.\n\u2022\tPermission management should be documented\ + \ in a procedure and updated when appropriate.\n\u2022\tUse 'Single Sign On'\ + \ (SSO) when appropriate." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.2 + description: It shall be identified who should have access to the organization's + business's critical information and technology and the means to get access. + annotation: 'Means to get access may include: a key, password, code, or administrative + privilege.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.3 + description: 'Employee access to data and information shall be limited to the + systems and specific information they need to do their jobs (the principle + of Least Privilege).' + annotation: "The principle of Least Privilege should be understood as the principle\ + \ that a security architecture should be designed so that each employee is\ + \ granted the minimum system resources and authorizations that the employee\ + \ needs to perform its function. Consider to:\n\u2022\tNot allow any employee\ + \ to have access to all the business\u2019s information.\n\u2022\tLimit the\ + \ number of Internet accesses and interconnections with partner networks to\ + \ the strict necessary to be able to centralize and homogenize the monitoring\ + \ of exchanges more easily.\n\u2022\tEnsure that when an employee leaves the\ + \ business, all access to the business\u2019s information or systems is blocked\ + \ instantly." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: BASIC_PR.AC-4.4 + description: 'Nobody shall have administrator privileges for daily tasks.' 
+ annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\ + \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\ + \ administration tasks.\n\u2022\tCreate unique local administrator passwords\ + \ and disable unused accounts.\n\u2022\tConsider prohibiting Internet browsing\ + \ from administrative accounts." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.5 + description: Where feasible, automated mechanisms shall be implemented to support + the management of user accounts on the organisation's critical systems, including + disabling, monitoring, reporting and deleting user accounts. + annotation: Consider separately identifying each person with access to the organization's + critical systems with a username to remove generic and anonymous accounts + and access. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.6 + description: Separation of duties (SoD) shall be ensured in the management of + access rights. + annotation: "Separation of duties includes, for example:\n\u2022\tdividing operational\ + \ functions and system support functions among different roles.\n\u2022\t\ + conducting system support functions with different individuals.\n\u2022\t\ + not allow a single individual to both initiate and approve a transaction (financial\ + \ or otherwise).\n\u2022\tensuring that security personnel administering access\ + \ control functions do not also administer audit functions." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: IMPORTANT_PR.AC-4.7 + description: Priviliged users shall be managed and monitored. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.8 + description: Account usage restrictions for specific time periods and locations + shall be taken into account in the organization's security access policy and + applied accordingly. + annotation: Specific restrictions can include, for example, restricting usage + to certain days of the week, time of day, or specific durations of time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 + ref_id: PR.AC-4.9 + description: Priviliged users shall be managed, monitored and audited. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-5 + description: Network integrity is protected (e.g., network segregation, network + segmentation) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.1 + description: Firewalls shall be installed and activated on all the organization's + networks. + annotation: "Consider the following:\n\u2022\tInstall and operate a firewall\ + \ between your internal network and the Internet. 
This may be a function of\ + \ a (wireless) access point/router, or it may be a function of a router provided\ + \ by the Internet Service Provider (ISP).\n\u2022\tEnsure there is antivirus\ + \ software installed on purchased firewall solutions and ensure that the administrator\u2019\ + s log-in and administrative password is changed upon installation and regularly\ + \ thereafter.\n\u2022\tInstall, use, and update a software firewall on each\ + \ computer system (including smart phones and other networked devices).\n\u2022\ + \tHave firewalls on each of your computers and networks even if you use a\ + \ cloud service provider or a virtual private network (VPN). Ensure that for\ + \ telework home network and systems have hardware and software firewalls installed,\ + \ operational, and regularly updated.\n\u2022\tConsider installing an Intrusion\ + \ Detection / Prevention System (IDPS). These devices analyze network traffic\ + \ at a more detailed level and can provide a greater level of protection." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: BASIC_PR.AC-5.2 + description: Where appropriate, network integrity of the organization's critical + systems shall be protected by incorporating network segmentation and segregation. + annotation: "\u2022\tConsider creating different security zones in the network\ + \ (e.g. Basic network segmentation through VLAN\u2019s or other network access\ + \ control mechanisms) and control/monitor the traffic between these zones.\n\ + \u2022\tWhen the network is \"flat\", the compromise of a vital network component\ + \ can lead to the compromise of the entire network." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.3 + description: 'Where appropriate, network integrity of the organization''s critical + systems shall be protected by + (1) Identifying, documenting, and controlling connections between system components. + (2) Limiting external connections to the organization''s critical systems.' + annotation: Boundary protection mechanisms include, for example, routers, gateways, + unidirectional gateways, data diodes, and firewalls separating system components + into logically separate networks or subnetworks. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: IMPORTANT_PR.AC-5.4 + description: 'The organization shall monitor and control connections and communications + at the external boundary and at key internal boundaries within the organization''s + critical systems by implementing boundary protection devices where appropriate. ' + annotation: "Consider implementing the following recommendations:\n\u2022\t\ + Separate your public WIFI network from your business network.\n\u2022\tProtect\ + \ your business WIFI with state-of-the-art encryption.\n\u2022\tImplement\ + \ a Network Access Control (NAC) solution.\n\u2022\tEncrypt connections to\ + \ your corporate network.\n\u2022\tDivide your network according to security\ + \ levels and apply firewall rules. Isolate your networks for server administration.\n\ + \u2022\tForce VPN on public networks.\n\u2022\tImplement a closed policy for\ + \ security gateways (deny all policy: only allow/open connections that have\ + \ been explicitly pre-authorized)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.5 + description: The organization shall implement, where feasible, authenticated + proxy servers for defined communications traffic between the organization's + critical systems and external networks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 + ref_id: PR.AC-5.6 + description: The organization shall ensure that the organization's critical + systems fail safely when a border protection device fails operationally. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-6 + description: Identities are proofed and bound to credentials and asserted in + interactions + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: IMPORTANT_PR.AC-6.1 + description: The organization shall implement documented procedures for verifying + the identity of individuals before issuing credentials that provide access + to organization's systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 + ref_id: PR.AC-6.2 + description: The organization shall ensure the use of unique credentials bound + to each verified user, device, and process interacting with the organization's + critical systems; make sure that they are authenticated, and that the unique + identifiers are captured when performing system interactions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac + ref_id: PR.AC-7 + description: "Users, devices, and other assets are authenticated (e.g., single-factor,\ + \ multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019\ + \ security and privacy risks and other organizational risks)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 + ref_id: IMPORTANT_PR.AC-7.1 + description: "The organization shall perform a documented risk assessment on\ + \ organization's critical system transactions and authenticate users, devices,\ + \ and other assets (e.g., single-factor, multi-factor) commensurate with the\ + \ risk of the transaction (e.g., individuals\u2019 security and privacy risks\ + \ and other organizational risks)." + annotation: Consider a security-by-design approach for new systems; For existing + systems a separate risk assessment should be used. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.AT + name: Awareness and Training + description: "The organization\u2019s personnel and partners are provided cybersecurity\ + \ awareness education and are trained to perform their cybersecurity-related\ + \ duties and responsibilities consistent with related policies, procedures,\ + \ and agreements." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-1 + description: 'All users are informed and trained ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.at-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: BASIC_PR.AT-1.1 + description: Employees shall be trained as appropriate. + annotation: "\u2022\tEmployees include all users and managers of the ICT/OT\ + \ systems, and they should be trained immediately when hired and regularly\ + \ thereafter about the company\u2019s information security policies and what\ + \ they will be expected to do to protect company\u2019s business information\ + \ and technology.\n\u2022\tTraining should be continually updated and reinforced\ + \ by awareness campaigns." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: IMPORTANT_PR.AT-1.2 + description: The organization shall incorporate insider threat recognition and + reporting into security awareness training. 
+ annotation: "Consider to:\n\u2022\tCommunicate and discuss regularly to ensure\ + \ that everyone is aware of their responsibilities.\n\u2022\tDevelop an outreach\ + \ program by gathering in a document the messages you want to convey to your\ + \ staff (topics, audiences, objectives, etc.) and your communication rhythm\ + \ on a calendar (weekly, monthly, one-time, etc.). Communicate continuously\ + \ and in an engaging way, involving management, IT colleagues, the ICT service\ + \ provider and HR and Communication managers.\n\u2022\tCover topics such as:\ + \ recognition of fraud attempts, phishing, management of sensitive information,\ + \ incidents, etc. The goal is for all employees to understand ways to protect\ + \ company information.\n\u2022\tDiscuss with your management, your ICT colleagues,\ + \ or your ICT service provider some practice scenarios (e.g. what to do if\ + \ a virus alert is triggered, if a storm cuts off the power, if data is blocked,\ + \ if an account is hacked, etc.), determine what behaviours to adopt, document\ + \ and communicate them to all your staff. The central point of contact in\ + \ the event of an incident should be known to all.\n\u2022\tOrganize a simulation\ + \ of a scenario to test your knowledge. Consider performing the exercise for\ + \ example at least once a year." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1 + ref_id: PR.AT-1.3 + description: The organization shall implement an evaluation method to measure + the effectiveness of the awareness trainings. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-2 + description: 'Privileged users understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 + ref_id: IMPORTANT_PR.AT-2.1 + description: Privileged users shall be qualified before privileges are granted, + and these users shall be able to demonstrate the understanding of their roles, + responsibilities, and authorities. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-3 + description: 'Third-party stakeholders (e.g., suppliers, customers, partners) + understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.1 + description: "The organization shall establish and enforce security requirements\ + \ for business-critical third-party providers and users.\t" + annotation: "Enforcement should include that \u2018third party stakeholder\u2019\ + -users (e.g. suppliers, customers, partners) can demonstrate the understanding\ + \ of their roles and responsibilities." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.2 + description: "Third-party providers shall be required to notify any personnel\ + \ transfers, termination, or transition involving personnel with physical\ + \ or logical access to organization's business critical system's components.\t" + annotation: Third-party providers include, for example, service providers, contractors, + and other organizations providing system development, technology services, + outsourced applications, or network and security management. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: IMPORTANT_PR.AT-3.3 + description: The organization shall monitor business critical service providers + and users for security compliance. + annotation: Third party audit results can be used as audit evidence. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 + ref_id: PR.AT-3.4 + description: The organization shall audit business-critical external service + providers for security compliance. + annotation: Third party audit results can be used as audit evidence. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-4 + description: 'Senior executives understand their roles and responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 + ref_id: IMPORTANT_PR.AT-4.1 + description: Senior executives shall demonstrate the understanding of their + roles, responsibilities, and authorities. + annotation: Guidance on role profiles along with their identified titles, missions, + tasks, skills, knowledge, competences is available in the "European Cybersecurity + Skills Framework Role Profiles" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles + ) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at + ref_id: PR.AT-5 + description: 'Physical and cybersecurity personnel understand their roles and + responsibilities ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 + ref_id: IMPORTANT_PR.AT-5.1 + description: The organization shall ensure that personnel responsible for the + physical protection and security of the organization's critical systems and + facilities are qualified through training before privileges are granted, and + that they understand their responsibilities. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.DS + name: Data Security + description: "Information and records (data) are managed consistent with the\ + \ organization\u2019s risk strategy to protect the confidentiality, integrity,\ + \ and availability of information." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-1 + description: Data-at-rest is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1 + ref_id: PR.DS-1.1 + description: "The organization shall protect its critical system information\ + \ determined to be critical/ sensitive while at rest.\t" + annotation: "\u2022\tConsider using encryption techniques for data storage,\ + \ data transmission or data transport (e.g., laptop, USB).\n\u2022\tConsider\ + \ encrypting end-user devices and removable media containing sensitive data\ + \ (e.g. hard disks, laptops, mobile device, USB storage devices, \u2026).\ + \ This could be done by e.g. Windows BitLocker\xAE, VeraCrypt, Apple FileVault\xAE\ + , Linux\xAE dm-crypt,\u2026\n\u2022\tConsider encrypting sensitive data stored\ + \ in the cloud. The below measures should be considered:\n\u2022\tImplement\ + \ dedicated safeguards to prevent unauthorized access, distortion, or modification\ + \ of system data and audit records (e.g. restricted access rights, daily backups,\ + \ data encryption, firewall installation).\n\u2022\tEncrypt hard drives, external\ + \ media, stored files, configuration files and data stored in the cloud." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-2 + description: Data-in-transit is protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 + ref_id: PR.DS-2.1 + description: The organization shall protect its critical system information + determined to be critical when in transit. + annotation: When the organization often sends sensitive documents or e-mails, + it is recommended to encrypt those documents and/or e-mails with appropriate, + supported, and authorized software tools. If you send sensitive documents + or emails, you may want to consider encrypting those documents and/or emails + with appropriate, supported, and authorized software tools. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-3 + description: Assets are formally managed throughout removal, transfers, and + disposition + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ds-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: BASIC_PR.DS-3.1 + description: Assets and media shall be disposed of safely. + annotation: "\u2022\tWhen eliminating tangible assets like business computers/laptops,\ + \ servers, hard drive(s) and other storage media (USB drives, paper\u2026\ + ), ensure that all sensitive business or personal data are securely deleted\ + \ (i.e. electronically \u201Cwiped\u201D) before they are removed and then\ + \ physically destroyed (or re-commissioned). 
This is also known as \u201C\ + sanitization\u201D and thus related to the requirement and guidance in PR.IP-6.\n\ + \u2022\tConsider installing a remote-wiping application on company laptops,\ + \ tablets, cell phones, and other mobile devices." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.2 + description: The organization shall enforce accountability for all its business-critical + assets throughout the system lifecycle, including removal, transfers, and + disposition. + annotation: "Accountability should include:\n\u2022\tThe authorization for business-critical\ + \ assets to enter and exit the facility.\n\u2022\tMonitoring and maintaining\ + \ documentation related to the movements of business-critical assets." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: IMPORTANT_PR.DS-3.3 + description: The organization shall ensure that the necessary measures are taken + to deal with loss, misuse, damage, or theft of assets. + annotation: "This can be done by policies, processes & procedures (reporting),\ + \ technical & organizational means (encryption, Access Control (AC), Mobile\ + \ Device Management (MDM), monitoring, secure wipe, awareness, signed user\ + \ agreement, guidelines & manuals, backups, inventory update \u2026)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 + ref_id: PR.DS-3.4 + description: The organization shall ensure that disposal actions are approved, + tracked, documented, and verified. 
+ annotation: Disposal actions include media sanitization actions (See PR.IP-6) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-4 + description: Adequate capacity to ensure availability is maintained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.1 + description: Capacity planning shall ensure adequate resources for organization's + critical system information processing, networking, telecommunications, and + data storage. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: IMPORTANT_PR.DS-4.2 + description: Audit data from the organization's critical systems shall be moved + to an alternative system. + annotation: Be aware that log services can become a bottleneck and hinder the + correct functioning of the source systems. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 + ref_id: PR.DS-4.3 + description: "The organization\u2019s critical systems shall be protected against\ + \ denial-of-service attacks or at least the effect of such attacks will be\ + \ limited." + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-5 + description: Protections against data leaks are implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 + ref_id: IMPORTANT_PR.DS-5.1 + description: The organization shall take appropriate actions resulting in the + monitoring of its critical systems at external borders and critical internal + points when unauthorized access and activities, including data leakage, is + detected. + annotation: "\u2022\tConsider implementing dedicated protection measures (restricted\ + \ access rights, daily backups, data encryption, installation of firewalls,\ + \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\ + \ configuration of the central directory (Active Directory in Windows environment),\ + \ with specific focus on the access to data of key persons in the company." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-6 + description: Integrity checking mechanisms are used to verify software, firmware, + and information integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: IMPORTANT_PR.DS-6.1 + description: The organization shall implement software, firmware, and information + integrity checks to detect unauthorized changes to its critical system components + during storage, transport, start-up and when determined necessary. 
+ annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.2 + description: The organization shall implement automated tools where feasible + to provide notification upon discovering discrepancies during integrity verification. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 + ref_id: PR.DS-6.3 + description: The organization shall implement automatic response capability + with pre-defined security safeguards when integrity violations are discovered. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-7 + description: The development and testing environment(s) are separate from the + production environment + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 + ref_id: PR.DS-7.1 + description: The development and test environment(s) shall be isolated from + the production environment. + annotation: "\u2022\tAny change one wants to make to the ICT/OT environment\ + \ should first be tested in an environment that is different and separate\ + \ from the production environment (operational environment) before that change\ + \ is effectively implemented . 
That way, the effect of those changes can be\ + \ analysed and adjustments can be made without disrupting operational activities.\n\ + \u2022\tConsider adding and testing cybersecurity features as early as during\ + \ development (secure development lifecycle principles). \u2022\tAny change\ + \ one wants to make to the ICT/OT environment should first be tested in an\ + \ environment that is different and separate from the production environment\ + \ (operational environment) before that change is effectively implemented\ + \ . That way, the effect of those changes can be analysed and adjustments\ + \ can be made without disrupting operational activities.\n\u2022\tConsider\ + \ adding and testing cybersecurity features as early as during development\ + \ (secure development lifecycle principles)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds + ref_id: PR.DS-8 + description: Integrity checking mechanisms are used to verify hardware integrity + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.1 + description: The organization shall implement hardware integrity checks to detect + unauthorized tampering to its critical system's hardware. + annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity + checks, cyclical redundancy checks, cryptographic hashes) and associated tools + can automatically monitor the integrity of information systems and hosted + applications. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 + ref_id: PR.DS-8.2 + description: The organization shall incorporate the detection of unauthorized + tampering to its critical system's hardware into the organization incident + response capability. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.IP + name: Information Protection Processes and Procedures + description: 'Security policies (that address purpose, scope, roles, responsibilities, + management commitment, and coordination among organizational entities), processes, + and procedures are maintained and used to manage protection of information + systems and assets.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-1 + description: A baseline configuration of information technology/industrial control + systems is created and maintained incorporating security principles (e.g. + concept of least functionality) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: IMPORTANT_PR.IP-1.1 + description: 'The organization shall develop, document, and maintain a baseline + configuration for the its business critical systems. 
' + annotation: "\u2022\tThis control includes the concept of least functionality.\n\ + \u2022\tBaseline configurations include for example, information about organization's\ + \ business critical systems, current version numbers and patch information\ + \ on operating systems and applications, configuration settings/parameters,\ + \ network topology, and the logical placement of those components within the\ + \ system architecture.\n\u2022\tNetwork topology should include the nerve\ + \ points of the IT/OT environment (external connections, servers hosting data\ + \ and/or sensitive functions, DNS services security, etc.)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 + ref_id: PR.IP-1.2 + description: The organization shall configure its business-critical systems + to provide only essential capabilities; Therefore the baseline configuration + shall be reviewed, and unnecessary capabilities disabled. + annotation: "\u2022\tConfiguration of a system to provide only organization-defined\ + \ mission essential capabilities is known as the \u201Cconcept of least functionality\u201D\ + .\n\u2022\tCapabilities include functions, ports, protocols, software, and/or\ + \ services." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-2 + description: A System Development Life Cycle to manage systems is implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: IMPORTANT_PR.IP-2.1 + description: The system and application development life cycle shall include + security considerations. 
+ annotation: "\u2022\tSystem and application development life cycle should include\ + \ the acquisition process of the organization's business critical systems\ + \ and its components.\n\u2022\tVulnerability awareness and prevention training\ + \ for (web application) developers, and advanced social engineering awareness\ + \ training for high-profile roles should be considered.\n\u2022\tWhen hosting\ + \ internet facing applications the implementation of a web application firewall\ + \ (WAF) should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 + ref_id: PR.IP-2.2 + description: The development process for critical systems and system components + shall cover the full design cycle and shall provide a description of the functional + properties of security controls, and design and implementation information + for security-relevant system interfaces. + annotation: "The development cycle includes:\n\u2022\tAll development phases:\ + \ specification , design, development, implementation.\n\u2022\tConfiguration\ + \ management for planned and unplanned changes and change control during the\ + \ development.\n\u2022\tFlaw tracking & resolution.\n\u2022\tSecurity testing." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-3 + description: Configuration change control processes are in place + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: IMPORTANT_PR.IP-3.1 + description: Changes shall be tested and validated before being implemented + into operational systems. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 + ref_id: PR.IP-3.2 + description: For planned changes to the organization's critical systems, a security + impact analysis shall be performed in a separate test environment before implementation + in an operational environment. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-4 + description: 'Backups of information are conducted, maintained, and tested ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: BASIC_PR.IP-4.1 + description: Backups for organization's business critical data shall be conducted + and stored on a system different from the device on which the original data + resides + annotation: "\u2022\tOrganization's business critical system's data includes\ + \ for example software, configurations and settings, documentation, system\ + \ configuration data including computer configuration backups, application\ + \ configuration backups, etc.\n\u2022\tConsider a regular backup and put it\ + \ offline periodically.\n\u2022\tRecovery time and recovery point objectives\ + \ should be considered.\n\u2022\tConsider not storing the organization's data\ + \ backup on the same network as the system on which the original data resides\ + \ and provide an offline copy. Among other things, this prevents file encryption\ + \ by hackers (risk of ransomware)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.2 + description: The reliability and integrity of backups shall be verified and + tested on regular basis. + annotation: This should include regularly testing of the backup restore procedures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: IMPORTANT_PR.IP-4.3 + description: A separate alternate storage site for system backups shall be operated + and the same security safeguards as the primary storage location shall be + employed. + annotation: An offline backup of your data is ideally stored in a separate physical + location from the original data source and where feasible offsite for extra + protection and security. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.4 + description: Backup verification shall be coordinated with the functions in + the organization that are responsible for related plans. + annotation: "\u2022\tRelated plans include, for example, Business Continuity\ + \ Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications\ + \ Plans, Critical Infrastructure Plans, and Cyber Incident response plans.\n\ + \u2022\tRestoration of backup data during contingency plan testing should\ + \ be provided." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 + ref_id: PR.IP-4.5 + description: Critical system backup shall be separated from critical information + backup. 
+ annotation: Seperation of critical system backup from critical information backup + should lead to a shorter recovery time. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-5 + description: Policy and regulations regarding the physical operating environment + for organizational assets are met + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: IMPORTANT_PR.IP-5.1 + description: The organization shall define, implement, and enforce policy and + procedures regarding emergency and safety systems, fire protection systems, + and environment controls for its critical systems. + annotation: "The below measures should be considered:\n\u2022\tProtect unattended\ + \ computer equipment with padlocks or a locker and key system.\n\u2022\tFire\ + \ suppression mechanisms should take the organization's critical system environment\ + \ into account (e.g., water sprinkler systems could be hazardous in specific\ + \ environments)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 + ref_id: PR.IP-5.2 + description: The organization shall implement fire detection devices that activate + and notify key personnel automatically in the event of a fire. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-6 + description: Data is destroyed according to policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: IMPORTANT_PR.IP-6.1 + description: The organization shall ensure that its critical system's data is + destroyed according to policy. + annotation: "\u2022\tDisposal actions include media sanitization actions (See\ + \ PR.DS-3)\n\u2022\tThere are two primary types of media in common use:\n\ + o\tHard copy media (physical representations of information)\no\tElectronic\ + \ or soft copy media (the bits and bytes contained in hard drives, random\ + \ access memory (RAM), read-only memory (ROM), disks, memory devices, phones,\ + \ mobile computing devices, networking equipment\u2026)" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 + ref_id: PR.IP-6.2 + description: Sanitation processes shall be documented and tested. + annotation: "\u2022\tSanitation processes include procedures and equipment.\n\ + \u2022\tConsider applying non-destructive sanitization techniques to portable\ + \ storage devices.\n\u2022\tConsider sanitation procedures in proportion to\ + \ confidentiality requirements." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-7 + description: Protection processes are improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: IMPORTANT_PR.IP-7.1 + description: The organization shall incorporate improvements derived from the + monitoring, measurements, assessments, and lessons learned into protection + process updates (continuous improvement). + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.2 + description: The organization shall implement independent teams to assess the + protection process(es). + annotation: 'Independent teams, for example, may include internal or external + impartial personnel. + + Impartiality implies that assessors are free from any perceived or actual + conflicts of interest regarding the development, operation, or management + of the organization''s critical system under assessment or to the determination + of security control effectiveness.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 + ref_id: PR.IP-7.3 + description: The organization shall ensure that the security plan for its critical + systems facilitates the review, testing, and continual improvement of the + security protection processes. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-8 + description: 'Effectiveness of protection technologies is shared ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.1 + description: The organization shall collaborate and share information about + its critical system's related security incidents and mitigation measures with + designated partners. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.2 + description: Communication of effectiveness of protection technologies shall + be shared with appropriate parties. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 + ref_id: IMPORTANT_PR.IP-8.3 + description: The organization shall implement, where feasible, automated mechanisms + to assist in information collaboration. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-9 + description: Response plans (Incident Response and Business Continuity) and + recovery plans (Incident Recovery and Disaster Recovery) are in place and + managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-9.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: IMPORTANT_PR.IP-9.1 + description: Incident response plans (Incident Response and Business Continuity) + and recovery plans (Incident Recovery and Disaster Recovery) shall be established, + maintained, approved, and tested to determine the effectiveness of the plans, + and the readiness to execute the plans. + annotation: "\u2022\tThe incident response plan is the documentation of a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tPlans should incorporate recovery\ + \ objectives, restoration priorities, metrics, contingency roles, personnel\ + \ assignments and contact information.\n\u2022\tMaintaining essential functions\ + \ despite system disruption, and the eventual restoration of the organization\u2019\ + s systems, should be addressed.\n\u2022\tConsider defining incident types,\ + \ resources and management support needed to effectively maintain and mature\ + \ the incident response and contingency capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 + ref_id: PR.IP-9.2 + description: The organization shall coordinate the development and the testing + of incident response plans and recovery plans with stakeholders responsible + for related plans. 
+ annotation: Related plans include, for example, Business Continuity Plans, Disaster + Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, + Critical Infrastructure Plans, Cyber incident response plans, and Occupant + Emergency Plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-11 + description: Cybersecurity is included in human resources practices (e.g., deprovisioning, + personnel screening) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-11.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: BASIC_PR.IP-11.1 + description: "Personnel having access to the organization\u2019s most critical\ + \ information or technology shall be verified." + annotation: "\u2022\tThe access to critical information or technology should\ + \ be considered when recruiting, during employment and at termination.\n\u2022\ + \tBackground verification checks should take into consideration applicable\ + \ laws, regulations, and ethics in proportion to the business requirements,\ + \ the classification of the information to be accessed and the perceived risks." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-11.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 + ref_id: IMPORTANT_PR.IP-11.2 + description: Develop and maintain a human resource information/cyber security + process that is applicable when recruiting, during employment and at termination + of employment. 
+ annotation: "The human resource information/cyber security process should include\ + \ access to critical information or technology; background verification checks;\ + \ code of conduct; roles, authorities, and responsibilities\u2026" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip + ref_id: PR.IP-12 + description: A vulnerability management plan is developed and implemented + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-12.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 + ref_id: IMPORTANT_PR.IP-12.1 + description: The organization shall establish and maintain a documented process + that allows continuous review of vulnerabilities and strategies to mitigate + them. + annotation: "\u2022\tConsider inventorying sources likely to report vulnerabilities\ + \ in the identified components and distribute updates (software publisher\ + \ websites, CERT website, ENISA website).\n\u2022\tThe organization should\ + \ identify where its critical system's vulnerabilities may be exposed to adversaries." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.MA + name: Maintenance + description: Maintenance and repairs of industrial control and information system + components are performed consistent with policies and procedures. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-1 + description: Maintenance and repair of organizational assets are performed and + logged, with approved and controlled tools + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ma-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: BASIC_PR.MA-1.1 + description: Patches and security updates for Operating Systems and critical + system components shall be installed. + annotation: "The following should be considered:\n\u2022\tLimit yourself to\ + \ only install those applications (operating systems, firmware, or plugins\ + \ ) that you need to run your business and patch/update them regularly.\n\u2022\ + \tYou should only install a current and vendor-supported version of software\ + \ you choose to use. It may be useful to assign a day each month to check\ + \ for patches.\n\u2022\tThere are products which can scan your system and\ + \ notify you when there is an update for an application you have installed.\ + \ If you use one of these products, make sure it checks for updates for every\ + \ application you use.\n\u2022\tInstall patches and security updates in a\ + \ timely manner." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.2 + description: The organization shall plan, perform and document preventive maintenance + and repairs on its critical system components according to approved processes + and tools. + annotation: 'Consider the below measures: + (1) Perform security updates on all software in a timely manner. + (2) Automate the update process and audit its effectiveness. 
+ (3) Introduce an internal patching culture on desktops, mobile devices, servers, + network components, etc. to ensure updates are tracked.' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.3 + description: The organization shall enforce approval requirements, control, + and monitoring of maintenance tools for use on the its critical systems. + annotation: Maintenance tools can include, for example, hardware/software diagnostic + test equipment, hardware/software packet sniffers and laptops. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: IMPORTANT_PR.MA-1.4 + description: The organization shall verify security controls following hardware + maintenance or repairs, and take action as appropriate. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.5 + description: The organization shall prevent the unauthorized removal of maintenance + equipment containing organization's critical system information. + annotation: This requirement maily focuses mainly on OT/ICS environments. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.6 + description: 'Maintenance tools and portable storage devices shall be inspected + when brought into the facility and shall be protected by anti-malware solutions + so that they are scanned for malicious code before they are used on organization''s + systems.' + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1 + ref_id: PR.MA-1.7 + description: The organization shall verify security controls following hardware + and software maintenance or repairs/patching and take action as appropriate. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma + ref_id: PR.MA-2 + description: Remote maintenance of organizational assets is approved, logged, + and performed in a manner that prevents unauthorized access + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.1 + description: Remote maintenance shall only occur after prior approval, monitoring + to avoid unauthorised access, and approval of the outcome of the maintenance + activities as described in approved processes or procedures. + annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: IMPORTANT_PR.MA-2.2 + description: The organization shall make sure that strong authenticators, record + keeping, and session termination for remote maintenance is implemented. 
+ annotation: No additional guidance on this topic + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 + ref_id: PR.MA-2.3 + description: The organization shall require that diagnostic services pertaining + to remote maintenance be performed from a system that implements a security + capability comparable to the capability implemented on the equivalent organization's + critical system. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr + ref_id: PR.PT + name: Protective Technology + description: Technical security solutions are managed to ensure the security + and resilience of systems and assets, consistent with related policies, procedures, + and agreements. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-1 + description: Audit/log records are determined, documented, implemented, and + reviewed in accordance with policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: BASIC_PR.PT-1.1 + description: ' Logs shall be maintained, documented, and reviewed.' + annotation: "\u2022\tEnsure the activity logging functionality of protection\ + \ / detection hardware or software (e.g. firewalls, anti-virus) is enabled.\n\ + \u2022\tLogs should be backed up and saved for a predefined period.\n\u2022\ + \tThe logs should be reviewed for any unusual or unwanted trends, such as\ + \ a large use of social media websites or an unusual number of viruses consistently\ + \ found on a particular computer. 
These trends may indicate a more serious\ + \ problem or signal the need for stronger protections in a particular area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: IMPORTANT_PR.PT-1.2 + description: 'The organization shall ensure that the log records include an + authoritative time source or internal clock time stamp that are compared and + synchronized to an authoritative time source. ' + annotation: Authoritative time sources include for example, an internal Network + Time Protocol (NTP) server, radio clock, atomic clock, GPS time source. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.3 + description: "The organization shall ensure that audit processing failures on\ + \ the organization's systems generate alerts and trigger defined responses.\t" + annotation: The use of System Logging Protocol (Syslog) servers can be considered. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1 + ref_id: PR.PT-1.4 + description: The organization shall enable authorized individuals to extend + audit capabilities when required by events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-2 + description: Removable media is protected and its use restricted according to + policy + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.1 + description: The usage restriction of portable storage devices shall be ensured + through an appropriate documented policy and supporting safeguards. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: IMPORTANT_PR.PT-2.2 + description: The organisation should technically prohibit the connection of + removable media unless strictly necessary; in other instances, the execution + of autoruns from such media should be disabled. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 + ref_id: PR.PT-2.3 + description: Portable storage devices containing system data shall be controlled + and protected while in transit and in storage. + annotation: Protection and control should include the scanning of all portable + storage devices for malicious code before they are used on organization's + systems. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-3 + description: The principle of least functionality is incorporated by configuring + systems to provide only essential capabilities + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: IMPORTANT_PR.PT-3.1 + description: The organization shall configure the business critical systems + to provide only essential capabilities. + annotation: Consider applying the principle of least functionality to access + systems and assets (see also PR.AC-4). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.2 + description: The organization shall disable defined functions, ports, protocols, + and services within its critical systems that it deems unnecessary. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 + ref_id: PR.PT-3.3 + description: The organization shall implement technical safeguards to enforce + a deny-all, permit-by-exception policy to only allow the execution of authorized + software programs. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt + ref_id: PR.PT-4 + description: Communications and control networks are protected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: BASIC_PR.PT-4.1 + description: Web and e-mail filters shall be installed and used. + annotation: "\u2022\tE-mail filters should detect malicious e-mails, and filtering\ + \ should be configured based on the type of message attachments so that files\ + \ of the specified types are automatically processed (e.g. deleted).\n\u2022\ + \tWeb-filters should notify the user if a website may contain malware and\ + \ potentially preventing users from accessing that website." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.2 + description: The organization shall control the information flows/data flows + within its critical systems and between interconnected systems. + annotation: "Consider the following:\n\u2022\tInformation flow may be supported,\ + \ for example, by labelling or colouring physical connectors as an aid to\ + \ manual hook-up.\n\u2022\tInspection of message content may enforce information\ + \ flow policy. For example, a message containing a command to an actuator\ + \ may not be permitted to flow between the control network and any other network.\n\ + \u2022\tPhysical addresses (e.g., a serial port) may be implicitly or explicitly\ + \ associated with labels or attributes (e.g., hardware I/O address). Manual\ + \ methods are typically static. 
Label or attribute policy mechanisms may be\ + \ implemented in hardware, firmware, and software that controls or has device\ + \ access, such as device drivers and communications controllers." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 + ref_id: PR.PT-4.3 + description: The organization shall manage the interface for external communication + services by establishing a traffic flow policy, protecting the confidentiality + and integrity of the information being transmitted; This includes the review + and documenting of each exception to the traffic flow policy. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + assessable: false + depth: 1 + ref_id: DE + name: DETECT (DE) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.AE + name: Anomalies and Events + description: Anomalous activity is detected and the potential impact of events + is understood. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-1 + description: A baseline of network operations and expected data flows for users + and systems is established and managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1 + ref_id: DE.AE-1.1 + description: The organization shall ensure that a baseline of network operations + and expected data flows for its critical systems is developed, documented + and maintained to track events. 
+ annotation: "\u2022\tConsider enabling local logging on all your systems and\ + \ network devices and keep them for a certain period, for example up to 6\ + \ months.\n\u2022\tEnsure that your logs contain enough information (source,\ + \ date, user, timestamp, etc.) and that you have enough storage space for\ + \ their generation.\n\u2022\tConsider centralizing your logs.\n\u2022\tConsider\ + \ deploying a Security Information and Event Management tool (SIEM) that will\ + \ facilitate the correlation and analysis of your data." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-2 + description: Detected events are analyzed to understand attack targets and methods + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: IMPORTANT_DE.AE-2.1 + description: The organization shall review and analyze detected events to understand + attack targets and methods. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 + ref_id: DE.AE-2.2 + description: 'The organization shall implement automated mechanisms where feasible + to review and analyze detected events. ' + annotation: Consider to review your logs regularly to identify anomalies or + abnormal events. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-3 + description: Event data are collected and correlated from multiple sources and + sensors + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.ae-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: BASIC_DE.AE-3.1 + description: "The activity logging functionality of protection / detection hardware\ + \ or software \n(e.g. firewalls, anti-virus) shall be enabled, backed-up and\ + \ reviewed." + annotation: "\u2022\tLogs should be backed up and saved for a predefined period.\n\ + \u2022\tThe logs should be reviewed for any unusual or unwanted trends, such\ + \ as a large use of social media websites or an unusual number of viruses\ + \ consistently found on a particular computer. These trends may indicate a\ + \ more serious problem or signal the need for stronger protections in a particular\ + \ area." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: IMPORTANT_DE.AE-3.2 + description: The organization shall ensure that event data is compiled and correlated + across its critical systems using various sources such as event reports, audit + monitoring, network monitoring, physical access monitoring, and user/administrator + reports. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 + ref_id: DE.AE-3.3 + description: The organization shall integrate analysis of events where feasible + with the analysis of vulnerability scanning information; performance data; + its critical system's monitoring, and facility monitoring to further enhance + the ability to identify inappropriate or unusual activity. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-4 + description: Impact of events is determined + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 + ref_id: DE.AE-4.1 + description: "Negative impacts to organization\u2019s operations, assets, and\ + \ individuals resulting from detected events shall be determined and correlated\ + \ with risk assessment outcomes." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae + ref_id: DE.AE-5 + description: Incident alert thresholds are established + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.1 + description: The organization shall implement automated mechanisms and system + generated alerts to support event detection and to assist in the identification + of security alert thresholds. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 + ref_id: IMPORTANT_DE.AE-5.2 + description: The organization shall define incident alert thresholds. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.CM + name: Security Continuous Monitoring + description: The information system and assets are monitored to identify cybersecurity + events and verify the effectiveness of protective measures. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-1 + description: The network is monitored to detect potential cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: BASIC_DE.CM-1.1 + description: Firewalls shall be installed and operated on the network boundaries + and completed with firewall protection on the endpoints. + annotation: "\u2022\tEndpoints include desktops, laptops, servers...\n\u2022\ + \tConsider, where feasible, including smart phones and other networked devices\ + \ when installing and operating firewalls.\n\u2022\tConsider limiting the\ + \ number of interconnection gateways to the Internet." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: IMPORTANT_DE.CM-1.2 + description: The organization shall monitor and identify unauthorized use of + its business critical systems through the detection of unauthorized local + connections, network connections and remote connections. 
+ annotation: "\u2022\tMonitoring of network communications should happen at the\ + \ external boundary of the organization's business critical systems and at\ + \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\ + \ facing applications the implementation of a web application firewall (WAF)\ + \ should be considered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1 + ref_id: DE.CM-1.3 + description: "The organization shall conduct ongoing security status monitoring\ + \ of its network to detect defined information/cybersecurity events and indicators\ + \ of potential information/cybersecurity events.\t" + annotation: "Security status monitoring should include:\n\u2022\tThe generation\ + \ of system alerts when indications of compromise or potential compromise\ + \ occur.\n\u2022\tDetection and reporting of atypical usage of organization's\ + \ critical systems.\n\u2022\tThe establishment of audit records for defined\ + \ information/cybersecurity events.\n\u2022\tBoosting system monitoring activity\ + \ whenever there is an indication of increased risk.\n\u2022\tPhysical environment,\ + \ personnel, and service provider." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-2 + description: The physical environment is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: IMPORTANT_DE.CM-2.1 + description: The physical environment of the facility shall be monitored for + potential information/cybersecurity events. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 + ref_id: DE.CM-2.2 + description: The physical access to organization's critical systems and devices + shall be, on top of the physical access monitoring to the facility, increased + through physical intrusion alarms, surveillance equipment, independent surveillance + teams. + annotation: It is recommended to log all visitors. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-3 + description: Personnel activity is monitored to detect potential cybersecurity + events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: BASIC_DE.CM-3.1 + description: End point and network protection tools to monitor end-user behavior + for dangerous activity shall be implemented. + annotation: Consider deploying an Intrusion Detection/Prevention system (IDS/IPS). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.2 + description: End point and network protection tools that monitor end-user behavior + for dangerous activity shall be managed. + annotation: Consider using a centralized log platform for the consolidation + and exploitation of log files. Consider to actively investigate the alerts + generated because of suspicious activities and take the appropriate actions + to remediate the threat, e.g. through the deployment of a security operations + centre (SOC). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 + ref_id: IMPORTANT_DE.CM-3.3 + description: Software usage and installation restrictions shall be enforced. + annotation: Only authorized software should be used and user access rights should + be limited to the specific data, resources and applications needed to complete + a required task (least privilege principle). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-4 + description: Malicious code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: BASIC_DE.CM-4.1 + description: Anti-virus, -spyware, and other -malware programs shall be installed + and updated. + annotation: "\u2022\tMalware includes viruses, spyware, and ransomware and should\ + \ be countered by installing, using, and regularly updating anti-virus and\ + \ anti-spyware software on every device used in company\u2019s business (including\ + \ computers, smart phones, tablets, and servers).\n\u2022\tAnti-virus and\ + \ anti-spyware software should automatically check for updates in \u201Creal-time\u201D\ + \ or at least daily followed by system scanning as appropriate.\n\u2022\t\ + It should be considered to provide the same malicious code protection mechanisms\ + \ for home computers (e.g. teleworking) or personal devices that are used\ + \ for professional work (BYOD)." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 + ref_id: DE.CM-4.2 + description: The organisation shall set up a system to detect false positives + while detecting and eradicating malicious code. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-5 + description: Unauthorized mobile code is detected + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 + ref_id: IMPORTANT_DE.CM-5.1 + description: The organization shall define acceptable and unacceptable mobile + code and mobile code technologies; and authorize, monitor, and control the + use of mobile code within the system. + annotation: "\u2022\tMobile code includes any program, application, or content\ + \ that can be transmitted across a network (e.g., embedded in an email, document,\ + \ or website) and executed on a remote system. Mobile code technologies include\ + \ for example Java applets, JavaScript, HTML5, WebGL, and VBScript.\n\u2022\ + \tDecisions regarding the use of mobile code in organizational systems should\ + \ be based on the potential for the code to cause damage to the systems if\ + \ used maliciously. Usage restrictions and implementation guidance should\ + \ apply to the selection and use of mobile code installed." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-6 + description: External service provider activity is monitored to detect potential + cybersecurity events + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.1 + description: All external connections by vendors supporting IT/OT applications + or infrastructure shall be secured and actively monitored to ensure that only + permissible actions occur during the connection. + annotation: This monitoring includes unauthorized personnel access, connections, + devices, and software. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 + ref_id: IMPORTANT_DE.CM-6.2 + description: External service providers' conformance with personnel security + policies and procedures and contract security requirements shall be monitored + relative to their cybersecurity risks. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-7 + description: Monitoring for unauthorized personnel, connections, devices, and + software is performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-7.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: IMPORTANT_DE.CM-7.1 + description: The organization's business critical systems shall be monitored + for unauthorized personnel access, connections, devices, access points, and + software. 
+ annotation: "\u2022\tUnauthorized personnel access includes access by external\ + \ service providers.\n\u2022\tSystem inventory discrepancies should be included\ + \ in the monitoring.\n\u2022\tUnauthorized configuration changes to organization's\ + \ critical systems should be included in the monitoring." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 + ref_id: DE.CM-7.2 + description: Unauthorized configuration changes to organization's systems shall + be monitored and addressed with the appropriate mitigation actions. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm + ref_id: DE.CM-8 + description: Vulnerability scans are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.1 + description: The organization shall monitor and scan for vulnerabilities in + its critical systems and hosted applications ensuring that system functions + are not adversely impacted by the scanning process. + annotation: Consider the implementation of a continuous vulnerability scanning + program; Including reporting and mitigation plans. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 + ref_id: IMPORTANT_DE.CM-8.2 + description: The vulnerability scanning process shall include analysis, remediation, + and information sharing. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de + ref_id: DE.DP + name: Detection Processes + description: Detection processes and procedures are maintained and tested to + ensure awareness of anomalous events. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-2 + description: Detection activities comply with all applicable requirements + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2 + ref_id: IMPORTANT_DE.DP-2.1 + description: The organization shall conduct detection activities in accordance + with applicable federal and regional laws, industry regulations and standards, + policies, and other applicable requirements. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-3 + description: Detection processes are tested + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 + ref_id: IMPORTANT_DE.DP-3.1 + description: The organization shall validate that event detection processes + are operating as intended. + annotation: "\u2022\tValidation includes testing.\n\u2022\tValidation should\ + \ be demonstrable." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-4 + description: Event detection information is communicated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 + ref_id: IMPORTANT_DE.DP-4.1 + description: The organization shall communicate event detection information + to predefined parties. + annotation: Event detection information includes for example, alerts on atypical + account usage, unauthorized remote access, wireless connectivity, mobile device + connection, altered configuration settings, contrasting system component inventory, + use of maintenance tools and nonlocal maintenance, physical access, temperature + and humidity, equipment delivery and removal, communications at the information + system boundaries, use of mobile code, use of Voice over Internet Protocol + (VoIP), and malware disclosure. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp + ref_id: DE.DP-5 + description: Detection processes are continuously improved + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: IMPORTANT_DE.DP-5.1 + description: Improvements derived from the monitoring, measurement, assessment, + testing, review, and lessons learned, shall be incorporated into detection + process revisions. + annotation: "\u2022\tThis results in a continuous improvement of the detection\ + \ processes.\n\u2022\tThe use of independent teams to assess the detection\ + \ process could be considered." 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 + ref_id: DE.DP-5.2 + description: The organization shall conduct specialized assessments including + in-depth monitoring, vulnerability scanning, malicious user testing, insider + threat assessment, performance/load testing, and verification and validation + testing on the organization's critical systems. + annotation: These activities can be outsourced, preferably to accredited organizations. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + assessable: false + depth: 1 + ref_id: RS + name: RESPOND (RS) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.RP + name: Response Planning + description: Response processes and procedures are executed and maintained, + to ensure response to detected cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp + ref_id: RS.RP-1 + description: Response plan is executed during or after an incident + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1 + ref_id: BASIC_RS.RP-1.1 + description: An incident response process, including roles, responsibilities, + and authorities, shall be executed during or after an information/cybersecurity + event on the organization's critical systems. 
+ annotation: "\u2022\tThe incident response process should include a predetermined\ + \ set of instructions or procedures to detect, respond to, and limit consequences\ + \ of a malicious cyber-attack.\n\u2022\tThe roles, responsibilities, and authorities\ + \ in the incident response plan should be specific on involved people, contact\ + \ info, different roles and responsibilities, and who makes the decision to\ + \ initiate recovery procedures as well as who will be the contact with appropriate\ + \ external stakeholders. It should be considered to determine the causes of\ + \ an information/cybersecurity event and implement a corrective action in\ + \ order that the event does not recur or occur elsewhere (an infection by\ + \ malicious code on one machine did not have spread elsewhere in the network).\ + \ The effectiveness of any corrective action taken should be reviewed. Corrective\ + \ actions should be appropriate to the effects of the information/cybersecurity\ + \ event encountered.\nInternal Note: Requirements are covered in PR.IP-9" + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.CO + name: Communications + description: Response activities are coordinated with internal and external + stakeholders (e.g. external support from law enforcement agencies). 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-1 + description: Personnel know their roles and order of operations when a response + is needed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1 + ref_id: IMPORTANT_RS.CO-1.1 + description: The organization shall ensure that personnel understand their roles, + objectives, restoration priorities, task sequences (order of operations) and + assignment responsibilities for event response. + annotation: Consider the use the CCB Incident Management Guide to guide you + through this exercise and consider bringing in outside experts if needed. + Test your plan regularly and adjust it after each incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-2 + description: Incidents are reported consistent with established criteria + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: IMPORTANT_RS.CO-2.1 + description: The organization shall implement reporting on information/cybersecurity + incidents on its critical systems in an organization-defined time frame to + organization-defined personnel or roles. + annotation: All users should have a single point of contact to report any incident + and be encouraged to do so. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 + ref_id: RS.CO-2.2 + description: Events shall be reported consistent with established criteria. 
+ annotation: Criteria to report should be included in the incident response plan. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-3 + description: Information is shared consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: BASIC_RS.CO-3.1 + description: "Information/cybersecurity incident information shall be communicated\ + \ and shared with the organization\u2019s employees in a format that they\ + \ can understand." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 + ref_id: IMPORTANT_RS.CO-3.2 + description: The organization shall share information/cybersecurity incident + information with relevant stakeholders as foreseen in the incident response + plan. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-4 + description: Coordination with stakeholders occurs consistent with response + plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 + ref_id: IMPORTANT_RS.CO-4.1 + description: The organization shall coordinate information/cybersecurity incident + response actions with all predefined stakeholders. 
+ annotation: "\u2022\tStakeholders for incident response include for example,\ + \ mission/business owners, organization's critical system owners, integrators,\ + \ vendors, human resources offices, physical and personnel security offices,\ + \ legal departments, operations personnel, and procurement offices.\n\u2022\ + \tCoordination with stakeholders occurs consistent with incident response\ + \ plans." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co + ref_id: RS.CO-5 + description: 'Voluntary information sharing occurs with external stakeholders + to achieve broader cybersecurity situational awareness ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 + ref_id: IMPORTANT_RS.CO-5.1 + description: "The organization shall share information/cybersecurity event information\ + \ voluntarily, as appropriate, with external stakeholders, industry security\ + \ groups,\u2026 to achieve broader information/cybersecurity situational awareness." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.AN + name: Analysis + description: Analysis is conducted to ensure effective response and support + recovery activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-1 + description: Notifications from detection systems are investigated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: IMPORTANT_RS.AN-1.1 + description: The organization shall investigate information/cybersecurity-related + notifications generated from detection systems. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1 + ref_id: RS.AN-1.2 + description: The organization shall implement automated mechanisms to assist + in the investigation and analysis of information/cybersecurity-related notifications. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-2 + description: The impact of the incident is understood + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: IMPORTANT_RS.AN-2.1 + description: Thorough investigation and result analysis shall be the base for + understanding the full implication of the information/cybersecurity incident. + annotation: "\u2022\tResult analysis can involve the outcome of determining\ + \ the correlation between the information of the detected event and the outcome\ + \ of risk assessments. 
In this way, insight is gained into the impact of the\ + \ event across the organization.\n\u2022\tConsider including detection of\ + \ unauthorized changes to its critical systems in its incident response capabilities." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 + ref_id: RS.AN-2.2 + description: The organization shall implement automated mechanisms to support + incident impact analysis. + annotation: Implementation could vary from a ticketing system to a Security + Information and Event Management (SIEM). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-3 + description: Forensics are performed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.1 + description: The organization shall provide on-demand audit review, analysis, + and reporting for after-the-fact investigations of information/cybersecurity + incidents. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 + ref_id: RS.AN-3.2 + description: The organization shall conduct forensic analysis on collected information/cybersecurity + event information to determine root cause. + annotation: Consider to determine the root cause of an incident. If necessary, + use forensics analysis on collected information/cybersecurity event information + to achieve this. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-4 + description: Incidents are categorized consistent with response plans + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-4.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 + ref_id: IMPORTANT_RS.AN-4.1 + description: Information/cybersecurity incidents shall be categorized according + to the level of severity and impact consistent with the evaluation criteria + included the incident response plan. + annotation: "\u2022\tIt should be considered to determine the causes of an information/cybersecurity\ + \ incident and implement a corrective action in order that the incident does\ + \ not recur or occur elsewhere.\n\u2022\tThe effectiveness of any corrective\ + \ action taken should be reviewed.\n\u2022\tCorrective actions should be appropriate\ + \ to the effects of the information/cybersecurity incident encountered." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an + ref_id: RS.AN-5 + description: Processes are established to receive, analyze and respond to vulnerabilities + disclosed to the organization from internal and external sources (e.g. internal + testing, security bulletins, or security researchers) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-5.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: IMPORTANT_RS.AN-5.1 + description: 'The organization shall implement vulnerability management processes + and procedures that include processing, analyzing and remedying vulnerabilities + from internal and external sources. ' + annotation: Internal and external sources could be e.g. 
internal testing, security + bulletins, or security researchers. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 + ref_id: RS.AN-5.2 + description: The organization shall implement automated mechanisms to disseminate + and track remediation efforts for vulnerability information, captured from + internal and external sources, to key stakeholders. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.MI + name: Mitigation + description: Activities are performed to prevent expansion of an event, mitigate + its effects, and resolve the incident. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi + ref_id: RS.MI-1 + description: Incidents are contained + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.mi-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1 + ref_id: IMPORTANT_RS.MI-1.1 + description: The organization shall implement an incident handling capability + for information/cybersecurity incidents on its business critical systems that + includes preparation, detection and analysis, containment, eradication, recovery + and documented risk acceptance. 
+ annotation: A documented risk acceptance deals with risks that the organisation + assesses as not dangerous to the organisation's business critical systems + and where the risk owner formally accepts the risk (related with the risk + appetite of the organization) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs + ref_id: RS.IM + name: Improvements + description: Organizational response activities are improved by incorporating + lessons learned from current and previous detection/response activities. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-1 + description: Response plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: BASIC_RS.IM-1.1 + description: The organization shall conduct post-incident evaluations to analyse + lessons learned from incident response and recovery, and consequently improve + processes / procedures / technologies to enhance its cyber resilience. + annotation: Consider bringing involved people together after each incident and + reflect together on ways to improve what happened, how it happened, how we + reacted, how it could have gone better, what should be done to prevent it + from happening again, etc. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1 + ref_id: IMPORTANT_RS.IM-1.2 + description: Lessons learned from incident handling shall be translated into + updated or new incident handling procedures that shall be tested, approved + and trained. + annotation: No additional guidance on this topic. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im + ref_id: RS.IM-2 + description: Response and Recovery strategies are updated + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 + ref_id: IMPORTANT_RS.IM-2.1 + description: The organization shall update the response and recovery plans + to address changes in its context. + annotation: "The organization\u2019s context relates to the organizational structure,\ + \ its critical systems, attack vectors, new threats, improved technology,\ + \ environment of operation, problems encountered during plan implementation/execution/testing\ + \ and lessons learned." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + assessable: false + depth: 1 + ref_id: RC + name: RECOVER (RC) + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.RP + name: Recovery Planning + description: Recovery processes and procedures are executed and maintained to + ensure restoration of systems or assets affected by cybersecurity incidents. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp + ref_id: RC.RP-1 + description: 'Recovery plan is executed during or after a cybersecurity incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rc.rp-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: BASIC_RC.RP-1.1 + description: A recovery process for disasters and information/cybersecurity + incidents shall be developed and executed as appropriate. 
+ annotation: "A process should be developed for what immediate actions will be\ + \ taken in case of a fire, medical emergency, burglary, natural disaster,\ + \ or an information/cyber security incident.\nThis process should consider:\n\ + \u2022\tRoles and Responsibilities, including of who makes the decision to\ + \ initiate recovery procedures and who will be the contact with appropriate\ + \ external stakeholders.\n\u2022\tWhat to do with company\u2019s information\ + \ and information systems in case of an incident. This includes shutting down\ + \ or locking computers, moving to a backup site, physically removing important\ + \ documents, etc.\n\u2022\tWho to call in case of an incident." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1 + ref_id: RC.RP-1.2 + description: "The essential organization\u2019s functions and services shall\ + \ be continued with little or no loss of operational continuity and continuity\ + \ shall be sustained until full system restoration." + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.IM + name: Improvements + description: Recovery planning and processes are improved by incorporating lessons + learned into future activities. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im + ref_id: RC.IM-1 + description: Recovery plans incorporate lessons learned + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.im-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1 + ref_id: IMPORTANT_RC.IM-1.1 + description: The organization shall incorporate lessons learned from incident + recovery activities into updated or new system recovery procedures and, after + testing, frame this with appropriate training. + annotation: No additional guidance on this topic. + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc + ref_id: RC.CO + name: Communications + description: Restoration activities are coordinated with internal and external + parties (e.g. coordinating centers, Internet Service Providers, owners of + attacking systems, victims, other CSIRTs, and vendors). + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-1 + description: Public relations are managed + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-1.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: IMPORTANT_RC.CO-1.1 + description: The organization shall centralize and coordinate how information + is disseminated and manage how the organization is presented to the public. 
+ annotation: "Public relations management may include, for example, managing\ + \ media interactions, coordinating and logging all requests for interviews,\ + \ handling and \u2018triaging\u2019 phone calls and e-mail requests, matching\ + \ media requests with appropriate and available internal experts who are ready\ + \ to be interviewed, screening all of information provided to the media, ensuring\ + \ personnel are familiar with public relations and privacy policies." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1 + ref_id: RC.CO-1.2 + description: A Public Relations Officer shall be assigned. + annotation: "The Public Relations Officer should consider the use of pre-define\ + \ external contacts \n(e.g. press, regulators, interest groups)." + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-2 + description: 'Reputation is repaired after an incident ' + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 + ref_id: RC.CO-2.1 + description: The organization shall implement a crisis response strategy to + protect the organization from the negative consequences of a crisis and help + restore its reputation. + annotation: Crisis response strategies include, for example, actions to shape + attributions of the crisis, change perceptions of the organization in crisis, + and reduce the negative effect generated by the crisis. 
+ - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co + ref_id: RC.CO-3 + description: Recovery activities are communicated to internal and external stakeholders + as well as executive and management teams + - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-3.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 + ref_id: IMPORTANT_RC.CO-3.1 + description: The organization shall communicate recovery activities to predefined + stakeholders, executive and management teams. + annotation: Communication of recovery activities to all relevant stakeholders + applies only to entities subject to the NIS legislation. diff --git a/tools/ccb/cff.xlsx b/tools/ccb/cff.xlsx new file mode 100644 index 000000000..b3c9936c7 Binary files /dev/null and b/tools/ccb/cff.xlsx differ
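Review bot: the assurance level of an assessable node is carried only in the `ref_id`/`urn` prefix, and inconsistently so: `IMPORTANT_DE.CM-6.1` and `BASIC_RS.RP-1.1` are prefixed, while `DE.CM-7.2`, `DE.DP-5.2`, `RS.CO-2.2`, `RS.AN-1.2`, `RS.AN-3.1`, `RS.AN-3.2`, `RS.AN-5.2`, `RC.RP-1.2`, `RC.CO-1.2` and `RC.CO-2.1` have no prefix at all, so a consumer cannot tell which level those belong to without out-of-band knowledge; consider a dedicated field on every assessable node (or one consistent prefix scheme for all levels) so the level is queryable instead of parsed out of the identifier. Smaller points in the same hunk: several single-quoted descriptions keep a trailing space (`'Voluntary information sharing occurs ... situational awareness '`, `'Recovery plan is executed during or after a cybersecurity incident '`, `'Reputation is repaired after an incident '`) that will surface in any rendering; the `BASIC_RS.RP-1.1` annotation ends with `Internal Note: Requirements are covered in PR.IP-9`, which reads like an authoring note that should not ship in user-facing guidance; the placeholder `No additional guidance on this topic.` is repeated on every node without guidance, where simply omitting `annotation` would let the UI decide how to render the empty case; and a typo pass is due before merge ("included the incident response plan" in `IMPORTANT_RS.AN-4.1`, "Consider the use the CCB Incident Management Guide" in `IMPORTANT_RS.CO-1.1`, "pre-define external contacts \n" with a stray line break in `RC.CO-1.2`).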
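Review bot: `tools/ccb/cff.xlsx` is added as an opaque binary with nothing in the diff tying it to the generated `ccb-cff-2023-03-01.yaml` (no conversion script, no source or version for the spreadsheet), so a reviewer cannot check that the YAML matches the sheet or regenerate it after one of the corrections above; add or reference the script that produced the YAML and record where the spreadsheet came from, and consider whether the binary needs to live in the repository at all.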