diff --git a/backend/library/libraries/ccf-v5.yaml b/backend/library/libraries/ccf-v5.yaml
new file mode 100644
index 000000000..e7ce020eb
--- /dev/null
+++ b/backend/library/libraries/ccf-v5.yaml
@@ -0,0 +1,9769 @@
+urn: urn:intuitem:risk:library:adobe-ccf-v5
+locale: en
+ref_id: adobe-ccf-v5
+name: Adobe CCF v5
+description: 'Adobe Common Controls Framework (CCF) version 5
+
+ https://www.adobe.com/trust/compliance/adobe-ccf.html
+
+ '
+copyright: Creative Commons
+version: 1
+provider: Adobe
+packager: intuitem
+objects:
+ framework:
+ urn: urn:intuitem:risk:framework:adobe-ccf-v5
+ ref_id: adobe-ccf-v5
+ name: Adobe CCF v5
+ description: 'Adobe Common Controls Framework (CCF) version 5
+
+ https://www.adobe.com/trust/compliance/adobe-ccf.html
+
+ '
+ requirement_nodes:
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
+ assessable: false
+ depth: 1
+ name: Asset Management
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01
+ assessable: true
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2
+ ref_id: AM-01
+ name: Inventory Management
+ description: Organization maintains an inventory of information systems, which
+ is reconciled on a periodic basis.
+ annotation: '1. Design and document a process for maintaining an inventory of
+ information systems for management of assets within an organization.
+
+ 2. Perform inventory reconciliation on a periodic basis.
+
+ 3. Create and maintain periodic reconciliation documentation.'
+ typical_evidence: 'E-AM-01 - Asset Management Policy
+
+ E-AM-02 - Asset Inventory
+
+ E-AM-03 - Asset Reconciliation Records'
+ question:
+ question_type: unique_choice
+ question_choices: &id001
+ - 'Yes'
+ - 'No'
+ - N/A
+ questions:
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:1
+ text: 1. Inspect the policy and standard to determine whether requirements
+ for maintaining and reconciling a system of inventory for information
+ systems are defined.
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:2
+ text: 2. Observe the inventory of system devices to determine whether the
+ organization maintains the inventory in a system of record.
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:3 + text: 3. Inspect periodic reconciliation documentation to determine whether + reconciliation was performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-02 + name: 'Inventory Management: Applications' + description: Organization maintains an inventory of application assets, which + is reconciled on a periodic basis. + annotation: '1. Design and document a process for maintaining an inventory of + application assets for management of assets within an organization. + + 2. Perform inventory reconciliation on a periodic basis. + + 3. Create and maintain periodic reconciliation documentation.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-02 - Asset Inventory + + E-AM-03 - Asset Reconciliation Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:1 + text: 1. Inspect the policy and standard to determine whether requirements + for maintaining and reconciling a system of inventory for application + assets are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:2 + text: 2. Observe the inventory of system devices to determine whether the + organization maintains the inventory in a system of record. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:3 + text: 3. Inspect periodic reconciliation documentation to determine whether + reconciliation was performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-03 + name: 'Inventory Reconciliation: ARP Table' + description: Organization reconciles network discovery scans against the established + device inventory on a quarterly basis; non-inventoried devices are assigned + an owner. 
+ annotation: '1. Design and document a process for conducting network discovery + scans on a periodic basis. + + 2. Ensure the results of the scans are reconciled with the system asset inventory + at least quarterly. + + 3. Ensure necessary actions are taken to include non-inventoried assets in + the inventory with appropriate ownership details.' + typical_evidence: 'E-AM-04 - Network Discovery Scan Records + + E-AM-03 - Asset Reconciliation Records + + E-AM-02 - Asset Inventory' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:1 + text: '1. Inspect network discovery scans result to ensure periodic scans + were conducted. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:2 + text: 2. Observe the reconciliation report of network discovery scans against + the established device inventory to determine that the inventories are + reconciled on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:3 + text: 3. Inspect the device inventory to ensure non-inventoried devices + have been added and have a designed owner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-04 + name: 'Inventory Reconciliation: Logging' + description: Organization reconciles the enterprise log repository against the + established device inventory on a quarterly basis; non-inventoried devices + are assigned an owner. + annotation: '1. Ensure logs from enterprise logging solutions are reconciled + with the system device asset inventory on a quarterly basis. + + 2. 
Ensure necessary actions are taken to include non-inventoried assets in + the inventory with appropriate ownership details' + typical_evidence: 'E-AM-03 - Asset Reconciliation Records + + E-AM-02 - Asset Inventory' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04:question:1 + text: 1. Inspect the reconciliation report of enterprise log repository + against the established device inventory to determine that the inventories + are reconciled on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04:question:2 + text: 2. Inspect the non-inventoried devices to determine that the assets + have a designed owner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-05 + name: Inventory Labels + description: Organization assets are labeled and have designated owners. + annotation: '1. Ensure all assets in the system device asset inventory are assigned + appropriate labels as per the organization''s labelling procedures. + + 2. Ensure each asset has an assigned owner and accuracy is maintained.' + typical_evidence: 'E-AM-02 - Asset Inventory + + E-AM-01 - Asset Management Policy' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:1 + text: 1. Inspect documentation to determine whether requirements for asset + labelling ownership assessment are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:2 + text: 2. Inspect the asset listings to determine whether the assets are + labelled and have a designated owner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:3 + text: 3. For a sample of services, inspect the asset reports to determine + asset are labelled and have a designated owner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:4 + text: 4. Observe and compare physical assets at an organization's data center + to determine whether the assets were labelled according to in-scope asset + listings. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-06 + name: Media Marking + description: Where applicable, Organization marks information system media indicating + the distribution limitations, handling caveats, and applicable security markings + (if any) of the information. Exemptions must be approved by management and + remain in a specific controlled area. + annotation: '1. Ensure that a process is established and documented for media + marking and handling, including distribution limitation. + + 2. Ensure that sensitive information containing media is marked as per the + organization''s media marking requirements as applicable. + + 3. Ensure that any exceptions are approved by management, documented and retained + by authorized personnel.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-05 - Evidence of Media Snapshots' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06:question:1 + text: 1. Inspect information system media marking to indicate the distribution + limitations, handling caveats, and applicable security markings (if any) + of the information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06:question:2 + text: 2. Inspect exemption cases to validate that it must be approved by + management and remain in a specific area. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-07 + name: Asset Transportation Authorization + description: Organization authorizes and records the entry and exit of systems + at datacenter locations. + annotation: '1. Ensure a process is established and documented to control the + transport of assets in and out of data center locations. + + 2. Ensure appropriate records and approvals are obtained and maintained against + entry and exit of each asset.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-06 - Asset Movement Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07:question:1 + text: 1. Inspect the policy and/or standard to determine whether requirements + have been established to authorize and record the entry and exit of systems + at datacenter locations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07:question:2 + text: 2. Inspect evidence of asset movement from a sample of data centers + and colocations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-08 + name: Asset Transportation Documentation + description: Organization documents the transportation of physical media outside + of datacenters. Physical media is packaged securely and transported in a secure, + traceable manner. + annotation: '1. Ensure appropriate records and approvals are obtained and documented + against entry and exit of each asset. + + 2. Ensure all assets being transported are secured as per the organization''s + policy and can be tracked when offsite.' 
+ typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-06 - Asset Movement Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08:question:1 + text: 1. Inspect the policy and/or standard to determine whether the transportation + of physical media outside of datacenters are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08:question:2 + text: 2. Inspect the logs of physical media evidence that have been transported + to determine that physical media is packed securely and transported in + a secure, traceable manner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-09 + name: Use of Portable Media + description: The use of portable media in Organization datacenters is prohibited + unless explicitly authorized by management. + annotation: '1. Ensure policy and procedures are established and communicated + prohibiting the use of portable media. + + 2. Ensure necessary controls are in place to detect the usage of portable + media inside the organization''s network. + + 3. Ensure any exceptions are documented based on business justification and + need and are approved appropriately.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-07 - Portable Media Configuration Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09:question:1 + text: 1. Inspect the policy and/or standard to determine that the use of + portable media in the datacenters is prohibited unless explicitly authorized + by management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09:question:2 + text: 2. Inspect Configurations to detect the use of portable media. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-10 + name: Maintenance of Assets + description: Equipment maintenance is documented and approved according to management + requirements. + annotation: '1. Ensure a process is established and documented for maintenance + of assets. + + 2. Ensure all maintenance is approved by the management and is carried out + through approved vendors. + + 3. Ensure proper testing of equipment is conducted post maintenance before + use.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-08 - Asset Maintenance Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10:question:1 + text: 1. Inspect the policy and/or standard to determine whether management + requirements have been established for the documentation and approval + of equipment maintenance. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10:question:2 + text: 2. Inspect equipment maintenance requests to determine whether equipment + maintenance is documented and approved according to management requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-11 + name: Tampering of Payment Card Capture Devices + description: Devices that physically capture payment card data are inspected + for evidence of tampering on a semi-annual basis. + annotation: '1. Ensure all payment card devices are inspected on semiannual + basis to check for tampering. + + 2. 
Ensure that appropriate documentation is maintained regarding maintenance + activities of these devices' + typical_evidence: E-AM-09 - Payment Card Device Verification Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11:question:1 + text: 1. Inspect devices verification records for tampering check. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11:question:2 + text: 2. Inspect and validate whether these verification were done at least + semi-annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-12 + name: 'Component Installation: Inspection and Approval' + description: Prior to installation in a production network, hardware components + are inspected for improper or unauthorized modifications. + annotation: '1. Ensure a process is established and documented for approval + of hardware prior to installation on production. + + 2. Ensure each asset is inspected with agreed on procedures before being enabled + on production.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-10 - Hardware Installation Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12:question:1 + text: 1. Validate if a process exists for the approval and verification + of hardware prior to production installation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12:question:2 + text: 2. Inspect hardware components installation records in a production + network to determine that modifications were validated before installation. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-13 + name: Software bill of Material + description: Organization maintains a comprehensive software bill of materials + annotation: '1. Ensure a Software bill of material is established. + + 2. Ensure that a process has been established and documented for the addition, + removal, and update of components from SBOM.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-11 - Software Bill of Materials' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13:question:1 + text: 1. Inspect and validate that a Software bill of material is established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13:question:2 + text: 2. Validate that a process has been established and documented for + addition, removal, and update of components from SBOM. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + assessable: false + depth: 1 + name: Business Continuity + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-01 + name: Business Continuity Plan + description: Organization's business contingency plan is periodically reviewed, + approved by management and communicated to relevant team members. + annotation: '1. Design and document a process for Business Continuity and Disaster + Recovery. + + 2. Define steps for recovery with all roles and responsibilities in the Business + Continuity Plan. + + 3. Ensure that the Business Continuity Plan is approved by the process owners, + and is communicated to all the relevant team members.' 
+ typical_evidence: 'E-BC-01 - Business Continuity Policy + + E-BC-02 - Business Continuity Plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:1 + text: 1. Inspect and validate whether the Business Continuity and Disaster + Recovery Processes are designed and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:2 + text: "2. Inspect Organization's Business Continuity Plan (\u201CBCP\u201D\ + ) to determine whether Organization has established recovery steps and\ + \ phases, recovery capabilities, and identified personnel responsible\ + \ to execute recovery procedures." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:3 + text: "3. Inspect the most recent version of Organization\u2019s BCP to\ + \ determine whether it is periodically reviewed and approved." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:4 + text: "4. Inspect the corporate intranet to determine whether Organization\u2019\ + s BCP is communicated to relevant team members." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-02 + name: 'Business Continuity Plan: Personal Health Information' + description: Organization's Business Contingency Plan addresses how to access + facilities and obtain data during an emergency. + annotation: 1. Ensure that steps to be followed in case of an emergency are + clearly mentioned in the Business Continuity Plan so that access to the facilities + and data is facilitated during an emergency. + typical_evidence: E-BC-02 - Business Continuity Plan + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-02:question:1 + text: 1. 
Inspect an organization's Business Contingency Plan to determine + whether Organization has addresses how to access facilities and obtain + data during an emergency. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-03 + name: 'Business Continuity Plan: Roles and Responsibilities' + description: Business contingency roles and responsibilities are assigned to + individuals and their contact information is communicated to authorized personnel. + annotation: '1. Check that roles and responsibilities are clearly defined in + the Business Continuity Plan. There should be proper demarcation of responsibilities + during each phase of the crisis. + + 2. Ensure that the contact information for all the stakeholders is defined + within Business Continuity Plan and should be up to date, documented, and + communicated to all authorized personnel. + + 3. Ensure that people with roles and responsibilities within Business Continuity + Plans are well aware of their responsibilities.' + typical_evidence: E-BC-02 - Business Continuity Plan + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:1 + text: 1. Inspect documentation consisting of business contingency roles + and responsibilities. . + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:2 + text: 2. Inspect whether the contact information of personnel with business + continuity responsibilities are documented within the Business Continuity + Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:3 + text: 3. 
Inspect evidence to check whether roles and responsibilities are + communicated to all applicable stakeholders and audience + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-04 + name: Continuity Testing + description: "Organization performs business contingency and disaster recovery\ + \ tests on a periodic basis and ensures the following: \n\u2022 tests are\ + \ executed with relevant contingency teams\n\u2022 test results are documented\n\ + \u2022 corrective actions are taken for exceptions noted\n\u2022 plans are\ + \ updated based on results" + annotation: '1. Ensure that Business Continuity testing should be performed + on a periodic basis as per the organization policy. + + 2. The business continuity testing should emulate the Business Continuity + Plan and should check the coverage and efficiency of the plan. All the relevant + team preparedness should be assessed in this testing. + + 3. Ensure that the test results are documented, and any exceptions are noted + and appropriate corrective action is undertaken.' + typical_evidence: E-BC-03 - Business Continuity/Disaster Recovery Test Results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:1 + text: 1. Inspect whether Business Continuity Testing was performed on a + periodic basis as per the organization's policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:2 + text: 2. Inspect the most recent BCP test and inspect DR tests results to + determine whether tests were executed and results were documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:3 + text: 3. Validate whether the results of the testing exercises were tracked + to remediation. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-05 + name: Business Impact Analysis + description: Organization identifies the business impact of relevant threats + to assets, infrastructure, and resources that support critical business functions. + Recovery objectives are established for critical business functions. + annotation: "1. Design and document a process for conducting Business Impact\ + \ Analysis to determine the criticality of business activities and associated\ + \ resource requirements.\n2. Ensure that BIA is conducted for all processes\ + \ and assets to identify criticality.\n3. Ensure that recovery objectives\ + \ are established for critical processes.\n " + typical_evidence: 'E-BC-01 - Business Continuity Policy + + E-BC-02 - Business Continuity Plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05:question:1 + text: 1. Inspect and validate whether a documented process exists for conducting + Business Impact Analysis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05:question:2 + text: 2. Inspect Business Impact Analysis to determine whether the threats + to assets, infrastructure, and resources are identified and the recovery + objectives are established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-06 + name: Capacity Forecasting + description: Budgets for infrastructure capacity are established based on analysis + of historical business activity and growth projections; purchases are made + against the established budget and plans are updated on a quarterly basis. + annotation: "1. 
Ensure that capacity forecasts are created based on the business\ + \ forecasts, growth projections and analysis of historic business activity.\n\ + \ \n2. Ensure that budget allocation is done for infrastructure and resources\ + \ basis Capacity forecasts." + typical_evidence: E-BC-05 - Capacity Planning Meeting Minutes + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06:question:1 + text: 1. Inspect and validate whether capacity planning was done and forecasts + were created. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06:question:2 + text: 2. Validate whether budgets were established and capacity forecasts + were taken into the account for the same. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + assessable: false + depth: 1 + name: Backup Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-01 + name: Backup Configuration + description: Organization configures redundant systems or performs periodic + backups of data to resume system operations in the event of a system failure. + annotation: '1. Ensure that Backup and Restoration process is established, documented + and communicated to all the relevant stakeholders. + + 2. Ensure that all the information systems have redundancy or should be backed + up periodically. Periodicity of the backup should be defined basis the criticality + of the information system and data. + + 3. Check the backup configuration for all the storage/database resources whether + on-prem or on cloud. + + 4. Ensure that alert are in place for backup failures and all backup failures + are handled appropriately.' 
+ typical_evidence: 'E-BM-01 - Backup Management Policy + + E-BM-07 - Backup Configuration Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:1 + text: 1. Inspect documentation to determine whether requirements for the + configuration of redundant systems or performance of periodic backups + of data to resume system operations are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:2 + text: 2.Inspect redundancy or system backup configurations for production + systems to determine type, frequency, and storage of backups. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:3 + text: 3. Inspect sample alerts for failed backups and validate the remediation + steps. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-02 + name: Resilience Testing + description: Organization performs annual backup restoration or data replication + tests to confirm the reliability and integrity of system backups or recovery + operations. + annotation: "1. Ensure that the requirement for backup restoration testing is\ + \ defined and documented appropriately. \n2. Ensure that backup restoration\ + \ testing is performed on an annual basis and ensure that the integrity of\ + \ backup restores are maintained. " + typical_evidence: 'E-BM-01 - Backup Management Policy + + E-BM-02 - Backup Restoration Test Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02:question:1 + text: 1. Inspect relevant documentation to determine whether requirements + for annual backup restoration or failover and failback tests have been + defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02:question:2 + text: 2. 
Inspect annual backup restoration, or failover and failback tests + to determine whether Organization has tested the reliability and integrity + of system backups. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-03 + name: Backup Failure Review + description: Failed backup jobs are periodically reviewed and resolved in a + timely manner. + annotation: "1. Ensure that alert are sent to the system administrators in case\ + \ of backup failures.\n 2. All backup failures should be handled appropriately\ + \ and resolved in a timely manner." + typical_evidence: 'E-BM-03 - Evidence of Failed Backup Review + + E-BM-06 - Sample Alerts for Backup Failure' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:1 + text: 1. Inspect whether failed backup jobs are being reviewed periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:2 + text: 2. Inspect alerts are configured to notify administrators if backup + fails. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:3 + text: 3. Inspect and validate the remediation process for failed backups. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-04 + name: Alternate Storage + description: Organization backups are securely stored in an alternate location + from source data. + annotation: '1. Ensure that the backups are stored in an alternate location + than the source data. + + 2. Ensure that access to the backups is restricted and backups are stored + securely.' + typical_evidence: E-BM-04 - Backup Configuration Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04:question:1 + text: 1. 
Inspect whether backups are stored in a different location than + the source data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04:question:2 + text: 2. Inspect evidence showing that backups are secured and access in + restricted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-05 + name: Alternate Telecommunication + description: Alternate telecommunication service agreements have been established + to resume business when the primary service gets disrupted. Service agreements + contain priority of service provisions. + annotation: '1. Ensure that alternate telecommunication service agreements are + defined to resume business when the primary service gets disrupted. + + 2. The priority of the service provisions should be defined in the service + agreements.' + typical_evidence: E-BM-05 - Alternate Telecommunications Agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05:question:1 + text: 1. Inspect whether alternate telecommunication service agreements + are defined to resume business when the primary service gets disrupted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05:question:2 + text: 2. Inspect documentation to determine that the Service agreements + contain priority of service provisions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + assessable: false + depth: 1 + name: Configuration Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-01 + name: Baseline Configuration Standard + description: Organization ensures security hardening and baseline configuration + standards have been established according to industry standards and are reviewed + and updated periodically. + annotation: "1. 
Prepare and maintain Security hardening and Baseline configuration\ + \ standards shall be established.\n2. Configuration of systems (systems can\ + \ include AWS, Azure, GCP, and more) shall be configured with the baseline\ + \ configuration.\n3. Configure required permissions for the configuration\ + \ management server. \n4. Configuration of Security Groups, NACLs, and virtual\ + \ firewall appliances shall be in place.\n5. Configuration of VPC Firewall\ + \ Rules and virtual firewall appliances to allow traffic from the configuration\ + \ management server to the other system servers.\n6. All production systems\ + \ shall be able to demonstrate consistent system configurations via version\ + \ control number, last update date, settings, or other.\n7. Process shall\ + \ be established to ensure that latest version patch (hardened as per industry\ + \ practices) is applied wherever possible.\n8. Ensure that security hardening\ + \ and configuration baselines are monitored are flagged wherever deviation\ + \ is observed.\n9. Establish a process ensuring regular rule set reviews are\ + \ conducted by relevant teams for network devices." + typical_evidence: "Log Management - \nE-CFM-01 - Firewall standard\nE-CFM-02\ + \ - Configuration Management Standard\nE-CFM-03 - Periodic Rule review documentation\n\ + E-CFM-04 - System generated Latest patch versioning documentation\nE-CFM-05\ + \ - Configuration deviation samples" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:1 + text: 1. Validate whether Security hardening and Baseline configuration + standards are established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:2 + text: 2. Inspect baseline configuration of systems (systems can include + AWS, Azure, GCP, and more) shall be configured with the baseline configuration. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:3 + text: '3. 
Validate whether the required permissions are present for the + configuration management server. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:4 + text: 4. Inspect Security Groups, NACLs, and virtual firewall appliances + configurations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:5 + text: 5. Validate whether VPC Firewall Rules and virtual firewall appliances + are configured to allow traffic from the configuration management server + to the other system servers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:6 + text: '6. Inspect production systems to determine whether they demonstrate + consistent system configurations via version control #, last update date, + settings, or other.' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:7 + text: 7. For a sample of in scope servers validate whether latest version + patch (hardened as per industry practices) is applied wherever possible. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:8 + text: 8. Validate that security hardening and configuration baselines are + monitored are flagged wherever deviation is observed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:9 + text: 9. Validate that regular rule set reviews are conducted by relevant + teams for network devices. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-02 + name: Default "Deny-all" Settings + description: Where applicable, the information system default access configurations + are set to "deny-all." + annotation: '1. Prepare a list of in-scope network devices and production accounts + and ensure that default deny-all rules are configured + + 2. Ensure that deny-all rule precedes all other applied rules in terms of + priority.' 
+ typical_evidence: "E-AM-02 - \nE-CFM-03 - Periodic Rule review documentation" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02:question:1 + text: 1. For a list of in-scope network devices and production accounts, + validate that default deny-all rules are configured + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02:question:2 + text: 2. Validate that deny-all rule precedes all other applied rules in + terms of priority. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-03 + name: 'Remote Access: Prohibited Protocols and Commands' + description: Organization defines a listing of prohibited user commands and + prohibited protocols that can be used in a remote session. + annotation: 1. Prepare and maintain the listing of prohibited user commands + and prohibited protocols that can be used in a remote session. + typical_evidence: 'E-CFM-06 - Security hardening standard ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-03:question:1 + text: 1. Inspect security hardening standard to determine the listing of + prohibited user commands and prohibited protocols that can be used in + a remote session. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-04 + name: Data Execution Prevention + description: Organization ensures data execution prevention (DEP) security features + are enabled on production hosts to restrict code execution within memory. + annotation: '1. Ensure that configuration setting includes data execution prevention + (DEP) security features enabled on production hosts to restrict code execution + within memory. 
' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-03 - Periodic Rule review documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-04:question:1 + text: '1. Check configuration setting to ensure data execution prevention + (DEP) security features are enabled on production hosts to restrict code + execution within memory. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-05 + name: Client Run Time Technologies + description: Organization disables prohibited client run time technologies on + information systems. + annotation: 1. Establish a process to ensure no prohibited application/software + is installed on the machine. + typical_evidence: E-CFM-07 - Authorized application/software listing + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-05:question:1 + text: 1. Inspect Organization's software compliance dashboard, to ensure + no prohibited application/software is installed on the machine. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-06 + name: Prohibited Activity Monitoring + description: Organization information systems are configured to explicitly deny + a predefined list of activities. + annotation: '1. Prepare a list of activities that shall be denied on Information + Systems, e.g., removable media restriction. + + 2. Ensure that the denied activities are enforced on the Information systems. + + 3. Ensure that the logs are being maintained for monitoring. + + 4. The list shall be reviewed periodically.' 
+ typical_evidence: 'E-CFM-08 - List of denied activities on information systems + + E-CFM-09 - Review history documentation + + E-CFM-10 - Information systems activity logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:1 + text: 1. Validate whether a list is being maintained that has the activities + that shall be denied on Information Systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:2 + text: 2. Inspect the activity logs to validate whether the denied activities + are enforced and monitored on the Information systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:3 + text: 3. Validate whether the periodic review history documentation is present. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-07 + name: Configuration Checks + description: Organization uses mechanisms to detect deviations from baseline + configurations on production environments. + annotation: '1. Ensure that security hardening and configuration baselines are + being monitored for in-scope servers. + + 2. Deviations shall be generated for in-scope servers for which remediations + shall be tracked to closure. + + 3. Design a process for security hardening and configuration baselines checks + being accurate and updated at least annually.' + typical_evidence: 'E-CFM-11 - Security hardening and configuration baselines + checks review documentation + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:1 + text: 1. Validate that security hardening and configuration baselines are + being monitored for in-scope servers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:2 + text: 2. 
Validate that deviations are being generated for in-scope servers + and remediations are tracked to closure. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:3 + text: 3. Validate that the security hardening and configuration baselines + checks are accurate and updated at least annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-08 + name: 'Configuration Check Reconciliation: Logging' + description: Organization reconciles the established device inventory against + the enterprise log repository on a quarterly basis; devices which do not forward + security configurations are remediated. + annotation: '1. Prepare an asset register to ensure asset life cycle is maintained + as per the defined policy and/or standard of asset management. + + 2. Establish a process through which the device configuration logs can be + fetched and reconciled with asset register quarterly. + + 3. Ensure that a process is established that tracks the deviations to remediation.' + typical_evidence: "E-AM-02 - Asset Inventory\nE-CFM-12 with E-AM-02 - \nE-CFM-05\ + \ - Configuration deviation samples" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:1 + text: 1. Inspects Organization asset register to ensure asset life cycle + is maintained as per the defined policy and/or standard of asset management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:2 + text: 2. Validate whether the device configuration logs are being reconciled + with asset register quarterly. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:3 + text: 3. Validate for a sample of deviations whether the remediation is + done in a timely manner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-09 + name: Time Clock Synchronization + description: Systems are configured to synchronize information system time clocks + based on International Atomic Time or Coordinated Universal Time (UTC). + annotation: '1. Ensure that the inventory includes all the ICT devices such + as firewalls, routers and servers. + + 2. Ensure that a process has been established to use only hardened images + for the servers. + + 3. Ensure that the NTP configuration (primary & secondary NTP servers) for + these devices is configured. + + 4. Ensure that the time sync is enabled and stratums are defined.' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-14 - Sample server configuration + + E-CFM-13 - NTP Server configuration + + E-CFM-15 - NTP server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:1 + text: 1. Obtain a list of in-scope ICT devices such as firewalls, routers + and servers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:2 + text: 2. For servers, validate that security hardened images are used. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:3 + text: 3. Obtain the NTP configuration for a sample of devices and check + whether primary and secondary NTP servers are configured. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:4 + text: 4. Validate whether time sync is enabled and stratums are defined + and the time servers are working. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-10 + name: Time Clock Configuration Access + description: Access to modify time data is restricted to authorized personnel. + annotation: '1. 
Ensure that the ability to modify time data is restricted to + authorized personnel. + + 2. Ensure that access reviews of authorized users and all remediations are + appropriately tracked' + typical_evidence: 'E-CFM-16 - Logical Access Management Standard + + E-CFM-17 - Access Review Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10:question:1 + text: '1. Obtain a list of all users who have the ability to modify time + data. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10:question:2 + text: 2. Validate whether access reviews of these users were performed and + all remediations are appropriately tracked + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-11 + name: Default Device Passwords + description: Vendor-supplied default passwords are changed according to Organization + standards prior to device installation on the Organization network or immediately + after software or operating system installation. + annotation: '1. Ensure that the security hardening and configuration baseline + checks include enforcing disablement of default accounts. + + 2. Ensure that the security hardening and configuration baseline deviations + are being tracked to resolution' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11:question:1 + text: 1. Inspect security hardening and configuration baseline checks to + determine whether they are configured to enforce disabling of default + accounts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11:question:2 + text: 2. 
Validate that the security hardening and configuration baseline + deviations are being tracked to resolution. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-12 + name: Process Isolation + description: Organization implements only one primary function per server within + the production environment; the information system maintains a separate execution + domain for each executing process. + annotation: '1. Ensure that the security hardening and configuration baseline + checks include installing one primary function per server within the production + environment and the information system maintains a separate execution domain + for each executing process. + + 2. Ensure that the security hardening and configuration baseline deviations + are being tracked to resolution.' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-18 - Sample of server logs + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12:question:1 + text: 1. Inspect security hardening and configuration baseline checks include + installing one primary function per server within the production environment + and the information system maintains a separate execution domain for each + executing process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12:question:2 + text: 2. Validate that the security hardening and configuration baseline + deviations are being tracked to resolution. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-13 + name: Collaborative Devices + description: Where applicable, collaborative computing devices used at Organization + are configured to restrict remote activation and provide an explicit indication + that they are in use. + annotation: '1. In case of collaborative computing devices, ensure that an explicit + indication is documented confirming its use and requirement. + + 2. Ensure that the security hardening and configuration baseline checks are + configured to restrict remote activation on collaborative computing devices. + + 3. Ensure that the security hardening and configuration baseline deviations + are being tracked to resolution' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-19 - Sample of collaborative computing device logs + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:1 + text: 1. Validate whether the use of collaborative computing devices is + being flagged and justification of its use is documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:2 + text: 2. Inspect security hardening and configuration baseline checks to + determine whether collaborative computing devices are configured to restrict + remote activation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:3 + text: 3. 
Validate that the security hardening and configuration baseline + deviations are being tracked to resolution + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-14 + name: Software Installation + description: Installation of software or programs in the production environment + is approved by authorized personnel. + annotation: '1. Ensure Security hardening and Baseline configuration standards + includes process established to determine whether the installation of software + or programs in the production environment is approved by authorized personnel. + + 2. Prepare an authorized approval matrix for installation of software or programs + in the production environment.' + typical_evidence: "E-CFM-02 - \nE-CFM-20 - Authorized approval matrix" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14:question:1 + text: 1. Inspect Security hardening and Baseline configuration standards + to ensure that the installation of software or programs in the production + environment is approved by authorized personnel is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14:question:2 + text: 2. Inspect the authorized approval matrix for installation of software + or programs in the production environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-15 + name: Job Schedules + description: "Schedule changes or the modifications of production jobs require:\n\ + \u2022 documented approval from authorized personnel\n\u2022 documented monitoring\ + \ details" + annotation: "1. Prepare, document, and periodically review Organization's change\ + \ management standard.\n2. 
Ensure that the change management process includes\ + \ tracking to determine whether schedule changes or the modifications of production\ + \ jobs require:\n\u2022 documented approval from authorized personnel\n\u2022\ + \ documented monitoring details" + typical_evidence: 'E-CFM-21 - Change Management Standard + + E-CFM-22 - Sample of change requests + + E-CFM-23 - Sample of documented approval on production job changes + + E-CFM-24 - Sample of documented change monitoring details' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:1 + text: 1. Obtain Organization's change management standard and validate whether + it is periodically reviewed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:2 + text: '2. For a sample of change tickets, inspect change management process + flow documentation (e.g., ticketing/tracking tools) to determine whether + schedule changes or the modifications of production jobs require:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:3 + text: "\u2022 documented approval from authorized personnel" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:4 + text: "\u2022 documented monitoring details" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + assessable: false + depth: 1 + name: Change Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-01 + name: Change Management Workflow + description: Change scope, change type, and roles and responsibilities are pre-established + and documented in a change control workflow; notification and approval requirements + are also pre-established based on risk associated with change scope and type. + annotation: "1. 
Ensure that the change management process is established and\ + \ well-documented, and should be approved by the management and communicated\ + \ to all the relevant stakeholders.\n2. Ensure that roles and responsibilities\ + \ are defined for each activity and change scope, that change type is predefined.\ + \ \n3. Ensure that the change workflow has a mandatory approval and notification\ + \ requirements incorporated based on risk and change type." + typical_evidence: 'E-CHM-01 - Change Management Policy + + E-CHM-03 - Change Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:1 + text: "1. Inspect Organization\u2019s policy to determine whether:" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:2 + text: a. Change scope, change type, and roles and responsibilities are pre-established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:3 + text: b. Notification and approval requirements are pre-established based + on the risk associated with change scope and type. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:4 + text: 2. Inspect change management ticketing and tracking tools to determine + whether the change control workflow is defined in accordance with the + defined requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-02 + name: Change Approval + description: "Prior to introducing changes into the production environment,\ + \ approval from authorized personnel is required based on the following:\n\ + \u2022 change description\n\u2022 impact of change\n\u2022 test results\n\u2022\ + \ back-out plan" + annotation: '1. Ensure that all the changes to the production environment are + tracked in a Change Management tracking tool. All the change details should + be documented. 
Some of the mandatory details for each change are: + + a. Change Description + + b. Change Impact + + c. Test Details + + d. Roll-out and Roll-back Plan + + e. Change Approval + + f. Change date and time + + 2. All the changes in the production environment should be approved by the + authorized personnel prior to implementation. Make sure that the approver + is independent of the change requestor and change implementor. If not, check + that there a secondary approver to ensure segregation of duty is maintained. + + 3. Make sure that the deployment and change logs are retained as per organization''s + policy.' + typical_evidence: 'E-CHM-02 - Change Management Tool Configuration + + E-CHM-03 - Change Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:1 + text: '1. Inspect Change Management tracking tool to determine that requirements + prior to introducing changes into the production environment, approval + from appropriate personnel is documented including the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:2 + text: a. Change description + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:3 + text: b. Impact of change + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:4 + text: c. Test results + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:5 + text: d. Back-out procedures + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:6 + text: '2. For a sample of changes, inspect corresponding change tickets, + and verify if it includes the following information:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:7 + text: a. Change Description + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:8 + text: b. Impact of changes + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:9 + text: c. 
Roll back plan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:10 + text: d. Evidence of successful testing documentation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:11 + text: e. Approval of change prior to implementation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:12 + text: 3. For the sampled changes, validate that the change was approved + by a person independent of the person who requested or made the change. + Alternatively, ensure that there is a second level of approval to ensure + that segregation of duties is being maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:13 + text: 4. Inspect whether the change logs are retained as per the organization's + policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-03 + name: Segregation of Duties + description: 'Changes to the production environment are implemented by authorized + personnel. ' + annotation: "1. Ensure that the permission to implement changes to the production\ + \ is limited to few authorized personnels. \n2. Ensure that the change implementor\ + \ is not the change approver." + typical_evidence: 'E-CHM-02 - Change Management Tool Configuration + + E-CHM-03 - Change Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-03:question:1 + text: 1. Inspect Change Management tracking tool and for a sample of changes, + inspect that change tickets were launched and appropriately approved. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-04 + name: Communication of Maintenance and Downtime + description: Customer-impacting product and system changes are publicly communicated + on the company website. 
+ annotation: '1. Ensure that all the changes that impact the customers and customer + product or services should be communicated to the customers on the company + website. + + 2. In cases of any planned downtime due to a change, it should be communicated + to the customers in advance on the website.' + typical_evidence: E-CHM-04 - Company Website Link + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-04:question:1 + text: 1. Inspect the company website to determine whether customer-impacting + product and system changes are publicly communicated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + assessable: false + depth: 1 + name: Customer Managed Security + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-01 + name: Customer Administrative Access + description: For products that enable customers to manage their end users, privileged + user roles exist with the capability to manage end user access to the relevant + applications. + annotation: '1. In cases where customers can manage the access of their end + users, ensure that ability to configure privileged user roles exist. + + 2. Ensure that the customer''s privileged user roles can manage end user access + to the relevant applications.' + typical_evidence: 'E-CMS-01 - Customer capabilities in access management console + + E-CMS-05 - Privileged User Roles capabilities' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01:question:1 + text: 1. Validate whether the customers can configure privileged user roles. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01:question:2 + text: 2. Inspect whether the customer defined privileged user roles can + manage end user access to relevant applications. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-02 + name: Customer Authentication + description: Authentication to organization customer-facing applications are performed + through secure log-on procedures. + annotation: 1. Ensure that authentication to organization customer-facing applications + are performed through secure log-on procedures. + typical_evidence: E-CMS-02 - Customer Authentication Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-02:question:1 + text: 1. Inspect whether the authentication to organization customer-facing + applications are performed through secure log-on procedures. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-03 + name: Customer Systems Monitoring + description: As necessary, event logs are made available to customers. + annotation: '1. Establish a process for the customers to access event logs as + needed. ' + typical_evidence: E-CMS-03 - Customer Admin Console + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-03:question:1 + text: 1. Inspect the customer console to determine how the event logs are + made available to the customer. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-04 + name: Customer Security Engagements + description: "Organization supports customer-requested security inquiries, questionnaires,\ + \ and audits:\n\u2022 in accordance with customer contracts and agreements\n\ + \u2022 to facilitate due diligence prior to licensing organization products" + annotation: "1. 
Establish a documented process to support customer-requested\ + \ security inquiries, questionnaires, and audits:\n\u2022 in accordance with\ + \ customer contracts and agreements\n\u2022 to facilitate due diligence prior\ + \ to licensing organization products" + typical_evidence: 'E-CMS-02 - Customer Authentication Standard + + E-CMS-04 - Customer contracts and agreements' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:1 + text: '1. Validate whether a process in place to support customer-requested + security inquiries, questionnaires, and audits:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:2 + text: "\u2022 in accordance with customer contracts and agreements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:3 + text: "\u2022 to facilitate due diligence prior to licensing organization\ + \ products" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:4 + text: 2. Inspect a sample customer inquiry, questionnaire, or audit. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + assessable: false + depth: 1 + name: Cryptography + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-01 + name: Encryption Key Maintenance + description: Cryptographic keys are invalidated when compromised or at the end + of their defined lifecycle period. + annotation: '1. Establish a process to ensure that organization approved key + storage solutions are used. + + 2. Ensure that access to the cryptographic key stores is limited to authorized + personnel. + + 3. Establish a process to periodically review the users access list for the + keys and document the confirmation that these are authorized users. + + 4. 
Establish a process to ensure that the keys are rotated during either of + the below events: + + a) Suspicion that the key has been compromised + + b) End of key life cycle + + 7. In case of termination or transfer of an individual with access to the + key, establish a process for access review and key rotation.' + typical_evidence: 'E-CRY-01 - List of approved key storage solutions + + E-CRY-02 - Periodic Access Review documentation + + E-CRY-03 - Sample of Key rotation evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:1 + text: 1. Inspect the process and location of where Encryption keys are stored. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:2 + text: 2. Obtain details of the process to ensure that access to the cryptographic + key stores is limited to authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:3 + text: 3. Review the users access list for the keys and confirmation that + these are authorized users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:4 + text: '4. Obtain confirmation of key rotation at the occurence of either + of the below events during last quarter:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:5 + text: a) Suspicion that the key has been compromised + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:6 + text: b) End of key life cycle + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:7 + text: 7. For a sample of termination or transfer of an individual with access + to the key, and review the process of key rotation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-02 + name: Encryption Key Distribution + description: Organization prohibits the distribution of cryptographic keys in + clear text. 
+ annotation: 1. Ensure that the Key management policy hass a prohibition on the + distribution of cryptographic keys in clear text. + typical_evidence: E-CRY-04 - Key Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-02:question:1 + text: 1. Inspect the Key management policy that shows that there is a prohibition + on the distribution of cryptographic keys in clear text. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-03 + name: Encryption Key Storage + description: Encryption keys are securely stored in an approved encryption platform. + annotation: '1. Ensure that key management standard includes management operations + using one of the listed options below, for encrypting and decrypting cardholder + data: + + -Key-encrypting key is at least as strong as the data-encrypting key and is + stored separately from the data-encrypting key + + -Stored within a cryptographic device + + -Keys are stored as at least two full-length key components or key shares' + typical_evidence: E-CRY-04 - Key Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:1 + text: '1. 
Inspect and review the key management standard, to ensure that + the management operations are using one of the listed options below, for + encrypting and decrypting cardholder data:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:2 + text: -Key-encrypting key is at least as strong as the data-encrypting key + and is stored separately from the data-encrypting key + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:3 + text: -Stored within a cryptographic device + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:4 + text: -Keys are stored as at least two full-length key components or key + shares + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:5 + text: 2. Inspect the process and validate that one of the above methods + are being used to protect the keys. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-04 + name: Clear Text Key Management + description: If applicable, manual clear-text cryptographic key-management operations + must be managed using split knowledge and dual control. + annotation: '1. Ensure that the key management standard includes guidance on + management operations being managed using split knowledge and dual controls. + + 2. Establish a key custodian acknowledgement form. + + 3. Ensure that when split knowledge is in place, both key components are 2 + full keys, not 1 key split into 2 components.' + typical_evidence: 'E-CRY-04 - Key Management Standard + + E-CRY-05 - Sample key custodian acknowledgement form' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:1 + text: 1. Inspect and review the key management standard, to ensure that + the management operations are managed using split knowledge and dual controls. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:2 + text: 2. Observe and confirm a sample key custodian acknowledgement form. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:3 + text: 3. Inspect that if split knowledge is in place both key components + are 2 full keys, not 1 key split into 2 components. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-05 + name: Encryption of Data in Transit + description: Organization restricted data that is transmitted over public networks + is encrypted. + annotation: "1. Ensure that Organization\u2019s Data Classification and Handling\ + \ Standard and Data Encryption Standard includes requirements for encrypting\ + \ data at rest.\n2. Ensure that the data sent in transit is encrypted by performing\ + \ the following:\na. Latest TLS version and cipher suites usage over browser.\n\ + b. Use valid digital certificates by the endpoint.\nc. Period check by running\ + \ a Qualys provided SSL labs feature that scans and endpoint and enumerates\ + \ all ciphers and TLS versions permitted on an end point\n3. If the service\ + \ does not have public facing endpoints, ensure that the configuration of\ + \ the load balancer and corresponding Security group with details of TLS versions\ + \ allows and cipher suites allowed.\n4. Ensure that the expired SSL certificates\ + \ are identified and remediated." 
+ typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard + + E-CRY-07 - Data Encryption Standard + + E-CRY-08 - Latest TLS Version evidence + + E-CRY-09 - Digital Certificates Validity + + E-CRY-10 - Qualys SSL Labs Scan Results + + E-CRY-11 - Load Balancer Configuration + + E-CRY-12 - Security Group Configuration + + E-CRY-13 - Remediation & Tracking of expired SSL' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:1 + text: "1. Inspect Organization\u2019s Data Classification and Handling Standard\ + \ and Data Encryption Standard to determine whether requirements for encrypting\ + \ data at rest were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:2 + text: '2. Obtain the list of all public facing endpoints for the service. + Inspect each public facing endpoint to determine if data sent in transit + is encrypted by performing the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:3 + text: a. Inspecting the TLS version and cipher suites being used over browser. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:4 + text: b. Inspecting the validity of the digital certificates being used + by the endpoint. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:5 + text: c. Running a Qualys provided SSL labs feature that scans and endpoint + and enumerates all ciphers and TLS versions permitted on an end point + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:6 + text: 3. If the service does not have public facing endpoints, obtain configuration + of the load balancer and corresponding Security group with details of + TLS versions allows and cipher suites allowed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:7 + text: 4. Obtain the list of expired SSL certificates and validate whether. 
+ tracking and remediation of the expired SSL were performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-06 + name: Encryption of Data at Rest + description: Organization restricted data at rest is encrypted. + annotation: "1. Ensure that Organization\u2019s Data Classification and Handling\ + \ Standard and Data Encryption Standard includes requirements for encrypting\ + \ data at rest.\n2. Where data at rest shall be encrypted as per Data Classification\ + \ and Handling Standard, ensure the following:\na. Ensure encryption is enabled\ + \ along with type of encryption algorithm being used as applicable (e.g. for\ + \ AWS S3 - AWS SSE-KMSetc., full disk encryption for on prem databases).\n\ + b. Ensure that only strong encryption algorithms mandated by Organization\ + \ Cryptography standard are in use where applicable.\nc. Establish a process\ + \ to periodically check the list of all cloud storage resources and determine\ + \ whether encryption was appropriately applied as applicable." + typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard + + E-CRY-07 - Data Encryption Standard + + E-CRY-14 - Sample confirmation on databases/storage location list + + E-CRY-16 - List of cloud storage resources + + E-CRY-15 - Evidence of encryption enabled' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:1 + text: "1. Inspect Organization\u2019s Data Classification and Handling Standard\ + \ and Cryptography Standard to determine whether requirements for encrypting\ + \ restricted data at rest have been defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:2 + text: '2. Obtain confirmation from teams that storage of data is in place. 
+ For services storing restricted data at rest, obtain and inspect the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:3 + text: a. List of all databases/storage locations (AWS/Azure Databases, On + prem databases, etc.) where data is stored at rest. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:4 + text: b. For all the above locations, obtain evidence showing that encryption + is enabled along with the type of encryption algorithm being used as applicable + (e.g. for AWS S3 - AWS SSE-KMSetc., full disk encryption for on prem databases) + to ensure that only strong encryption algorithms mandated by Organization + Cryptography standard are in use where applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:5 + text: c. Obtain the list of all cloud storage resources and determine whether + encryption was appropriately applied as applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-07 + name: Approved Cryptographic Technology + description: Where applicable, strong industry standard cryptographic ciphers + and keys with an effective strength greater than 112 bits are required for + cryptographic security operations. + annotation: '1. Ensure that the encryption is enabled along with type of encryption + algorithm being used as applicable (e.g. for AWS S3 - AWS SSE-KMSetc., full + disk encryption for on prem databases). + + 2. Ensure that strong industry standard cryptographic ciphers and keys with + an effective strength greater than 112 bits are required for cryptographic + security operations.' + typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard + + E-CRY-07 - Data Encryption Standard' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07:question:1 + text: 1. 
Validate evidence showing that encryption is enabled along with + type of encryption algorithm being used as applicable (e.g. for AWS S3 + - AWS SSE-KMSetc., full disk encryption for on prem databases) to ensure + that only strong encryption algorithms mandated by Organization Cryptography + standard are in use where applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07:question:2 + text: 2. Validate whether the keys have a strength greater than 112 bits + for cryptographic security operations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-08 + name: Key Repository Access + description: Access to the cryptographic keystores is limited to authorized + personnel. + annotation: 1. Ensure that the access lists of the key repositories have authorized + users and reviewed periodically. + typical_evidence: E-CRY-17 - Access List of Key Repository + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-08:question:1 + text: 1. Inspect the access lists of the key repositories and ensure that + the users listed are authorized and reviewed previously. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-09 + name: Key Store Review + description: Management reviews and authorizes key store locations. + annotation: '1. Establish a process to review key management services to ensure + that they are still authorized key stores. + + 2. The list of authorized key stores shall be reviewed periodically.' + typical_evidence: E-CRY-18 - Review history of authorized key stores list + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09:question:1 + text: 1. 
Inspect and review key management services to ensure that they + are still authorized key stores. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09:question:2 + text: 2. Review the list of authorized key stores and their last date of + review. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-10 + name: Full Disk Encryption Access + description: Where full disk encryption is used, logical access must be managed + independently of operating system authentication; decryption keys must not + be associated with user accounts. + annotation: '1. Ensure that the decryption keys are stored in a Trusted Platform + Module (TPM). + + 2. Ensure that the decryption keys are not stored as plain text in insecure + storage locations.' + typical_evidence: 'E-CRY-19 - Process documentation for Decryption key storage + + ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10:question:1 + text: 1. Confirm that the decryption keys are stored in a Trusted Platform + Module (TPM). + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10:question:2 + text: 2. Confirm that the decryption keys are not stored as plain text in + insecure storage locations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-11 + name: Key Custodians Agreement + description: "Cryptographic Key Custodians\_and\_Cryptographic Materials Custodians\ + \ (CMC) acknowledge in writing or electronically that they understand and\ + \ accept their cryptographic-key-custodian responsibilities." + annotation: 1. Ensure that Key Custodian Acknowledgements are signed by cryptographic + key custodians, which will provide assurance of appropriate acknowledgement + to the key custodian responsibilities. 
+ typical_evidence: E-CRY-20 - Sample of signed Key Custodian Acknowledgements + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-11:question:1 + text: 1. Obtain and inspect a sample of signed Key Custodian Acknowledgements + to validate that cryptographic key custodians have appropriately acknowledged + their key custodian responsibilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-12 + name: Approved Certificate Authorities + description: Organization restricts the use of digital certificates to those + that are signed by approved certificate authorities; a certification path + to an accepted trust anchor is established. + annotation: 1. Establish a process for executing periodic SSL tests to ensure + that only digital certificates that are signed by approved certificate authorities + are accepted. + typical_evidence: E-CRY-21 - Sample of SSL Test results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12:question:1 + text: 1. Observe a sample of servers and review their SSL test. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12:question:2 + text: 2. Observe the SSL test and confirm that only digital certificates + that are signed by approved certificate authorities are accepted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-13 + name: 'Installation of Software: Certificate Verification' + description: Digital Certificates are verified by information system components + prior to installation on the production network. + annotation: 1. 
Establish a process for executing periodic SSL tests and configuration + files to ensure that digital certificates are verified prior to installation + on production networks. + typical_evidence: 'E-CRY-21 - Sample of SSL Test results + + E-CRY-22 - SSL Configuration Files' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13:question:1 + text: 1. Observe a sample of servers and review their SSL test. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13:question:2 + text: 2. Observe the SSL test and configuration files and ensure that digital + certificates are verified prior to installation on production networks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-14 + name: Public Key Infrastructure-based Authentication + description: Information systems are configured to follow an established certification + path to an accepted trust anchor; in the case of network failure, a local + cache of revocation data is maintained to support validation. + annotation: 1. Establish a process for executing periodic SSL tests to ensure + that the identified Certificate authority is authorized to act as a trust + anchor. + typical_evidence: E-CRY-21 - Sample of SSL Test results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14:question:1 + text: 1. Observe a sample of servers and domains and review their SSL test. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14:question:2 + text: 2. Observe the Certificate authority and ensure that it is an authorized + to act as a trust anchor. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-15 + name: Software Signing + description: "Organization uses a software signing infrastructure to restrict\ + \ access to organization\u2019s code signing private keys used to sign organization\ + \ authorized software builds." + annotation: '1. Ensure that a process is defined and documented for software + signing. + + 2. Ensure that the private keys used for software signing are accessible only + to a restricted set of personnel.' + typical_evidence: 'E-CRY-23 - Software Development Lifecycle Policy + + + E-CRY-24 - Configuration evidence for accessing software signing keys' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:1 + text: 1. Inspect and validate that a process is defined and documented for + software signing. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:2 + text: 2. Validate whether the private keys used for software signing are + accessible only to a restricted set of personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:3 + text: 3. Validate that periodic access reviews are performed for these keys. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + assessable: false + depth: 1 + name: Data Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-01 + name: Data Classification Criteria + description: Organization's data classification criteria are periodically reviewed, + approved by management, and communicated to authorized personnel; the data + security management team determines the treatment of data according to its + designated data classification level. + annotation: '1. 
Ensure that a Data Classification Criteria is defined and documented. + + 2. Ensure that this criteria is reviewed and approved periodically and appropriate + documentation for the review is retained. + + 3. Ensure that a process is defined and implemented to ensure data is treated + according to its data classification level. ' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-02 - Periodic Review Records + + E-DM-03 - ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:1 + text: "1. Inspect Organization's policy and/or standard to determine whether\ + \ Organization\u2019s data classification criteria is defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:2 + text: 2. Inspect whether the criteria is periodically reviewed and approved + by the management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:3 + text: 3. Validate using sample testing that data is categorized and treated + according to its data classification level and defined controls. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-02 + name: Data Inventory + description: Organization should identify, label and classify Data based on + the Data Classification Criteria. + annotation: '1. Ensure that a process for identifying data is defined and documented + in the organization. + + 2. Ensure that the data is labelled and classified as per the Data Classification + criteria.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-03 - ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02:question:1 + text: 1. Inspect and validate in the Organization's policy and/or standard + whether a process for identifying data is defined in the organization. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02:question:2 + text: 2. Validate for a sample of data, that it is labelled and classified + as per the Data Classification criteria. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-03 + name: Terms of Service + description: Consent is obtained for Organization's Terms of Service (ToS) prior + to collecting personal information and when the ToS is updated. + annotation: '1. Ensure that organizations Terms of Service are defined and documented. + + 2. Ensure that a process is defined for updating the Terms of Service which + includes recapturing of consent. + + 3. Ensure that the consent is taken for the Terms of Service prior to collecting + personal information.' + typical_evidence: 'E-DM-04 - Terms of Service + + E-DM-05 - Consent Records + + E-DM-06 - Terms of Service Update Process' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:1 + text: 1. Inspect and validate whether Terms of Service are defined and documented + for the organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:2 + text: 2. Inspect whether the Terms of Service are updated periodically and + ensure that consent is recaptured after updates. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:3 + text: 3. For sample of customers validate whether consent was obtained before + collection of personal information. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-04 + name: Personal Information Access Requests + description: In accordance with Organization policy, upon request, authenticated + individuals are provided with a copy of their personal information or disclosures + of their personal information in an understandable form and within the defined + timeframe. + annotation: '1. Ensure that a process is defined, documented, and communicated + for requesting a copy of personal information. + + 2. Ensure that on request a copy of personal information is provided to authenticated + individuals as per the policy. + + 3. Ensure that the information is provided in an understandable form and in + a timely manner as per the policy' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-07 - Data Access Request Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for requesting a copy of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:2 + text: 2. Validate whether on request a copy of personal information was + provided to authenticated individuals. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:3 + text: 3. Validate that the information was provided in an understandable + form and in a timely manner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-05 + name: Personal Information Deletion Requests + description: In accordance with Organization policy, Organization processes + requests for the deletion of personal information. + annotation: '1. 
Ensure that a process is defined, documented, and communicated + for requesting deletion of personal information. + + 2. Ensure that on request personal information is deleted as per the policy.' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-08 - Data Deletion Request Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for requesting deletion of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05:question:2 + text: 2. Validate whether on request personal information was deleted as + per organization's policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-06 + name: External Privacy Inquiries + description: In compliance with Organization policy, Organization reviews privacy-related + inquiries, complaints, and disputes. + annotation: '1. Ensure that a process is defined, documented and communicated + for review of privacy-related inquiries, complaints, and disputes. + + 2. Ensure that these inquiries, complaints, and disputes are addressed in + a timely and well communicated manner.' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-09 - Privacy inquiry Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for review of privacy-related inquiries, complaints, and + disputes. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06:question:2 + text: 2. Validate for a sample whether these inquiries, complaints, and + disputes are addressed in a timely and well communicated manner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-07 + name: Test Data Sanitization + description: Restricted data is redacted prior to use in a non-production environment. + annotation: '1. Ensure that a process is defined, documented, and communicated + for redacting or not using production data in test environments. + + 2. Ensure that sufficient tools and processes exists for creation of dummy + test data for testing purposes.' + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-DM-10 - Sample Test Data' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for redacting or not using production data in test environments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:2 + text: 2. Validate for a sample, whether any production data is used in test + environments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:3 + text: 3. Validate how test data is generated and used for testing. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-08 + name: Personal Information Updates + description: Organization allows authenticated users to review and update their + personal information. + annotation: '1. Ensure that a process is defined, documented, and communicated + regarding access and update to personal information. + + 2. Ensure that appropriate justifications are provided for any denied access + or update requests. + + 3. Ensure that a process is defined, documented, and communicated for appealing + the denial of access or update request.' 
+ typical_evidence: 'E-DM-11 - Access or update process document + + E-DM-12 - Personal information access/update request records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:1 + text: 1. Inspect and validate whether a documented process exists regarding + access and update to personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:2 + text: 2. Validate that for any denied access or update requests, appropriate + justifications were provided. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:3 + text: 3. Inspect and validate whether a documented process exists for appealing + the denial of access or update request. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:4 + text: 4. Ensure that the access or update request process is well communicated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-09 + name: Credit Card Data Restrictions + description: Organization does not store full track credit card data, credit + card authentication information, credit card verification code, or credit + personal identification number (PIN) which Organization processes for payment. + annotation: '1. Ensure that a process is defined and documented for redaction + of credit card data. + + 2. Ensure that the organization does not store full track credit card data, + credit card authentication information, credit card verification code, or + personal identification number (PIN).' + typical_evidence: E-DM-13 - Database Screenshots + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-09:question:1 + text: 1. Validate that full credit card track data and sensitive authentication + data is not stored in the databases of the Organization. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-10 + name: Primary Account Number Data Restrictions + description: Organization restricts primary account number (PAN) data such that + only the first six and last four digits are displayed; authorized users with + a legitimate business need may be provided the full PAN. + annotation: '1. Ensure that a process is defined and documented for redaction + of credit card data. + + 2. Ensure that the organization restricts primary account number (PAN) data + such that only the first six and last four digits are displayed. + + 3. Ensure that a process is defined to provide full PAN to authorized users + with a legitimate business need.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-13 - Database Screenshots + + E-DM-14 - PAN authorization records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:1 + text: 1. Inspect and validate whether a documented process exists for redaction + of credit card data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:2 + text: 2. Validate that primary account number is stored such that only the + first six and last four digits are displayed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:3 + text: 3. Inspect and validate whether a documented process exists to provide + full PAN to authorized users with a legitimate business need. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-11 + name: Personal Information Inventory + description: Organization maintains a documented inventory of media containing + personal information. + annotation: '1. 
Ensure that an inventory of media containing personal information + is documented, approved, and communicated to appropriate stakeholders. + + 2. Ensure that this inventory is reviewed and update periodically.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-15 - Personal Information Media Inventory' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11:question:1 + text: 1. Inspect and validate whether an inventory of media containing personal + information is formally documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11:question:2 + text: 2. Ensure that a process is defined to review and update the inventory + periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-12 + name: Changes to Data at Rest + description: Organization uses mechanisms to detect direct changes to the integrity + of customer data and personal information; Organization takes action to resolve + confirmed unauthorized changes to data. + annotation: '1. Ensure that a process is defined and documented to detect unauthorized + changed to customer data. + + 2. Ensure that appropriate alerts are sent and actions are taken to resolve + unauthorized changes.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-16 - Integrity Checks' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12:question:1 + text: 1. Inspect and validate that a process is defined and documented to + detect unauthorized changed to customer data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12:question:2 + text: 2. Validate whether alerts are sent and actions were taken to resolve + unauthorized changes. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-13 + name: Data Processing Integrity + description: System checks are in place to ensure both complete and accurate + capture of data in process. + annotation: '1. Ensure that a process is defined and documented for ensuring + data integrity in transit and at rest + + 2. Ensure appropriate tests are used to check checksums or hashes to ensure + data integrity.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-16 - Integrity Checks' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13:question:1 + text: 1. Inspect and validate that a process for ensuring data integrity + in transit and at rest is defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13:question:2 + text: 2. Validate and inspect the tests used to check checksums or hashes + to ensure data integrity + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-14 + name: Secure Disposal of Media + description: Organization securely erases media containing decommissioned restricted + data and obtains a certificate or log of erasure; media pending erasure are + stored within a secured facility. + annotation: '1. Ensure that requirements for destroying media containing decommissioned + restricted data are defined and documented. + + 2. Ensure that the requirements for maintaining a log of such activities is + defined. + + 3. Ensure that appropriate records are maintained for such activities. + + 4. Ensure a security facility is designated to store such media prior to erasure. + + 5. Ensure a certificate of erasure is obtained for such media post erasure + completion.' 
+ typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-17 - Media Erasure records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:1 + text: 1. Inspect and validate whether requirements for destroying media + containing decommissioned restricted data are defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:2 + text: 2. Inspect and validate that the requirements for maintaining a log + of such activities is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:3 + text: 3. Validate that appropriate records are maintained for such activities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:4 + text: 4. For a sample of records, validate that a certificate of erasure + was obtained for such media post erasure completion. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-15 + name: Customer Data Retention and Deletion + description: Organization purges or archives data according to customer requests + or legal and regulatory mandates. + annotation: '1. Ensure that a process is defined, documented, and communicated + for requesting deletion or archival of personal information. + + 2. Ensure that on customer''s request or as per legal/regulatory mandates, + personal information is deleted/archived as per the policy.' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-08 - Data Deletion Request Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15:question:1 + text: 1. Inspect and validate whether a documented process is defined & + communicated for requesting deletion/archival of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15:question:2 + text: 2. 
Validate whether on customer's request or as per legal/regulatory + mandates personal information is deleted/archived as per the policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-16 + name: Removal of PHI from Media + description: Organization removes electronic protected health information from + electronic media if the media is made available for re-use. + annotation: '1. Ensure that a process is defined and documented for removal + of Protected Health Information from electronic media if the media is made + available for reuse. + + 2. Ensure that validation is done to ensure that no protected health information + exists on the media before reuse.' + typical_evidence: E-DM-01 - Data Management Policy + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16:question:1 + text: 1. Inspect and validate that a process is defined and documented for + removal of Protected Health Information from electronic media if the media + is made available for reuse. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16:question:2 + text: 2. Inspect whether validation is done to ensure that no protected + health information exists on the media before reuse. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-17 + name: 'Secure Disposal of Media: Testing' + description: Organization tests sanitization procedures and equipment annually + for effectiveness. + annotation: '1. Ensure that a process is defined and documented for testing + of sanitization procedures. + + 2. Ensure that the sanitization procedures are tested annually and appropriate + records are maintained.' 
+ typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-18 - Sanitization Procedures Testing Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17:question:1 + text: 1. Inspect and validate that a process is defined and documented for + testing of sanitization procedures. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17:question:2 + text: 2. Validate whether the sanitization procedures were tested annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-18 + name: Personal Information Retention and Deletion + description: Organization retains and deletes personal information from Organization + and service provider systems in accordance with Organization policy. + annotation: '1. Ensure that a process is defined and documented for retention + and deletion of personal information. + + 2. Ensure that the personal information is retained and deleted as per the + process from organization and service provider systems.' + typical_evidence: "E-DM-01 - \nE-DM-19 - Personal Information Deletion Records" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18:question:1 + text: 1. Inspect and validate that a process is defined and documented for + retention and deletion of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18:question:2 + text: 2. Validate whether the personal information was retained and deleted + as per the process. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-19 + name: Temporary Storage of Personal Information + description: Temporary files and documents containing personal information are + deleted in accordance with a timeframe consistent with Organization policy. + annotation: '1. Ensure that a process is defined and documented for deletion + of temporary files. + + 2. Ensure that temporary files are deleted within a defined timeframe as per + the process.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-20 - Temporary Files deletion configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19:question:1 + text: 1. Inspect and validate that a process is defined and documented for + deletion of temporary files. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19:question:2 + text: 2. Validate the configuration for deletion of temporary files and + ensure that the timeframe is as per the process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-20 + name: Social Media + description: Sharing Organization restricted data via messaging technologies, + social media, and public websites is prohibited. + annotation: '1. Ensure that a process is defined, documented, and communicated + which prohibits sharing of restricted data via messaging technologies, social + media, and public websites. + + 2. Ensure that appropriate mechanisms are in place to detect such activities.' 
+ typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-21 - Sample Alerts showcasing restricted data via public websites is + prohibited' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20:question:1 + text: 1. Inspect and validate whether a process is defined, documented and + communicated which prohibits sharing of restricted data via messaging + technologies, social media, and public websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20:question:2 + text: 2. Validate whether appropriate mechanisms are in place to detect + such activities and alerts are generated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-21 + name: Publicly Accessible Content + description: 'Organization protects its public information system presence with + the following processes: only authorized and trained individuals may post + public information, content is reviewed prior to publishing, information on + public systems is reviewed periodically, and non-public information is removed + from public systems upon discovery.' + annotation: '1. Ensure that a process is defined, documented, and communicated + regarding publishing of information on public websites. + + 2. Ensure public information is reviewed periodically. + + 3. Ensure appropriate process is defined for removing non-public information + from public websites. + + 4. Ensure appropriate access control exists for posting information on public + websites.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-23 - Configuration for posting on Public Websites' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:1 + text: 1. 
Inspect and validate whether a process is defined, documented, + and communicated regarding publishing of information on public websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:2 + text: 2. Validate whether public information is reviewed periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:3 + text: 3. Validate the process for removing non-public information from public + websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:4 + text: 4. Validate that appropriate access control exists for posting information + on public websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-22 + name: Data Loss Prevention + description: Data loss prevention capabilities are implemented to protect sensitive + information as it is stored, transmitted, and processed. + annotation: '1. Ensure that Data Loss Prevention solution is enabled on systems + to protect sensitive data as it is stored, transmitted, and processed. + + 2. Ensure appropriate alerts are sent and actions are taken to remediate any + deviations.' + typical_evidence: 'E-DM-22 - DLP Configuration + + E-DM-21 - Sample Alerts showcasing restricted data via public websites is + prohibited' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22:question:1 + text: 1. Validate whether that Data Loss Prevention solution is enabled + on a sample system. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22:question:2 + text: 2. Validate whether appropriate alerts are sent and actions are taken + to remediate any deviations. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + assessable: false + depth: 1 + name: Entity Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-01 + name: Board of Directors Structure and Purpose + description: "The Board of Directors provides corporate oversight, strategic\ + \ direction, and review of management for Organization. The Board of Directors\ + \ meets at least quarterly and has 3 sub-committees: \n\u2022 Audit Committee\n\ + \u2022 Executive Compensation and Nominating Committee\n\u2022 Governance\ + \ Committee" + annotation: '1. Document the Board of Directors responsibilities and members + within a charter. + + 2. Ensure Board of Directors meet at least quarterly, and document meeting + minutes of each meeting. + + 3. Ensure Board of directors have at least 3 sub-committees defined and formed, + audit committee, executive compensation and nominating committee, and governance + committee.' + typical_evidence: 'E-EM-01 - Board of directors charter + + E-EM-02 - Board of directors meetings minutes' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01:question:1 + text: 1. Inspect that the board of directors information in the form of + Charter is available on the Organization governance website. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01:question:2 + text: '2. Validate that board of directors meet at least quarterly to provide + corporate oversight and have at least 3 sub-committees defined: audit + committee, executive compensation and nominating committee, and governance + committee.' 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-02 + name: Audit Committee + description: "The Audit Committee is governed by a Charter, is independent from\ + \ Organization Management, composed of outside directors (Industry Experts),\ + \ and meets quarterly. The Audit Committee oversees: \n\u2022Financial Statement\ + \ Quality \n\u2022Enterprise Risk Management\n\u2022Regulatory & Legal Compliance\n\ + \u2022Internal Audit Functions\n\u2022Information Security Functions\n\u2022\ + External Audit Functions" + annotation: '1. Ensure documented information on the Audit Committee and Audit + Committee Charter is created. + + 2. Ensure that the audit committee is independent and meets quarterly as defined + within the charter. Document the most recent meeting in the form of an audit + committee minutes. + + 3. Ensure that the audit committee includes outside directors (industry experts). + + 4. Ensure audit committee reviews financial statement quality, enterprise + risk management, regulatory & legal compliance, internal and external audit + function, and information security functions. + + 5. Follow up on any open items from previous audit committee meetings to ensure + they are being worked on and closed out.' + typical_evidence: 'E-EM-03 - List of members on the audit committee + + E-EM-04 - Audit committee charter + + E-EM-05 - Audit Committee meeting minutes + + E-EM-06 - Evidence of follow up items or action plans' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:1 + text: 1. Inspect the Charter of the Audit Committee of the Board of Directors + and meeting minutes to determine whether the Audit Committee is independent + from management, and is composed of outside directors. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:2 + text: '2. 
Validate that the audit committee is independent and meets quarterly + as defined within the charter. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:3 + text: 3. Inspect the minutes of meeting audit committee. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:4 + text: 4. Validate meeting minutes to ensure that financial statement quality, + enterprise risk management, regulatory & legal compliance, internal and + external audit function, and information security functions were reviewed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-03 + name: Organizational Structure + description: Organization Management ensures that its organization is aligned + with the corporate strategy by assigning key managers with responsibilities + to execute the corporate strategy. + annotation: '1. Ensure the organization has defined and documented a corporate + strategy including the responsibilities for key managers. + + 2. Ensure the strategy is available to the respective stakeholder and is communicated + effectively.' + typical_evidence: E-EM-07 - Documented corporate strategy in the Information + Security policy + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03:question:1 + text: 1. Validate and ensure that the organization has established and documented + the strategy with the responsibilities for key managers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03:question:2 + text: 2. Inspect whether the strategy is available to the respective stakeholder + and is communicated effectively. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-04 + name: Operating Plans + description: Annual operating plans are aligned with Corporate Objectives, which + are established on an annual basis during the Company's planning process. + Priorities are set and plans are communicated appropriately. + annotation: "1. Ensure that operating plans are established. \n2. Ensure that\ + \ these plans are updated and approved on an annual basis.\n3. Ensure priorities\ + \ are set and plans are communicated to the respective stakeholders." + typical_evidence: 'E-EM-08 - Operating plan procedure/process + + E-EM-09 - Evidence showcasing the plans are communicated to the stakeholders + (MOM)' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:1 + text: 1. Inspect the process of operating plans creation and update. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:2 + text: 2. Validate that the corporate strategy is an input to operating plans + update process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:3 + text: 3. Validate whether the plans are updated and approved at least annually + and communicated to the stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-05 + name: Cyber Security Insurance + description: Organization purchases cyber security insurance to mitigate risk + of material financial impact that could result from a cyber security event. + annotation: '1. Ensure cyber security insurance is being purchased by the organization + and is active for the audit period. + + 2. Ensure that a process is created for renewal of Cyber Security Insurance.' 
+ typical_evidence: E-EM-10 - Latest Cyber Security Insurance + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-05:question:1 + text: 1. Obtain and inspect the latest cyber security insurance to verify + that the insurance policy is active for the audit period. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-06 + name: Internal Audit Function + description: Quarterly, the Chief Audit Executive meets with the Audit Committee + to review key risk issues. The Audit Committee approves the annual Internal + Audit Plan. Results of quarterly audits and subsequent issue tracking summaries + are presented to the Audit Committee. + annotation: '1. Ensure key risk issues shall be reviewed at least quarterly + by the audit committee and document the issues identified along with the plan + of action for risk remediation. + + 2. Ensure the Internal audit plan is annually approved by the audit committee. + + 3. Ensure results of quarterly audits and issues identified as a part of audit + are presented to the Audit Committee.' + typical_evidence: 'E-EM-11 - Latest MOM of audit committee + + E-EM-12 - Internal audit plan + + E-EM-13 - Internal audit report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:1 + text: 1. Inspect Minutes of audit committee meeting and validate that it + highlights the key risks identified, plan of action along with the timeline. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:2 + text: ' ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:3 + text: 2. Check internal audit plan to ensure it was approved by the audit + committee. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:4 + text: 3. 
Inspect and validate whether results of quarterly audits are presented + to the audit committee. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-07 + name: Financial Control Review + description: Internal financial control assessment results are reported to the + Audit Committee by the Chief Audit Executive on a quarterly basis and support + the CEO/CFO 302/404 certifications. + annotation: 1. Ensure Chief Audit committee shall report the internal financial + control assessment results to the Audit Committee on a quarterly basis. + typical_evidence: E-EM-14 - Minutes of meeting showcasing the Internal financial + control assessment results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-07:question:1 + text: 1. Inspect Minutes of the audit committee meeting to ensure internal + financial control assessment results are discussed and reported on a quarterly + basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-08 + name: Information Security Function + description: Quarterly, the Chief Security Officer meets with the Audit Committee + to review key Information Security issues. Results of continuous monitoring + activities and current security compliance status are presented to the Audit + Committee and the Board of Directors. + annotation: '1. Ensure audit committee reviews the Information security issues + at least quarterly and document the issues identified along with the plan + of action for risk remediation. + + 2. Ensure Minutes of Meetings to be documented stating the compliance status. + + 3. 
Ensure results of continuous compliance activities and current compliance + status are reported to the Audit Committee and the Board of Directors in the + form of PowerPoints, documents, etc.' + typical_evidence: E-EM-15 - Minutes of meeting showcasing the security compliance + status and issues identified + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08:question:1 + text: 1. Validate whether information security issues are reviewed at least + quarterly by the audit committee along with remediation plans. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08:question:2 + text: 2. Inspect minutes of audit committee meeting with chief security + officer to ensure security compliance status along with the continuous + monitoring of action plan is discussed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-09 + name: Information Security Compliance Review + description: Information Security compliance results are reported to the Audit + Committee by the Chief Security Officer on a quarterly basis and support information + security compliance certifications + annotation: '1. Ensure Minutes of Meetings to be documented stating the compliance + results on a quarterly basis. + + 2. Ensure results of current security compliance status and issues identified + as a part of audit are reported to the Audit Committee in the form of PowerPoints, + documents, etc.' + typical_evidence: E-EM-16 - Minutes of meeting showcasing the security compliance + results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-09:question:1 + text: 1. Obtain and inspect evidence that quarterly Information Security + compliance results were reported to the Audit Committee. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-10 + name: Common Controls Framework + description: Organization maintains a Common Control Framework (CCF) that is + used in the implementation of control measures as a risk mitigation strategy + to support organization operations, technology infrastructure, and security + management activities. + annotation: '1. Ensure that a control set is created to govern the organization''s + information security program. + + 2. Document the control set and ensure it is communicated with relevant stakeholders.' + typical_evidence: E-EM-17 - Organization's control set + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10:question:1 + text: 1. Validate whether a control framework exists for managing the organization's + information security program. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10:question:2 + text: 2. Ensure that this control set is documented and available to relevant + stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-11 + name: Service Agreement + description: "When customers sign-up for Organization\u2019s product and services,\ + \ the customer is required to acknowledge a service agreement which includes\ + \ considerations for protecting security, availability, confidentiality and\ + \ indicates the responsibilities of the users and organization\u2019s responsibilities\ + \ and commitments." + annotation: '1. Ensure that the customers acknowledge a service agreement including + considerations for protecting security, availability, confidentiality. + + 2. Ensure that the service agreement contains responsibilities of users and + the organization.' 
+ typical_evidence: E-EM-18 - Customer service agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:1 + text: 1. Validate whether customers acknowledge a service agreement. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:2 + text: 2. Validate whether the agreement contains considerations for protecting + security, availability, confidentiality. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:3 + text: 3. Validate whether the agreement contains users and organizations + responsibilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + assessable: false + depth: 1 + name: Identity and Access Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-01 + name: Logical Access Provisioning + description: Logical access provisioning to information systems requires approval + from appropriate personnel. + annotation: '1. Design and document a process for Logical Access and requirements + for access provisioning. + + 2. Ensure access approval logic is mandated in the access management portal + accordingly. + + 3. Ensure that the access management portal is updated with the relevant approvers.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-03 - Access Provisioning Logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:1 + text: 1. Inspect Organization Logical Access Policy and/or Standard to determine + that the requirements for access provisioning were defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:2 + text: 2. 
Inspect evidence of the workflow from access management portal + showing access requires approval and is provisioned upon approval. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:3 + text: 3. Inspect the system generated list of identity and access groups + which are in-scope and associated workgroups with approvers from access + management portal. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:4 + text: 4. Inspect access provisioning system logs for a selection of users + who were granted access to production systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-02 + name: Change of Access Notification + description: Changes made to system access trigger a notification that is sent + to designated personnel. + annotation: '1. Design and document a process for Logical Access and requirements + for access modification. + + 2. Ensure that any change made to access triggers a notification in the access + management portal accordingly.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-04 - Access Modification Logs + + E-IAM-05 - Sample alert for Access Modification' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02:question:1 + text: 1. Inspect Organization Logical Access Policy and/or Standard to determine + the requirements for access provisioning were defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02:question:2 + text: 2. Validate for a sample access change, that a notification in the + access management portal was triggered to the management. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-03 + name: Logical Access De-provisioning + description: Logical access that is no longer required in the event of a termination + is documented, communicated to management, and revoked. + annotation: '1. Design and document a process for Logical Access and requirements + for access de-provisioning. + + 2. Ensure access termination logic is mandated in the access management portal + accordingly.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-07 - Access De-Provisioning Logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access de-provisioning or terminations\ + \ were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:2 + text: 2. Inspect the list of system generated population of terminated full-time + and temporary employees and contractors from the HR system. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:3 + text: 3. Inspect configurations to determine that user accounts are disabled + after they are no longer required.. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:4 + text: 4. Inspect removals from the access management tool for a selection + of terminations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-04 + name: 'Logical Access De-provisioning: Notification' + description: The People Resources system sends a notification to relevant personnel + in the event of a termination of an information system user. + annotation: 1. 
Ensure that on access termination, the access management portal + triggers a notification to the relevant personnel. + typical_evidence: 'E-IAM-02 - Access Management Portal Workflow + + E-IAM-06 - Access Termination Logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-04:question:1 + text: 1. Inspect resource management portal to check if the relevant stakeholders + are informed upon an employee's termination of an information system user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-05 + name: Logical Access Review + description: Organization performs account and access reviews on a quarterly + basis; corrective action is taken where applicable. + annotation: '1. Design and document a process for Logical Access and requirements + for access reviews. + + 2. Ensure access reviews are performed as per defined frequency. + + 3. Ensure that the necessary corrective action has been taken, if required.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-08 - Access Review Reconciliation + + E-IAM-09 - Corrective Action in Access Management Portal' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access reviews were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:2 + text: 2. Inspect the access reviews reconciliation report on a quarterly + basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:3 + text: '3. For a sample of services, inspect the access review for the selected + quarters. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:4 + text: 4. 
In case of any discrepancy, ensure that corrective action has been + taken and appropriate approval is obtained from the authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-06 + name: 'Role Change: Access De-provisioning' + description: Upon notification of an employee reassignment or transfer, management + reviews the employee's access for appropriateness. Access that is no longer + required is revoked and documented. + annotation: '1. Design and document a process for Logical Access and requirements + for access modification in case of transfer or reassignment. + + 2. Ensure access reviews are performed appropriately. + + 3. Ensure that the necessary corrective action has been taken, if required.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-08 - Access Review Reconciliation + + E-IAM-09 - Corrective Action in Access Management Portal' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access modifications were defined\ + \ and includes the case of employee reassignment or transfer." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:2 + text: 2. Inspect the user access reconciliation report to ensure that the + user access reviews are completed appropriately. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:3 + text: 3. In case of any discrepancy, ensure that corrective action has been + taken inspect the list of terminated users from the audit period. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:4 + text: 4. For a sample of terminated users, validate that access was terminated + in a timely and appropriate manner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-07 + name: Shared Logical Accounts + description: Organization restricts the use of shared and group authentication + credentials. Authentication credentials for shared and group accounts are + reset every 90 days. + annotation: '1. Design and document a process for Logical Access and requirements + for rotation of shared credentials. + + 2. Ensure that shared secrets were rotated as per the defined policy.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-10 - Shared secret rotation evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07:question:1 + text: 1. Inspect the Logical Access Account Standard to determine whether + Organization requires the restriction of shared and group authentication + credentials, and that authentication credentials are rotated + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07:question:2 + text: 2. For a sample of services validate that shared secrets were rotated + as per the defined policy and appropriate evidences are available. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-08 + name: 'Shared Logical Accounts: Group Member ' + description: Passwords for shared and group accounts are reset when a member + of the shared group leaves. + annotation: '1. Design and document a process for Password Policy and requirements + for changing password of shared and group accounts. + + 2. Ensure that the password is changed if a member of the shared group leaves.' 
+ typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-11 - Password Change evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08:question:1 + text: 1. Inspect Organization's password policy and check requirement for + changing the password for shared and group accounts are clearly defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08:question:2 + text: 2. Inspect shared credential storage tools to check the operational + effectiveness and ensure passwords are changed when a member of the shared + group leaves. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-09 + name: Shared Account Restrictions + description: Where applicable, the use of generic and shared accounts to administer + systems or perform critical functions is prohibited; generic user IDs are + disabled or removed. + annotation: '1. Ensure that there are no generic or shared accounts used. + + 2. Ensure that production access is controlled and does not use generic or + shared accounts.' + typical_evidence: 'E-IAM-12 - List of User IDs + + E-IAM-13 - Access to IAM groups' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09:question:1 + text: 1. Review and ensure that there are no generic or shared accounts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09:question:2 + text: 2. Validate for a sample of services that production access is controlled + and is configured to use unique user accounts and that a generic or shared + ID is not used.. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-10 + name: 'Role Change: People Resources Notification' + description: The People Resources system sends a notification to relevant management + and relevant information system administrators in the event of an employee + reassignment or transfer of an information system user. + annotation: '1. Design and document a process for Logical Access and requirements + for access modification in case of transfer or reassignment. + + 2. Ensure access management portal sends a notification to concerned personnel.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-04 - Access Modification Logs + + E-IAM-15 - Configuration showing trigger is configured' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-10:question:1 + text: 1. Inspect resource management portal to check if the relevant stakeholders + are informed upon an event of an employee reassignment or transfer of + an information system user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-11 + name: Temporary Account Termination + description: Temporary and emergency accounts are automatically terminated 90 + days from the date they are generated. + annotation: '1. Design and document a process for Access control and requirements + for automatic termination of temporary and emergency accounts. + + 2. Ensure that the access management portal is configured to terminate temporary + and emergency accounts within 90 days.' 
+ typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-14 - Configuration showing 90 days termination' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11:question:1 + text: '1. Inspect Organization''s access control policy to check policy + pertaining to temporary and emergency accounts are automatically terminated + 90 days from the date they are generated, is clearly defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11:question:2 + text: 2. Check the access management tool to ensure the effectiveness of + termination of temporary and emergency accounts within 90 days.. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-12 + name: Unique Identifiers + description: Organization requires unique identifiers for user accounts and + prevents identifier reuse. + annotation: 1. Ensure unique identifiers are used for user accounts. + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-17 - Existing User listing' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:1 + text: 1. Inspect Organization's Authentication Standard to determine whether + unique identifier requirements are documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:2 + text: 2. Perform a walkthrough of user account creation of an existing user + to determine whether identifier reuse is prevented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:3 + text: 3. Obtain a complete list of existing users with identifiers to determine + whether same identifier is not used for any two users. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-13 + name: Password Authentication + description: User and device authentication to privileged information systems + is protected by passwords that meet Organization's password complexity requirements. + annotation: 1. Ensure that user and device authentication to privileged information + systems is protected by passwords that meet Organization's password complexity + requirements. + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-18 - Password policy from console' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13:question:1 + text: "1. Inspect Organization\u2019s Authentication Standard to determine\ + \ whether the policies contain requirements for the creation, allocation,\ + \ change, distribution, and safeguarding of passwords." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13:question:2 + text: 2. Inspect the accessmanagement tool setting to determine password + complexity, consecutive re-use, and change frequency requirements of passwords + is in accordance with organization password complexity requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-14 + name: Multifactor Authentication + description: "Multi-factor authentication is required for:\n\u2022 remote VPN\ + \ sessions\n\u2022 access to trusted data environments" + annotation: 1. 
Ensure remote connection to the corporate network is invoked + via VPN and VPN in turn invokes Multi-factor authentication + typical_evidence: 'E-IAM-19 - Remote Access Standard + + E-IAM-20 - VPN Connection walkthrough + + E-IAM-21 - System config for Multi Factor Authentication' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:1 + text: "1. Inspect Organization\u2019s Remote Access Standard to determine\ + \ whether requirements for remotely connecting to the corporate network\ + \ are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:2 + text: 2. Observe a user remotely connect to the Organization Corporate Network + via VPN. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:3 + text: 3. Inspect system configuration of VPN software to determine whether + Multi-factor authentication is required. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:4 + text: 4. Perform a walkthrough of system connecting to Organization network + remotely via vpn software to determine whether Multi- factor authentication + is required for remote VPN session. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-15 + name: Authentication Credential Maintenance + description: Authorized personnel verify the identity of users before modifying + authentication credentials on their behalf. + annotation: '1. Document and validate the process of modifying credentials. + + 2. Ensure that verification is done before modification' + typical_evidence: E-IAM-22 - Access Reset process + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15:question:1 + text: 1. Validate the process with the IT Helpdesk at least on an annual + basis. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15:question:2 + text: 2. Inspect whether necessary and updated documentation is available + on the process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-16 + name: Session Timeout + description: Information systems are configured to terminate inactive sessions + after 15 minutes or when the user terminates the session. + annotation: 1. Ensure that information systems are configured to terminate inactive + sessions after 15 minutes or when the user terminates the session. + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-23 - Session timeout config for server' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access reviews were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:2 + text: 2. Inspect the server samples from the service team. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:3 + text: 3. Select the sample from the listing and inspect session timeout + configuration + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-17 + name: Session Limit + description: Information systems are configured to limit concurrent login sessions + and the inactive user interface is not displayed when the session is terminated. + annotation: "1. Ensure that the systems are configured to limit concurrent login\ + \ sessions. \n2. Ensure that inactive user interface is not displayed when\ + \ the session is terminated." 
+ typical_evidence: 'E-IAM-24 - Access Management Policy + + E-IAM-25 - Active Directory Screenshot' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17:question:1 + text: '1. Inspect Organization''s access control policy to check clauses + pertaining to limited concurrent login sessions and the inactive user + interface is not displayed when the session is terminated are clearly + defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17:question:2 + text: 2. Check logical access systems to ensure the effectiveness for the + same. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-18 + name: 'Account Lockout: Cardholder Data Environments' + description: Users are locked out of information systems after 6 invalid attempts + for a minimum of 30 minutes, or until an administrator enables the user ID. + annotation: 1. Ensure that user lock out parameters are defined and implemented + to lockout after 6 invalid attempts for minimum 30 minutes. + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-26 - Account lockout parameters' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18:question:1 + text: "1. Inspect Organization\u2019s Authentication Standard to determine\ + \ whether the policies contain requirements for the account lockout post\ + \ failed login attempts." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18:question:2 + text: 2. 
Inspect the logical access systems setting to determine that account + lockout policy is configured with Organization password requirements to + lock a user's account after 6 failed attempts for a minimum of 30 minutes + or until it is reset by a System Administrator + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-19 + name: Account Lockout + description: Users are locked out of information systems after multiple, consecutive + invalid attempts within a defined period; accounts remain locked for a defined + period. + annotation: 1. Ensure that user lock out parameters are defined and implemented + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-26 - Account lockout parameters' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19:question:1 + text: '1. Inspect Organization''s access control policy to check clauses + pertaining to accessing system by multiple failed attempts are clearly + defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19:question:2 + text: 2. Check check logical access systems to ensure the effectiveness + for the same. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-20 + name: Login Banner + description: "Systems leveraged by the U.S. Federal Government present a login\ + \ screen that displays the following language:\n\u2022 users are accessing\ + \ a U.S. Government information system\n\u2022 system usage may be monitored,\ + \ recorded, and subject to audit\n\u2022 unauthorized use of the system is\ + \ prohibited and subject to criminal and civil penalties\n\u2022 use of the\ + \ system indicates consent to monitoring and recording" + annotation: "1. Ensure that the Systems leveraged by the U.S. 
Federal Government\ + \ present a login screen that displays the following language:\n\u2022 users\ + \ are accessing a U.S. Government information system\n\u2022 system usage\ + \ may be monitored, recorded, and subject to audit\n\u2022 unauthorized use\ + \ of the system is prohibited and subject to criminal and civil penalties\n\ + \u2022 use of the system indicates consent to monitoring and recording" + typical_evidence: E-IAM-27 - Sample configuration screenshot from Federal Systems + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:1 + text: '1. Inspect and validate for a sample system that Systems leveraged + by the U.S. Federal Government present a login screen that displays the + following language:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:2 + text: "\u2022 users are accessing a U.S. Government information system" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:3 + text: "\u2022 system usage may be monitored, recorded, and subject to audit" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:4 + text: "\u2022 unauthorized use of the system is prohibited and subject to\ + \ criminal and civil penalties" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:5 + text: "\u2022 use of the system indicates consent to monitoring and recording" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-21 + name: Credentials Validation + description: "Organization systems utilize Federal Identity, Credential, and\ + \ Access Management (FICAM) components and conform to FICAM-issued profiles;\ + \ systems verify and accept the following external credentials:\n\u2022 personal\ + \ Identity Verification (PIV) credentials from federal agencies, and\n\u2022\ + \ FICAM-approved credentials from non-federal 
third-parties\n" + annotation: '1. Ensure that the organization uses Federal Identity, Credential, + and Access Management (FICAM) components and conform to FICAM-issued profiles + for Federal Systems. + + 2. Ensure that the organization accepts personal Identity Verification (PIV) + credentials from federal agencies and FICAM-approved credentials from non-federal + third-parties' + typical_evidence: E-IAM-27 - Sample configuration screenshot from Federal Systems + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21:question:1 + text: 1. Inspect and validate whether the organization uses Federal Identity, + Credential, and Access Management (FICAM) components and conform to FICAM-issued + profiles for Federal Systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21:question:2 + text: 2. Validate that the organization accepts personal Identity Verification + (PIV) credentials from federal agencies and FICAM-approved credentials + from non-federal third-parties + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-22 + name: 'Password Authentication Standard: Federal Systems' + description: "Organization information systems obscure feedback of authentication\ + \ information during the authentication process (e.g., the system does not\ + \ disclose error information such as \"'user1' is not a valid username\")\ + \ and have the following password requirements:\n\u2022 minimum of 12 characters\n\ + \u2022 contains at least one upper-case letter, lower-case letter, number,\ + \ and a special character\n\u2022 at least one of the characters is changed\ + \ when the new passwords are created.\n\u2022 the password life span is between\ + \ 1 to 60 days\n\u2022 password reuse is prohibited for 24 generations\n\u2022\ + \ only allow the use of temporary password system logons 
with an immediate\ + \ change to a permanent password" + annotation: "1. Ensure that failed authentication notes do not contain any error\ + \ information.\n2. Ensure that the password policy in the logical access system\ + \ is defined as below: \n-Minimum 12 character length\n-Password complexity\ + \ has one upper-case, lower-case, and a special character\n-Temporary Passwords\ + \ are immediately changed to a permanent password\n-Passwords cannot be the\ + \ same as the last 24 passwords\n-Passwords must be rotated at least every\ + \ 60 days" + typical_evidence: 'E-IAM-28 - Sample error information + + E-IAM-18 - Password policy from console' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:1 + text: 1. Inspect that failed authentication notes do not contain any error + information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:2 + text: '2. Inspect that the password policy in the logical access system + and ensure that it is defined as below: ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:3 + text: -Minimum 12 character length + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:4 + text: -Password complexity has one upper-case, lower-case, and a special + character + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:5 + text: -Temporary Passwords are immediately changed to a permanent password + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:6 + text: -Passwords cannot be the same as the last 24 passwords + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:7 + text: -Passwords must be rotated at least every 60 days + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-23 + name: Privileged Session Management + description: Privileged logical access to trusted data 
environments is enabled + through an authorized session manager; session user activity is recorded and + tunnelling to untrusted data environments is restricted. + annotation: '1. Ensure Privileged logical access to trusted data environments + is enabled through an authorized session manager. + + 2. Ensure session user activity is recorded and documented. + + 3. Tunnelling to untrusted data environments is restricted.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-29 - Authorized session manager evidence + + E-IAM-30 - List of privileged users + + E-IAM-31 - Access approval evidence + + E-IAM-32 - Tunneling restriction config evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:1 + text: '1. Observe user access management process for managing privileged + access to trusted data environments in accordance with organization policies + and verify the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:2 + text: "\u2022 Creation and allocation of privileged user accounts/IDs on\ + \ the information systems is controlled through a formal authorization\ + \ process." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:3 + text: "\u2022 Privilege access to trusted data environments are enabled\ + \ through an authorized session manager" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:4 + text: "\u2022 Privileged access rights are allocated to users on a time\ + \ bound need-to-use basis and on an event-by-event basis in line with\ + \ the access control policy, i.e. 
based on the minimum requirement for\ + \ their functional roles and shall be revoked post that defined time period;" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:5 + text: "\u2022 All session user activities are recorded and tunnelling to\ + \ untrusted data environments is restricted" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:6 + text: 2. Inspect list of users that have privileged logical access to trusted + data environments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:7 + text: 3. For a sample of user, inspect evidence of screenshot showing privilege + access to trusted data environments is granted by authorized session manager. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:8 + text: 4. Inspect configuration showing that session recording for user activity + is recorded. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:9 + text: 5. Inspect configuration showing that tunneling to untrusted data + environments is restricted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-24 + name: Zero Trust Enterprise Network + description: Organization users are authenticated against a Zero Trust model + prior to gaining access to organization resources. + annotation: '1. Ensure that a process is defined and documented for the organization''s + zero trust architecture. + + 2. Ensure that a zero trust access authorization infrastructure is effectively + operating for accessing organization''s resources.' + typical_evidence: 'E-IAM-24 - Access Management Policy + + E-IAM-33 - Zero Trust Implementation Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24:question:1 + text: 1. 
Inspect and validate that a process is defined and documented for + the organization's zero trust architecture. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24:question:2 + text: 2. Validate whether all access to organization's resources are via + a zero trust method. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-25 + name: Logical Access Role Permission Authorization + description: Initial permission definitions, and changes to permissions, associated + with logical access roles are approved by authorized personnel. + annotation: '1. Ensure that access to systems is granted after appropriate approvals. + + 2. Ensure that production access is controlled via authentication methods.' + typical_evidence: 'E-IAM-12 - List of User IDs + + E-IAM-34 - Access grant evidences + + E-IAM-35 - Production access authentication' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25:question:1 + text: 1. Observe and validate for a sample user, that the access to the + systems was approved by the appropriate party based on the business need. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25:question:2 + text: 2. Validate for a sample of services, that production access is controlled + via appropriate authentication methods and is configured to use appropriate + logical access lists. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-26 + name: Source Code Security + description: Access to modify source code is restricted to authorized personnel. + annotation: 1. Ensure that access to modify source code is restricted to authorized + personnel. 
+ typical_evidence: 'E-IAM-36 - Source Code access restrictions + + E-IAM-37 - Changes made to source code and logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:1 + text: 1. Observe and validate the change management process for code development + process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:2 + text: 2. Observe configurations in code source management tools showing + that only authorized users are able to make changes to source code. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:3 + text: 3. Observe a sample of code change tickets, to show that only authorized + personnel were able to make the appropriate change necessary. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-27 + name: Service Account Restrictions + description: Individual user or administrator use of service accounts for O/S, + applications, and databases is prohibited. + annotation: 1. Ensure that Individual user or administrator use of service accounts + for O/S, applications, and databases is prohibited. + typical_evidence: 'E-IAM-38 - Service accounts listing + + E-IAM-39 - Shared credential management tool screenshots' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27:question:1 + text: 1. Review all interactive service accounts used within the environment + and confirm that they are disabled or removed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27:question:2 + text: 2. If interactive service accounts are in use these accounts should + be stored in a shared credential management tool., and access to these + accounts need to be tied back to an individual user. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-28 + name: PCI Account Restrictions + description: Organization clients with access to the cardholder data environment + (CDE), as users or processes, are assigned unique accounts that cannot modify + shared binaries or access data, server resources, or scripts owned by another + CDE or Organization; application processes are restricted from operating in + privileged-mode. + annotation: '1. Ensure that in cases of multi-tenant environments one organization + or user cannot effect the security or integrity of another organizations resources. + + 2. Ensure that users are restricted from using privileged-mode.' + typical_evidence: "E-IAM-24 - Access Management Policy\nE-IAM-40 - Network Diagram\ + \ \nE-IAM- 42 - " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28:question:1 + text: 1. Review the network architecture diagram and confirm that in cases + of multi-tenant environments that one organization or user cannot effect + the security or integrity of another organizations resources. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28:question:2 + text: 2. Observe the application processes showing that they are restricted + from using privileged-mode. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-29 + name: Least Privilege + description: Role-based access is defined and deployed to restrict privileged + access to information resources based on the concept of least privilege. + annotation: '1. Design and document the process for assigning least privilege + access. + + 2. Ensure access is granted as per required approvals.' 
+ typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-41 - Access approvals' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:1 + text: 1. Inspect logical access policy and validate that each role is assigned + the correct level of access. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:2 + text: 2. Inspect the logical access systems and review how the access levels + are granted for types of roles (Developers, SWE, SRE). + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:3 + text: 3. For a sample of employees, inspect the level of access available + and correlate to the job role and confirm that they are congruent. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-30 + name: Virtual Private Network + description: Remote connections to the corporate network are accessed via VPN + through managed gateways. + annotation: "1. Design and document process for requirements of remote connection\ + \ to corporate network. \n2. Ensure all remote connections are via VPN." + typical_evidence: 'E-IAM-19 - Remote Access Standard + + E-IAM-43 - VPN Configuration and process' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30:question:1 + text: 1. Inspect Remote Access Standard to determine whether requirements + for remotely connecting to the corporate network were defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30:question:2 + text: 2. Inspect a user remotely connect to the Corporate Network via VPN. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-31 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-31 + name: 'Virtual Private Network: Restrict Split-Tunneling' + description: VPN configurations restrict split-tunneling capabilities. + annotation: 1. Ensure split tunneling is not enabled. + typical_evidence: E-IAM-43 - VPN Configuration and process + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-31:question:1 + text: '1. Inspect the VPN configurations and ensure that split tunneling + is not enabled. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-32 + name: Ability to Disable Remote Sessions + description: Organization has a defined process and mechanisms in place to expeditiously + disable or disconnect remote access to information systems within a defined + time frame based on business need. + annotation: '1. Ensure that the server configuration for idle-session timeout + is set to 15 minutes. + + 2. Ensure that access credentials expiry configuration is present. + + 3. Ensure remote connection tools such as (VPN or Management consoles) have + session expirations enabled.' + typical_evidence: 'E-IAM-44 - Server configuration for idle session timeout + + E-IAM-45 - Credential expiry configuration + + E-IAM-46 - Session expiration enabled configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:1 + text: 1. Inspect the server configuration showing that idle-session timeout + is set to 15 minutes. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:2 + text: 2. Validate that access credentials expiry configuration is present. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:3 + text: 3. Inspect that remote connection tools such as (VPN or Management + consoles) have session expirations enabled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-33 + name: 'Remote Maintenance: Authentication Sessions' + description: Vendor accounts used for remote access are enabled only during + the time period needed, disabled when not in use, and monitored while in use. + annotation: '1. Ensure that vendor accounts that are used for remote access, + have the following configurations: + + -Enabled only for the time period needed + + -Disabled when not in use + + -Monitored when in use' + typical_evidence: E-IAM-47 - Remote access configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:1 + text: '1. Validate that vendor accounts that are used for remote access, + have the following configurations:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:2 + text: -Enabled only for the time period needed + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:3 + text: -Disabled when not in use + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:4 + text: -Monitored when in use + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-34 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-34 + name: 'Remote Maintenance: Unique Authentication Credentials for each Customer' + description: Where applicable, Service providers with remote access to customer + premises (e.g., for support of POS systems or servers) must use a unique authentication + credential (such as a password/phrase) for each customer. + annotation: 1. 
Ensure that remote access to customer premises are using unique + individual credentials, and that there is no shared administrative access. + typical_evidence: E-IAM-48 - Remote Access credentials listing + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-34:question:1 + text: 1. Inspect that remote access to customer premises are using unique + individual credentials, and that there is no shared administrative access. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-35 + name: 'Remote Maintenance: Authentication' + description: 'Remote maintenance and diagnostic tool utilization are restricted + to the minimum required level, strong authentication is required, and remote + sessions are recorded. ' + annotation: '1. Ensure remote maintenance and diagnostic tools have the following + configurations: + + -Restricted to the minimum required level + + -Strong authentication + + -Remote sessions are recorded' + typical_evidence: E-IAM-47 - Remote access configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:1 + text: '1. 
Inspect remote maintenance and diagnostic tools and ensure that + they have the following configurations:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:2 + text: -Restricted to the minimum required level + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:3 + text: -Strong authentication + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:4 + text: -Remote sessions are recorded + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-36 + name: 'Remote Maintenance: Audit' + description: Organization documents and maintains records for vendor remote + maintenance, diagnostic activities, and permissions granted. A listing of + vendor remote maintenance connections is documented as well. + annotation: '1.Ensure vendor remote access is documented and that they include: + + -Maintenance activities + + -Diagnostic activities + + -Permissions granted + + 2. Ensure that there is no unauthorized access be vendor or third parties.' + typical_evidence: E-IAM-49 - Remote Vendor access listing and permissions granted + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:1 + text: 1. Inspect documents and records for vendor remote access. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:2 + text: '2. Review the records and ensure that they include:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:3 + text: -Maintenance activities + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:4 + text: -Diagnostic activities + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:5 + text: -Permissions granted + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:6 + text: 3. Review the list of vendor remote connections and ensure that there + is no unauthorized access. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-37 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-37 + name: End-user Environment Segmentation + description: Where applicable, processes that run as part of an Organization + shared hosting platform will run under unique credentials that permit access + to only one customer environment. + annotation: 1. Where applicable, ensure that the platform will run under unique + credentials that permit access to only one customer environment. + typical_evidence: E-IAM-50 - Credential Listing + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-37:question:1 + text: 1. Inspect application processes and validate that, where applicable, + the platform will run under unique credentials that are permitted to access + only one customer environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-38 + name: End-user Access to Applications and Data + description: "Organization applications secure user data and maintain confidentiality\ + \ by default or according to permissions set by the individual; Organization\ + \ authenticates individuals with unique identifiers and passwords prior to\ + \ enabling access to: \n\u2022 use the application \n\u2022 view or modify\ + \ their own data" + annotation: "1. Ensure that individuals are given unique identifiers and passwords\ + \ prior to enabling access. \n2. Ensure that passwords used by the consumer\ + \ are protected using proper encryption in transmission and storage." 
+ typical_evidence: 'E-IAM-51 - Identifiers listing + + E-IAM-52 - password setting mechanism + + E-IAM-53 - password encryption evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38:question:1 + text: '1. Inspect the authentication method for consumers, and confirm that + individuals are given unique identifiers and passwords prior to enabling + access. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38:question:2 + text: 2. Ensure that passwords used by the consumer are protected using + proper encryption in transmission and storage. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-39 + name: Hardware Tokens + description: Where applicable, hardware token-based authentication is facilitated + only by approved organizations. + annotation: "1. Design the process for hardware token-based authentication.\ + \ \n2. Ensure that the hardware tokens are assigned to the corresponding users." + typical_evidence: 'E-IAM-54 - Hardware Token Based Authentication Process document + + E-IAM-55 - Hardware token granting evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39:question:1 + text: 1. Inspect the process by which hardware token-based authentication + is distributed, used, and collected. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39:question:2 + text: 2. For a sample of users, inspect the inventory of the hardware tokens + and ensure that they are assigned to the corresponding users. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + assessable: false + depth: 1 + name: Incident Response + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-01 + name: Incident Response Plan + description: "Organization defines the types of incidents that need to be managed,\ + \ tracked and reported, including:\n\u2022 procedures for the identification\ + \ and management of incidents \n\u2022 procedures for the resolution of confirmed\ + \ incidents\n\u2022 key incident response systems\n\u2022 incident coordination\ + \ and communication strategy\n\u2022 contact method for internal parties to\ + \ report incidents\n\u2022 support team contact information\n\u2022 notification\ + \ to relevant management in the event of a security breach\n\u2022 provisions\ + \ for updating and communicating the plan\n\u2022 provisions for training\ + \ of support team\n\u2022 preservation of incident information\n\u2022 management\ + \ review and approval, annually, or when major changes to the organization\ + \ occur" + annotation: '1. Prepare, document, and communicate the Incident Response Plan + and Incident Management Policy and ensure that the following are documented: + + a. Procedures for the assignment of Roles and Responsibilities for the design + implementation, maintenance and execution of the incident response plan + + b. Procedures for the identification and management of incidents + + c. Procedures for the resolution of confirmed incidents + + d. Procedures for the restoration of data and business operation + + e. Incident coordination and communication strategy + + f. Notification to relevant management in the event of a security breach + + g. Provisions for updating and communicating the plan + + h. Provisions for evaluating the effectiveness of incident response + + i. 
Post incident resolution including post mortem analysis and lessons learned + + 2. Ensure that a process exists to periodically review the changes which displays + revision history of the Incident Response Plan.' + typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-02 - Incident Management Policy + + E-IR-03 - Review history' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:1 + text: '1. Inspect the Incident Response Plan and Incident Management Policy + to determine whether the following are documented:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:2 + text: a. Procedures for the assignment of Roles and Responsibilities for + the design implementation, maintenance and execution of the incident response + plan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:3 + text: b. Procedures for the identification and management of incidents + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:4 + text: c. Procedures for the resolution of confirmed incidents + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:5 + text: d. Procedures for the restoration of data and business operation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:6 + text: e. Incident coordination and communication strategy + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:7 + text: f. Notification to relevant management in the event of a security + breach + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:8 + text: g. Provisions for updating and communicating the plan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:9 + text: h. Provisions for evaluating the effectiveness of incident response + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:10 + text: i. 
Post incident resolution including post mortem analysis and lessons + learned + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:11 + text: 2. Review the changes which displays revision history of the Incident + Response Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-02 + name: Incident Response Testing + description: Organization tests incident response processes on an annual basis. + Results from the tests are documented. + annotation: '1. Ensure that a process exists to test the incident response process + on an annual basis. + + 2. Ensure that Incident Response Standard is updated at least annually. + + 3. Establish a process for conducting the trainings such as table top exercise + and ensure that all necessary personnel attended the training.' + typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-04 - Incident Training Records + + E-IR-05 - Incident Training Material ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:1 + text: 1. Validate with the Incident response team of the completion of the + training and its documentation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:2 + text: 2. Validate that Incident Response Standard is updated at least annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:3 + text: 3. Review elements of the training such as table top exercise and + confirm that all necessary personnel attended the training. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-03 + name: Incident Response + description: Confirmed incidents are assigned a priority level and managed to + resolution. 
If applicable, Organization coordinates the incident response + with business contingency activities. + annotation: '1. Prepare, document, and communicate the Security Incident Management + Policy within the organization. + + 2. Ensure that priority level are assigned to a sample of incidents and that + they are tracked to resolution. + + 3. For any crisis declared incidents, validate that business contingency activities + are performed.' + typical_evidence: 'E-IR-02 - Incident Management Policy + + E-IR-06 - Sample of incidents' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:1 + text: 1. Inspect the Organization Security Incident Management Policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:2 + text: 2. Validate that priority level are assigned to a sample of incidents + and ensure that they are tracked to resolution. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:3 + text: 3. Validate that for any crisis declared incidents, that business + contingency activities were performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-04 + name: External Communication of Incidents + description: "Organization defines external communication requirements for incidents,\ + \ including:\n\u2022 information about external party dependencies\n\u2022\ + \ criteria for notification to external parties as required by Organization\ + \ policy in the event of a security breach\n\u2022 contact information for\ + \ authorities (e.g., law enforcement, regulatory bodies, etc.)\n\u2022 provisions\ + \ for updating and communicating external communication requirement changes" + annotation: "1. 
Ensure that following details are documented in Incident Response\ + \ Plan and Standard:\n \u2022 information about external party dependencies\n\ + \ \u2022 criteria for notification to external parties as required by policy\ + \ in the event of a security breach\n \u2022 contact information for authorities\ + \ (e.g., law enforcement, regulatory bodies, etc.)\n \u2022 provisions for\ + \ updating and communicating external communication requirement changes\n\ + 2. Establish a process that flags the alerts as the defined escalation metrics." + typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-02 - Incident Management Policy' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:1 + text: '1. Inspect the Incident Response Plan and Standard to determine whether + the following are documented:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:2 + text: " \u2022 information about external party dependencies" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:3 + text: " \u2022 criteria for notification to external parties as required\ + \ by policy in the event of a security breach" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:4 + text: " \u2022 contact information for authorities (e.g., law enforcement,\ + \ regulatory bodies, etc.)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:5 + text: " \u2022 provisions for updating and communicating external communication\ + \ requirement changes" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:6 + text: 2. 
Review the procedure for alert escalation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-05 + name: Incident Reporting Contact Information + description: "Organization provides a contact method to:\n\u2022 submit complaints\ + \ and inquiries\n\u2022 report incidents" + annotation: 1. Define a communication channel on the company public website + which shall include a contact method for external parties to submit complaints, + inquiries, and report incidents. + typical_evidence: E-IR-08 - Link to public website + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-05:question:1 + text: 1. Review public website to determine whether the company provides + a contact method for external parties to submit complaints, inquiries, + and report incidents. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-06 + name: Incident External Communication + description: Organization communicates a response to external stakeholders as + required by the Incident Response Plan. + annotation: '1. Ensure that the Incident Response Plan and the Incident Legal + Communications Requirements Standard include a process for communicating a + response to external stakeholders is required. + + 2. Design a process to maintain the list of confirmed incidents which involved + external stakeholders. + + 3. Establish a process which sends out communications to external stakeholders + per the Incident Response Plan.' 
+ typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-09 - Incident Legal Communications Requirements Standard + + E-IR-06 - Sample of incidents' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:1 + text: 1. Inspect the Incident Response Plan and the Incident Legal Communications + Requirements Standard to determine whether communicating a response to + external stakeholders is required. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:2 + text: 2. Obtain a list of confirmed incidents which involved external stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:3 + text: 3. Inspect a sample of confirmed incidents tickets to determine whether + communications required a response to external stakeholders per the Incident + Response Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-07 + name: 'External Communication of Incidents: Protected Health Information' + description: "Organization communicates the discovery and status of the breach\ + \ of Protected Health Information (PHI) to the covered entity within 60 days\ + \ or as required by the Business Associates Agreement (BAA) and provides the\ + \ following information if available:\n\u2022 description of the Event\n\u2022\ + \ description of the Information that was compromised\n\u2022 identification\ + \ of the Individuals whose PHI were compromised\n\u2022 steps Required to\ + \ Protect Individuals\n\u2022 investigation Plan\n\u2022 contact Information" + annotation: "1. Design the process to validate whether an incident includes\ + \ Personal Health information.\n2. 
Ensure that all incidents where there has\ + \ been a breach have been communicated to the covered entity within 60 days,\ + \ or following the covered entity's Business Associates Agreement.\n3. Ensure\ + \ that within the communication all the listed information was provided to\ + \ the covered entity:\n\u2022 description of the Event\n\u2022 description\ + \ of the Information that was Compromised\n\u2022 identification of the Individuals\ + \ whose PHI were Compromised\n\u2022 steps Required to Protect Individuals\n\ + \u2022 investigation Plan\n\u2022 contact Information" + typical_evidence: 'E-IR-10 - Business Associates Agreement + + E-IR-11 - Sample external communication of the incident' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:1 + text: 1. Validate all incidents have included Personal Health information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:2 + text: 2. Inspect whether all the incidents where there has been a breach + have been communicated to the covered entity within 60 days, or following + the covered entity's Business Associates Agreement. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:3 + text: '3. 
Validate whether the communication was sent to the covered entity + and included all the listed information:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:4 + text: "\u2022 description of the Event" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:5 + text: "\u2022 description of the Information that was Compromised" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:6 + text: "\u2022 identification of the Individuals whose PHI were Compromised" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:7 + text: "\u2022 steps Required to Protect Individuals" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:8 + text: "\u2022 investigation Plan" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:9 + text: "\u2022 contact Information" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-08 + name: Problem Management + description: Organization resolves customer support inquiries. + annotation: 1. Establish a process to support customer inquires and ensure that + they have been resolved and documented. + typical_evidence: E-IR-12 - Sample of customer support inquiry + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-08:question:1 + text: 1. Review a sample of customer support inquires and ensure that they + have been resolved. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + assessable: false + depth: 1 + name: Mobile Device Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-01 + name: Mobile Device Enrollment + description: Mobile devices (i.e., laptops, smartphones, tablets) must be configured + with the appropriate Mobile Device Management (MDM) profile when used as a + medium to access Organization internal resources. + annotation: '1. Ensure that a Mobile device management process is defined and + documented. + + 2. Ensure that all mobile devices are registered and configured within the + appropriate Mobile Device Management (MDM) to access the internal resources.' + typical_evidence: 'E-MDM-01 - Mobile device management policy + + E-MDM-02 - List of all mobile devices registered with MDM tool + + E-MDM-03. - ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:1 + text: 1. Inspect the Mobile device Policy to ensure that a Mobile Device + management process is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:2 + text: 2. Inspect the list of mobile devices to verify that the devices are + registered within the Mobile Device Management (MDM) tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:3 + text: 3. For a sample of devices, validate that the devices are configured + with the MDM tool and that it cannot be disabled from the end user device. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-02 + name: Mobile Device Encryption + description: Mobile devices (i.e., laptops, smartphones, tablets) that are used + to access data from Organization internal resources are encrypted. + annotation: 1. 
Ensure that mobile devices are encrypted and is configured with + the Mobile Device Management (MDM) tool. + typical_evidence: 'E-MDM-02 - List of all mobile devices registered with MDM + tool + + E-MDM-04 - Sample mobile device screenshots showcasing the devices are encrypted + in the MDM tool' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02:question:1 + text: 1. Review the Mobile Device Management (MDM) tool and ensure that + a device encryption tool is enabled for all registered devices. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02:question:2 + text: 2. Review a sample of mobile devices and verify that device encryption + tools are enabled on devices and cannot be disabled by the end user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-03 + name: 'Configuration Management: Mobile Devices' + description: Organization Mobile devices (i.e., laptops, smartphones, tablets) + are configured to ensure unnecessary hardware capabilities and functionalities + are disabled, and management defined security features are enabled. + annotation: '1. Ensure that mobile devices are configured to ensure unnecessary + hardware capabilities and functionalities are disabled. + + 2. Ensure security features defined by the management shall be enabled within + the MDM tool.' + typical_evidence: 'E-MDM-02 - List of all mobile devices registered with MDM + tool + + E-MDM-05 - Sample mobile device configuration screenshots showcasing the security + features are enabled' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:1 + text: 1. 
Review the Mobile Device Management (MDM) tool and confirm that + there is a policy implemented that restricts the use of unnecessary hardware + capabilities and functionalities are disabled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:2 + text: 2. For a sample of mobile devices, verify security features are enabled + in the MDM tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:3 + text: 3 Review a sample of user devices and verify that the end user cannot + use hardware capabilities and functionalities that have been disabled + by the MDM tool per its policy and that these functionalities are not + able to be re-activated by the end user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-04 + name: 'Configuration Management: High Risk Travel Locations' + description: Organization has a documented list of travel locations considered + high risk for the use of mobile devices (i.e., laptops, smartphones, tablets). + Employees procure alternate equipment before traveling to these locations. + annotation: "1. Ensure that a process is defined and documented for handling\ + \ travel to high-risk locations.\n2. Ensure that a documented list of travel\ + \ locations considered to be high risk for the use of mobile devices is maintained.\ + \ \n3. Ensure alternate equipment is provided to employees before traveling\ + \ to these locations." + typical_evidence: 'E-MDM-06 - List of high risk travel locations + + E-MDM-03 - Sample mobile device configuration screenshots from the MDM tool' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:1 + text: 1. Inspect and validate that a process is defined and documented for + handling travel to high-risk locations. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:2 + text: '2. Validate the list of travel locations considered to be high risk + for the use of mobile devices ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:3 + text: 3. Validate the process for providing alternate equipment to employees + before traveling to these locations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + assessable: false + depth: 1 + name: Network Operations + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-01 + name: Network Policy Enforcement Points + description: Network traffic to and from untrusted networks passes through a + policy enforcement point; firewall rules are established in accordance with + identified security requirements and business justifications. + annotation: '1. Ensure that necessary process and documentation are established + for network traffic management. + + 2. Ensure necessary requirements are defined for managing network traffic + to and from untrusted networks in the policy. + + 3. Ensure firewall rules are established to determine specific configuration + requirements have been documented for network devices within the policy.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-02 - Firewall Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01:question:1 + text: 1. Inspect Network Security Policy and/or Standard to determine whether + requirements have been defined for managing network traffic to and from + untrusted networks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01:question:2 + text: 2. Review firewall rules to ensure they are defined according to the + requirements of the organization. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-02 + name: 'Inbound and Outbound Network Traffic: DMZ Requirements' + description: Network traffic to and from untrusted networks passes through a + Demilitarized Zone (DMZ). + annotation: '1. Ensure necessary requirements are defined which outlines the + use of a DMZ and firewalls must be used wherever necessary to enforce perimeter + security between separate networks in the policy. + + 2. Ensure DMZ is enabled and configured within the network traffic.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-03 - DMZ Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02:question:1 + text: 1. Inspect Network Security Policy and/or Standard documents to determine + whether requirements have been defined that outlines the use of a DMZ + and firewalls must be used wherever necessary to enforce perimeter security + between separate networks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02:question:2 + text: 2. Observe a sample of network security rules or firewall rulesets + and confirm that the DMZ or DMZ equivalents are operating in the rulesets. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-03 + name: Ingress and Egress Points + description: "Organization maintains an inventory of ingress and egress points\ + \ on the production network and performs the following for each: \n\u2022\ + \ inventory is reduced to the minimum possible level\n\u2022 permitted ports,\ + \ protocols and services are inventoried and validated\n\u2022 documents security\ + \ features that are implemented for insecure protocols" + annotation: "1. 
Ensure a process is maintained for inventory of ingress and\ + \ egress points on the production network\n2. Ensure network security rules\ + \ are defined and established with the following: \n\u2022 permitted ports,\ + \ protocols and services are inventoried and validated\n\u2022 documented\ + \ security features that are implemented for insecure protocols" + typical_evidence: 'E-NO-04 - Network security rules inventory + + E-NO-05 - Security Rules Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:1 + text: 1. Observe the inventory of ingress and egress points on the production + network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:2 + text: 2. Observe network security rules and validate to ensure no insecure + ports, protocols, and services are present. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:3 + text: 3. If applicable, for any insecure ports, protocols, and services, + ensure that additional security features are in place. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-04 + name: Non-disclosure of Routing Information + description: Organization does not disclose private IP addresses and routing + information to unauthorized parties. + annotation: 1. Ensure necessary requirements are defined that prohibits the + disclosure of private IP addresses and routing information to unauthorized + parties in the policy. + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-07 - NAT Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04:question:1 + text: 1. 
Inspect Network Security Policy and/or Standard documents to determine + whether requirements have been defined that prohibits the disclosure of + private IP addresses and routing information to unauthorized parties. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04:question:2 + text: 2. Review the configuration to determine the non-disclosure of private + IP Addresses and Network Address Translation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-05 + name: Dynamic Packet Filtering + description: Where applicable, Organization enables dynamic packet filtering + on the network. + annotation: '1. Ensure that Network Security Policy/Standard specifies when + to use dynamic packet filtering on the network. + + 2.Ensure dynamic packet filtering is turned on applicable systems.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-06 - Dynamic packet filtering configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05:question:1 + text: 1. Inspect Network Security Policy and/or Standard documents to determine + whether requirements have been defined that outlines that dynamic packet + filtering on the network should be enabled when applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05:question:2 + text: 2. For a sample of applicable systems review the configurations for + the devices and ensure that dynamic packet filtering has been enabled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-06 + name: Firewall Rule Set Review + description: Network infrastructure rule sets are reviewed every 6 months. + annotation: "1. 
Ensure that a process is defined and documented for performing\ + \ Network Infrastructure rules every six months. \n2. Ensure network infrastructure\ + \ rules are reviewed and appropriate documentation is maintained for this\ + \ review." + typical_evidence: E-NO-08 - Network Infrastructure Rules Review Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-06:question:1 + text: 1 Observe the Network infrastructure rules review documentation and + verify that it was last reviewed within the last 6 months. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-07 + name: 'Ingress and Egress Points: Fail Secure' + description: 'The information system fails securely in the event of an operational + failure of a boundary protection device. + + ' + annotation: '1. Ensure that appropriate fail safe procedures are defined for + network boundary protection devices. + + 2. Ensure all network systems are configured to fail securely in the event + of an operational failure.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-09 - Sample of network configuration settings for applicable systems' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07:question:1 + text: 1. Inspect Network Security Policy/Standard to determine whether requirements + have been defined that outlines that in the event of an operation failure + that information systems fail securely. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07:question:2 + text: 2. For a sample of applicable systems review the configurations for + the devices and confirm that in the event of failure that the systems + will fail securely. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-08 + name: 'Traffic Flow: Managed Proxy' + description: Organization requires egress traffic initiated from within the + Organization network to pass through a managed proxy. + annotation: '1. Ensure that a process is defined and documented so that all + egress traffic from within the organization passes through a proxy. + + 2.Ensure that proxy servers have been deployed on application systems for + the filtering of traffic.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-10 - Sample of network architecture for applicable systems' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08:question:1 + text: 1. Inspect documentation to determine whether requirements have been + defined that outlines that all egress traffic initiated from within the + Organization's network passes through a managed proxy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08:question:2 + text: 2. For a sample of applicable systems review the architecture and + ensure that all egress traffic from within the network is passed through + the managed proxy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-09 + name: Domain Name Services Security Extensions (DNSSec) + description: Organization establishes a DNSSec implementation standard and uses + mechanisms to verify the DNS infrastructure for compliance. + annotation: '1. Ensure that a process is defined and documented for a DNSSec + implementation. + + 2. Ensure appropriate mechanism are in place to validate DNS infrastructure + for compliance.' 
+ typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-11 - Configuration of DNS Servers' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09:question:1 + text: 1. Inspect documentation to determine whether requirements have been + defined that outlines a DNSSec implementation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09:question:2 + text: 2. Review a sample of DNS infrastructure used and ensure that they + are following the DNSSec implementation requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-10 + name: Email Spam Protection + description: 'Organization has documented procedures and protection mechanisms + in place to protect its information and information systems from spam and + ensures that signature definitions are updated whenever new releases are available. + + ' + annotation: "1. Ensure that a process is defined and documented to ensure spam\ + \ protection on emails. \n2. Ensure that appropriate controls are deployed\ + \ to prevent spam from emails.\n3. Ensure that spam signature definitions\ + \ are updated when new releases are available." + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-12 - Email Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10:question:1 + text: 1. Inspect the documentation to ensure a process is defined for spam + protection. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10:question:2 + text: 2. For a sample of applicable systems such as mail servers ensure + that anti-spam filters are enabled and are updated to the most recent + version possible. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-11 + name: Denial of Service (DOS) + description: Organization implements a Denial of Service (DOS) protection plan, + identifies threatening DOS attacks, and configures boundary protection devices + according to the DOS plan. + annotation: '1. Ensure a process is defined and documented to prevent from Denial + of Service (DoS) attacks. + + 2. Ensure that boundary protection devices are configured as per the process + to enable Denial of Service Attack Protection.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-23 - Denial of Service Protection Plan Configuration on network devices' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11:question:1 + text: 1. Inspect documentation to determine whether requirements have been + defined that outlines that a Denial of Service (DoS) protection plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11:question:2 + text: 2. For a sample of applicable system ensure that configuration aligns + with the Denial of Service Protection Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-12 + name: Trusted Connections + description: "All trusted connections are documented and approved by authorized\ + \ personnel; management ensures the following documentation is in place prior\ + \ to approval: \n\u2022 agreement with vendor\n\u2022 security requirements\n\ + \u2022 nature of transmitted information" + annotation: '1. Ensure that a process is defined and documented for managing + trusted connections. + + 2. Ensure that all trusted connections are documented and approved by authorized + personnel. + + 3. 
Ensure that appropriate agreements with vendors exist before establishing + trusted connection.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-13 - Vendor Agreement' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:1 + text: 1. Inspect and validate whether a process is defined and documented + for managing trusted connections. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:2 + text: 2. Validate for a sample trusted connections that it was documented + and approved by authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:3 + text: 3. Validate whether appropriate agreement with vendors existed before + establishing trusted connection. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-13 + name: Network Segmentation + description: Production environments are logically segregated from non-production + environments. + annotation: '1. Ensure that a process is defined and documented to ensure that + production and non-production environments are logically segregated. + + 2. Ensure that for all systems production and non-production environments + are logically segregated and this is reflected via appropriate architecture + diagrams.' + typical_evidence: 'E-NO-14 - Network Architecture Diagram + + E-NO-16 - Configuration of Logical Segregation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13:question:1 + text: 1. Inspect and validate whether a process is defined and documented + to ensure that production and non-production environments are logically + segregated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13:question:2 + text: 2. 
Validate for a sample system whether production and non-production + environments are logically segregated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-14 + name: Card Processing Environment Segmentation + description: Where applicable, Organization segregates the Primary Account Number + (PAN) infrastructure including payment card collection devices; Organization + limits access to the segregated environment to authorized personnel. + annotation: '1. Ensure that a process is defined and documented for segregating + PCI Environment from non-PCI environment. + + 2. Ensure that network segmentation testing is performed on a semi-annual + basis. + + 3. Ensure that the Data flow and architecture diagram is updated periodically + and reviewed by required officials.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-15 - Network Segmentation Testing Records + + E-NO-17 - Data Flow Diagrams + + E-NO-14 - Network Architecture Diagram' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:1 + text: 1. Inspect and validate whether a process is defined and documented + for segregating PCI Environment from non-PCI environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:2 + text: 2. Validate whether network segmentation testing was performed on + a semi annual basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:3 + text: 3. Validate whether the Data flow and architecture diagram were updated + periodically and were approved. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-15 + name: Traffic Flow + description: Organization documents the approved traffic flow at each managed + interface and configures the managed interface accordingly. Exceptions to + traffic flow are documented, reviewed periodically, and removed when there + is no longer a business requirement. + annotation: '1. Ensure a process is defined and documented for managing traffic + flow at each interface. + + 2. Ensure all managed interfaces are configured as per the approved traffic + flow. + + 3. Ensure all exceptions are documented, reviewed periodically, and removed + when there is no longer a business requirement. ' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-18 - Approved Traffic Flow and configuration + + E-SG-04 - Sample Policy Exceptions' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:1 + text: 1. Inspect and validate whether a process is defined and documented + for managing traffic flow at each interface. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:2 + text: 2. Validate for a sample of managed interface that it is configured + as per the approved traffic flow. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:3 + text: '3. Validate for a sample of exceptions whether they were documented, + reviewed periodically, and removed when there was no longer a business + requirement. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-16 + name: Disable Rogue Wireless Access Points + description: Organization employs mechanisms to detect and disable the use of + unauthorized wireless access points. + annotation: '1. 
Ensure a process is defined and documented to detect unauthorized + wireless access points. + + 2. Ensure network monitoring software is in place to identify unauthorized + wireless access points send alerts to the appropriate personnel. + + 3. Ensure that alerts are regularly reviewed, and if necessary, actions are + taken to fix any issues.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-19 - Network Monitoring Software Configuration + + E-NO-20 - Sample alerts sent showcasing unauthorized wireless access points' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:1 + text: 1. Inspect and validate that a process is defined and documented to + detect unauthorized wireless access points. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:2 + text: 2. Validate the configuration of network monitoring software to check + if it detects unauthorized wireless access points send alerts to the appropriate + personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:3 + text: 3. Validate sample alerts and inspect whether they were reviewed, + and if necessary, actions were taken to fix any issues. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-17 + name: Wireless Access Points + description: Organization maintains an inventory of authorized wireless access + points including a documented business justification. + annotation: 1. Ensure that a formal inventory of authorized wireless access + points is documented which includes information of the function of the wireless + point and its business justification. 
+ typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-21 - Wireless Access Point Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17:question:1 + text: 1. Inspect and validate that an inventory of authorized wireless points + is maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17:question:2 + text: 2. Validate that the inventory contains the business need and the + function of each wireless access point + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-18 + name: 'Authentication: Wireless Access Points' + description: Organization restricts access to network services via wireless + access points to authenticated users and services; approved wireless encryption + protocols are required for wireless connections. + annotation: '1. Ensure that a process is defined and documented to restrict + access to network services via wireless access points to authenticated users + and services + + 2. Ensure Approved wireless encryption protocols are required for wireless + connections.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-22 - Wireless Connections Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18:question:1 + text: 1. Inspect and validate that a process is defined and documented to + restrict access to network services via wireless access points to authenticated + users and services + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18:question:2 + text: 2. Validate whether approved wireless encryption protocols are required + for wireless connections. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + assessable: false + depth: 1 + name: People Resources + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-01 + name: Background Checks + description: New hires are required to pass a background check as a condition + of their employment. + annotation: '1. Ensure that a process is defined and documented to conduct background + checks for new hires. + + 2. Ensure that a background check is completed prior to the hire date for + all new hires.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-02 - Background Check Evidence for sample new hire employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01:question:1 + text: '1. Inspect documentation to validate whether requirements for background + checks have been defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01:question:2 + text: 2 For a sample of new hires, validate that background checks defined + in the policy were performed prior to their hire date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-02 + name: Performance Management + description: Organization has established a check-in performance management + process for on-going dialogue between managers and employees. Quarterly reminders + are sent to managers to perform their regular check-in conversation. + annotation: '1. Document and maintain a check-in performance management process + for on-going dialogue between managers and employees. + + 2. Ensure reminders are sent to managers on a quarterly basis for performing + regular check-in.' 
+ typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-03 - Sample Quarterly Check In Reminders' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02:question:1 + text: 1. Inspect relevant documentation to validate whether a process regarding + check-in performance management has been defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02:question:2 + text: 2. For a sample of quarters, inspect the mail communication to determine + whether quarterly reminders are sent to managers to perform their regular + check-in conversation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-03 + name: Hiring Process + description: Job candidates apply for roles that are listed on the Organization + career portal; candidates are interviewed to determine their knowledge and + competence for their prospective roles and compatibility with Organization + values. + annotation: '1. Ensure that a process is defined and documented that outlines + the requirements for hiring of employees. + + 2. Ensure all job roles are posted on career portal for application. + + 3. Ensure appropriate hiring process is followed to determine competence before + hiring.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-04 - Career Portal Snapshot + + E-PR-05 - Hiring Process for a sample employee' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:1 + text: 1. Inspect and validate that a process is defined and documented that + outlines the requirements for hiring of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:2 + text: 2. Validate sample job roles and check if they are posted on career + portal for application. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:3 + text: 3. For sample employees validate the hiring process followed and evaluate + whether it was according to the policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-04 + name: Organization Property Collection + description: 'Upon employee termination, management is notified to collect Organization + property from the terminated employee. + + ' + annotation: '1. Ensure a process is defined and documented to notify the management + in case of employee termination and collect organization property. + + 2. Ensure termination procedures are followed to collect organization property + from the employee.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-06 - Termination Process Evidence for sample employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04:question:1 + text: 1. Inspect the relevant documentation to determine whether a process + is defined and documented to notify the management in case of employee + termination and collect organization property. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04:question:2 + text: 2. For a sample of terminated employees, validate that termination + procedures were followed to collect organization property. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-05 + name: Exit Interviews + description: Upon employee termination, management conducts exit interviews + for the terminated employee. + annotation: '1. Ensure a process is defined and documented to notify the management + in case of employee termination and conduct exit interviews + + 2. 
Ensure exit interviews are conducted once a user is terminated in HR Management + System and relevant stakeholders are involved. + + 3. Ensure that a record of the interview is retained.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-07 - For sample employees, evidence of an exit interview' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:1 + text: 1. Inspect the relevant documentation to determine whether a process + is defined and documented to notify the management in case of employee + termination and conduct exit interviews + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:2 + text: 2. Inspect records of the exit interview for terminated employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:3 + text: '3. For a sample of terminated employees, validate that termination + procedures were followed including the performance of an exit interview. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-06 + name: Disciplinary Process + description: Employees that fail to comply with Organization policies are subject + to a disciplinary process. + annotation: '1. Ensure that a disciplinary process is defined and documented + and is appropriately communicated. + + 2. Ensure that the disciplinary process is followed for all employees violating + organizational policies. ' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-08 - Evidence of action taken for employees violating policies, if any' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06:question:1 + text: 1. Inspect relevant documentation to validate that a disciplinary + process is defined and appropriately communicated. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06:question:2 + text: '2. Validate that disciplinary process was followed for all employees + violating organizational policies. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-07 + name: Code of Ethics + description: Organization has a Code of Ethics for Senior Officers. The Senior + Officers and CEO certify that they understand the Code on an annual basis. + annotation: '1. Ensure that a Code of Ethics has been established for senior + officers and the CEO. + + 2. Ensure all senior officers and CEO have documented certification of Code + of Ethics on an annual basis.' + typical_evidence: 'E-PR-09 - Code of Ethics + + E-PR-10 - Evidence of annual certification' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07:question:1 + text: 1. Inspect and validate that a Code of ethics is defined and documented + for senior officers and CEO. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07:question:2 + text: 2. Validate that all senior officers and CEO have documented certification + of code of ethics at least annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-08 + name: Business Ethics Hotline + description: Organization has a business ethics hotline for employees and external + parties to report ethical misconduct. Allegations are investigated and Organization + will take appropriate action for confirmed violations. Hotline reports are + reported to the Audit Committee on a quarterly basis. + annotation: '1. Ensure that a process has been defined and documented for reporting + ethical misconduct. + + 2. Ensure that allegations made through the hotline are investigated and appropriate + action is taken. 
+ + 3. Ensure Hotline reports are reported to the Audit Committee on a quarterly + basis.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-11 - Hotline Case Tracking Evidence + + E-PR-12 - Audit Committee Communication Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:1 + text: 1. Inspect the relevant documentation to validate that a process has + been defined and documented for reporting ethical misconduct. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:2 + text: 2. Validate that the allegations made through the hotline are investigated + and appropriate action is taken for a sample of reports. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:3 + text: 3. Validate whether the hotline reports are reported to the Audit + Committee on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-09 + name: National Security Clearance + description: Organization conducts screening and rescreening of authorized personnel + for roles that require national security clearances. For national security + clearances; a reinvestigation is required during the 5th year for top secret + security clearance, the 10th year for secret security clearance, and 15th + year for confidential security clearance. In addition, for law enforcement + and high impact public trust level, a reinvestigation is required during the + 5th year. + annotation: "1. Document and maintain a process on screening/rescreening or\ + \ vetting of employees that need national security clearances.\n2. Ensure\ + \ list of roles requiring national security clearances is reviewed and kept\ + \ up-to-date.\n3. Ensure that screening and rescreening of authorized personnel\ + \ are conducted for roles that require national security clearances.\n4. 
For\ + \ national security clearances, ensure that rescreening is conducted for the\ + \ following:\n\u2022 5th year for top secret security clearance\n\u2022 10th\ + \ year for secret security clearance\n\u2022 15th year for confidential security\ + \ clearance\n5. For law enforcement an high impact public trust level, ensure\ + \ that an reinvestigation is conducted during the 5th year" + typical_evidence: 'E-PR-13 - List of roles that requires national security clearances + + E-PR-14 - List of personnel with national security clearances + + E-PR-15 - Screening and Rescreening Evidences + + E-PR-16 - Reinvestigation Evidences' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:1 + text: 1. Inspect relevant documentation and validate that a process on screening/rescreening + or vetting of employees that need national security clearances is established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:2 + text: 2. Validate whether a list of roles requiring national security clearances + is reviewed and kept up-to-date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:3 + text: 3. Validate for a sample employee requiring National Security Clearance + that screening and rescreening was conducted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:4 + text: '4. For sample national security clearances, validate that rescreening + was conducted for the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:5 + text: "\u2022 5th year for top secret security clearance" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:6 + text: "\u2022 10th year for secret security clearance" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:7 + text: "\u2022 15th year for confidential security clearance" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:8 + text: 5. 
For sample law enforcement and high impact public trust level security + clearance, validate that a reinvestigation was conducted during the 5th + year. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-10 + name: Code of Business Conduct + description: Organization has documented the Code of Business Conduct and Business + Partner Code of Conduct, which are reviewed, updated if applicable, and approved + by senior management annually. + annotation: '1. Ensure that a Code of Business Conduct and Business Partner + Code of Conduct is defined, documented, and approved by senior management. + + 2. Ensure that these documents are reviewed, updated, and approved at least + on an annual basis.' + typical_evidence: 'E-PR-17 - Code of Business Conduct + + E-PR-18 - Business Partner Code of Conduct' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10:question:1 + text: 1. Inspect and validate that a Code of Business Conduct and Business + Partner Code of Conduct is defined, documented, and approved by senior + management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10:question:2 + text: 2. Validate that these documents are reviewed, updated, and approved + at least on an annual basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + assessable: false + depth: 1 + name: Privacy + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-01 + name: Privacy Program + description: Organization privacy policies for individuals, including relevant + updates, are communicated on the public company website or on the internal + corporate network. + annotation: '1. Ensure the organization has created a privacy policy. + + 2. 
Ensure the policy is updated and approved on regular intervals. + + 3. Ensure the policy is communicated and is available for employees and relevant + stakeholders.' + typical_evidence: E-PRIV-01 - Privacy Policy + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01:question:1 + text: 1. Inspect privacy policies and confirm that the policy is updated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01:question:2 + text: '2. Confirm that anytime the privacy policy is updated, these updates + are present on the intranet or public website. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-02 + name: Privacy Program Review + description: "On an annual basis, Organization performs a review of privacy\ + \ practices to ensure the following:\n\u2022 consent is obtained for users\ + \ whose personal information (PI) is managed by Organization\n\u2022 PI inventory\ + \ integrity and accuracy\n\u2022 data access request response template is\ + \ understandable\n\u2022 standard agreement templates are up-to-date\n\u2022\ + \ requests to delete, access or update PI are processed accurately and within\ + \ a timeframe consistent with Organization policy\n\u2022 compliance with\ + \ Organization's privacy commitments\n\u2022 known privacy issues are remediated\n\ + \u2022 opt-in and opt-out compliance with applicable law\n\u2022 Organization\ + \ privacy documentation and practices are relevant to applicable law\n\u2022\ + \ compliance with relevant industry Codes of Conduct (e.g., EDAA)\n\u2022\ + \ if applicable, joint controller responsibilities are clearly defined and\ + \ communicated to both data controllers and the data subject" + annotation: '1. Ensure that the organization has established a privacy program. + + 2. 
Ensure that the program is reviewed on at least an annual basis. + + 3. Ensure that the privacy program contains controls regarding consent, data + access requests, modification requests, SLAs, privacy issues, roles and responsibilities. + + 4. Ensure that agreement templates are reviewed and updated.' + typical_evidence: E-PRIV-02 - Privacy Review Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02:question:1 + text: '1. Collect and inspect the organization''s annual privacy review. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02:question:2 + text: 2. Validated that the annual privacy review covers all components. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-03 + name: Privacy Readiness Review + description: Organization performs privacy readiness reviews to identify high-risk + processing activities that impact personal data; identified non-compliance + with Organization privacy practices is tracked through remediation. + annotation: '1. Ensure that a process has been established for privacy readiness + reviews. + + 2. Ensure privacy readiness reviews are conducted for high-risk processing + activities. + + 3. Ensure necessary actions are taken for the remediation of findings from + privacy readiness reviews.' + typical_evidence: E-PRIV-03 - Privacy Readiness Review Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03:question:1 + text: '1. Inspect privacy readiness reviews and ensure that remediation + activities were launched for any non-compliant actions. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03:question:2 + text: 2. Validate that remediation activates were resolved and remediated. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-04 + name: Privacy Notice + description: Individuals are given appropriate notice and an opportunity to + consent or decline to Organization privacy practices such as accessing, collecting, + processing, transferring, or storing personal information. + annotation: '1. Ensure that a consent notice is established for users regarding + privacy guidelines. + + 2. Ensure that the users have an option to accept or decline the consent.' + typical_evidence: E-PRIV-04 - Consent Notice Snapshot + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-04:question:1 + text: 1. Inspect Data Protection Policy and procedure documents to ensure + individuals are given appropriate notice and an opportunity to consent + or decline to organization privacy practices such as accessing, collecting, + processing, transferring, or storing personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-05 + name: 'Personal Information Notice and Consent: Additional Processing Activities' + description: Where appropriate, Organization obtains individual consent for + processing activities for which consent has not been previously obtained. + annotation: '1. Ensure that consent is obtained for processing user data. + + 2. Ensure that any change in processing activities is followed by an update + of consent.' + typical_evidence: E-PRIV-04 - Consent Notice Snapshot + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-05:question:1 + text: 1. 
Inspect Data Protection Policy and procedure documents to determine + whether organization obtains individual consent for processing activities + for which consent has not been previously obtained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-06 + name: Notice of Personal Information Disclosure + description: In accordance with Organization policy, Organization provides notice + to individuals regarding legally-required disclosures of personal information. + annotation: '1. Ensure that a process is established for disclosing user data + in case of legal enquiries. + + 2. Ensure appropriate notice is provided to the users regarding disclosure + of their data.' + typical_evidence: E-PRIV-05 - Legal Disclosure Process + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-06:question:1 + text: 1. Inspect Organization policy related to disclosure of personal information + to determine whether process of providing notice to individuals regarding + legally required disclosures of personal information is documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-07 + name: PII Processing Agreements + description: Personal information is handled and processed in accordance with + contractual requirements. + annotation: '1. Ensure that appropriate agreements are established to define + PII processing requirements. + + 2. Ensure all customers sign PII processing agreements. + + 3. Ensure all PII is handled and processed as per contractual requirements.' 
+ typical_evidence: 'E-PRIV-06 - PII Processing Agreements + + E-PRIV-07 - Customer Sample PII Agreement' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:1 + text: 1. Inspect and validate that appropriate agreements are established + and documented that define PII processing requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:2 + text: 2. For a sample customer validate that PII processing agreement has + been signed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:3 + text: 3. Validate that all PII is handled and processed as per contractual + requirements and the employees are briefed of these requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-08 + name: Record of Processing Activity + description: Organization documents, reviews, and approves a record of processing + activities related to personal information. + annotation: '1. Ensure appropriate process has been established to document + and record all processing activities related to Personal Information. + + 2. Ensure the records of PII processing activities are reviewed periodically + as per contractual requirements. + + 3. Ensure that the record is approved by appropriate personnel. ' + typical_evidence: E-PRIV-08 - PII Processing Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-08:question:1 + text: 1. Inspect a sample of reviews related to processing of personal information + and validate that it is approved by the authorized personnel. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-09 + name: 'Document Management Standard: HIPAA' + description: Documentation that impacts personal health information, including + policies, procedures, and the documentation of actions, activities, or assessments, + are retained for 6 years from the date of its creation, or the date when it + last was in effect, whichever is later. + annotation: '1. Ensure that a process is defined and documented for retaining + documentation related to personal health information. + + 2. Ensure that this documentation is retained at least for 6 years from the + date of creation or when it was last effective. + + 3. Ensure this documentation consists of polices and procedures of actions, + activities and/or assessments.' + typical_evidence: E-PRIV-09 - Personal Health Information Documentation Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09:question:1 + text: 1. Validate documented retention configuration is set to at least + 6 years for policies, procedures, and assessment for the documents that + impacts personal health information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09:question:2 + text: '2. Inspect a sample of documentation going back to the earliest document + or at least 6 years. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-10 + name: Law Enforcement Requests + description: Law enforcement agencies may submit requests for evidence; submitted + requests are reviewed and tracked to resolution. + annotation: '1. Ensure a process is defined, documented, and approved for law + enforcement agencies to submit evidence requests for investigation. + + 2. 
Ensure these requests are appropriately tracked and resolved as per contractual + and legal requirements. + + 3. Ensure any evidence sharing is done via secure methods to avoid unauthorized + access to data. + + 4. Ensure only customer data relevant to the investigation is segregated and + submitted if needed.' + typical_evidence: 'E-PRIV-10 - Law enforcement Process + + + + E-PRIV-11 - Sample investigation requests + + E-PRIV-12 - Evidence Sharing method screenshot' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:1 + text: 1. Inspect and validate that a process is defined, documented, and + approved for law enforcement agencies to submit evidence requests for + investigation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:2 + text: 2. Validate for a sample of requests that they are appropriately tracked + and resolved as per contractual and legal requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:3 + text: 3. Validate for a sample request whether the evidence sharing was + done via secure methods to avoid unauthorized access to data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:4 + text: 4. Validate how customer data relevant to the investigation was segregated + and submitted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + assessable: false + depth: 1 + name: Proactive Security + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-01 + name: Endpoint Detection and Response + description: Endpoint Detection and Response (EDR) software is deployed to continuously + monitor, detect, and respond to cyber threats and patterns of malicious behavior + and activity. + annotation: '1. 
Deploy Endpoint Detection and Response (EDR) software to continuously + monitor, detect, and respond to cyber threats and patterns of malicious behavior + and activity. + + 2. Ensure that the EDR configurations are periodically reviewed.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-PS-01 - Network Security Standard' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01:question:1 + text: 1. For a sample of endpoints, validate whether Endpoint Detection + and Response (EDR) software is installed and continuously monitor, detect, + and respond to cyber threats and patterns of malicious behavior and activity. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01:question:2 + text: 2. Inspect whether the EDR configurations are reviewed periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-02 + name: Threat Hunting + description: Organization performs threat hunting to identify, track, and disrupt + threats that evade existing security controls. + annotation: '1. Conduct cyber threat hunting activities according to an organization-defined + frequency and/or organization-defined event to detect, track, and disrupt + threats that evade existing controls. + + 2. Establish a threat hunting methodology in accordance with the organization''s + security objectives. + + 3. Define threat indicator information and effective mitigations.' + typical_evidence: 'E-PS-02 - EDR Configuration Documentation + + E-PS-03 - Threat Hunting program documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:1 + text: 1. 
Inspect whether cyber threat hunting activities are performed as + per defined frequency to detect, track, and disrupt threats that evade + existing controls. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:2 + text: 2. Validate whether a threat hunting methodology exists in accordance + with the organization's security objectives. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:3 + text: 3. Inspect the threat indicator information and effective mitigations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-03 + name: Threat Modeling + description: Organization performs periodic threat modeling to ensure that potential + threats are identified and assessed. + annotation: 1. Ensure that an organization performs periodic threat modeling + to ensure that potential threats are identified and assessed. + typical_evidence: E-PS-04 - Threat indicator documentation + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-03:question:1 + text: 1. Validate whether an organization performs threat modeling periodically + to identify and assess potential threats. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-04 + name: Adversary Intelligence + description: Organization gathers intelligence on adversary personas to assist + in the prioritization of security activities. + annotation: 1. Establish a process through which an organization gathers intelligence + on adversary personas to assist in the prioritization of security activities. 
+ typical_evidence: E-PS-05 - Periodic Threat Modeling documentation + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-04:question:1 + text: 1. Validate whether a process exists through which an organization + gathers intelligence on adversary personas to assist in the prioritization + of security activities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + assessable: false + depth: 1 + name: Risk Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-01 + name: Service Risk Rating Assignment + description: Annually, Organization prioritizes the frequency of vulnerability + discovery activities based on an assigned service risk rating. + annotation: '1. Ensure Risk management standard is in place and documented which + defines the frequency of vulnerability discovery activities based on an assigned + service risk rating. + + 2. Ensure all the identified vulnerabilities are remediated based on the risk + rating.' + typical_evidence: 'E-RM-01 - Vulnerability management standard + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01:question:1 + text: 1. Validate that the organization has a defined vulnerability management + standard. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01:question:2 + text: 2. For a sample of vulnerabilities, test that it was remediated based + on risk ranking. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-02 + name: Risk Assessment + description: Organization management performs an annual risk assessment. 
Results + from risk assessment activities are reviewed to prioritize mitigation of identified + risks. + annotation: '1. Ensure Risk Management Standard shall be in place which RM-01 + defines the requirements for annual risk assessment. + + 2. Ensure that the results of risk assessment are reviewed and mitigation + is performed on priority. + + 3. Any identified issues should have a corresponding risk treatment plan or + corrective action plan in place. Each issue shall be tracked to completion.' + typical_evidence: 'E-RM-03 - Risk Management Standard + + E-RM-04 - Risk assessment report + + E-RM-05 - Sample evidences for the risks treatment plan for the identified + risks' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:1 + text: 1. Validate that Risk Management Standard is in place and defines + the requirements for annual risk assessment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:2 + text: 2. Validate evidence for the review of results of risk assessment + and mitigation of risks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:3 + text: 3. Validate that any identified issues were tracked to completion, + according to its corresponding risk treatment plan or corrective action + plan. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-03 + name: 'Risk Assessment: HIPAA Criteria' + description: "Organization's periodic risk assessment for systems that process,\ + \ transmit or store Protected Health Information (PHI) includes the following:\n\ + \u2022 identify and classify assets\n\u2022 identify threats\n\u2022 identify\ + \ vulnerabilities\n\u2022 identify controls\n\u2022 perform threat likelihood\ + \ analysis\n\u2022 perform threat impact analysis\n\u2022 identify residual\ + \ risk\n\u2022 identify appropriate safeguards" + annotation: "1. Ensure risk assessment for systems that process, transmit or\ + \ store Protected Health Information (PHI) shall be in place and includes\ + \ the information listed below:\n\u2022 identify and classify assets\n\u2022\ + \ identify threats\n\u2022 identify vulnerabilities\n\u2022 identify controls\n\ + \u2022 perform threat likelihood analysis\n\u2022 perform threat impact analysis\n\ + \u2022 identify residual risk\n\u2022 identify appropriate safeguards" + typical_evidence: E-RM-06 - Risk Assessment HIPAA Report + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:1 + text: '1. 
Review Risk Assessment for a sample system that process, transmit + or store Protected Health Information (PHI) and validate whether it includes + the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:2 + text: "\u2022 identify and classify assets" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:3 + text: "\u2022 identify threats" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:4 + text: "\u2022 identify vulnerabilities" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:5 + text: "\u2022 identify controls" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:6 + text: "\u2022 perform threat likelihood analysis" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:7 + text: "\u2022 perform threat impact analysis" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:8 + text: "\u2022 identify residual risk" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:9 + text: "\u2022 identify appropriate safeguards" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-04 + name: Continuous Monitoring + description: The design and operating effectiveness of internal controls are + continuously evaluated against the established Common Controls Framework by + Organization. Corrective actions related to identified deficiencies are tracked + to resolution. + annotation: '1. Ensure that a process is defined and documented for the continuous + monitoring of internal controls against the common controls framework. + + 2. Ensure any gaps identified are remediated as per the organization''s policy.' 
+ typical_evidence: 'E-RM-07 - Compliance Review report + + E-RM-08 - Sample evidences of corrective actions taken in case of any deficiencies + identified' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04:question:1 + text: 1. Validate that a process is defined and documented for the continuous + monitoring of internal controls against the common controls framework. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04:question:2 + text: 2. For sample gaps validate that they were remediated as per the organization's + policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-05 + name: 'Self-Assessments: PCI' + description: "On a quarterly basis, reviews shall be performed with approved\ + \ documented specification to confirm personnel are following security policies\ + \ and operational procedures pertaining to:\n\u2022 daily log reviews\n\u2022\ + \ firewall rule-set reviews\n\u2022 applying configuration standards to new\ + \ systems\n\u2022 responding to security alerts\n\u2022 change management\ + \ processes" + annotation: "1. Establish a quarterly process to ensure that the following policies\ + \ and operational procedures are being reviewed and approved by authorized\ + \ personnel: \n\u2022 daily log reviews\n\u2022 firewall rule-set reviews\n\ + \u2022 applying configuration standards to new systems\n\u2022 responding\ + \ to security alerts\n\u2022 change management processes" + typical_evidence: 'E-RM-03 - Risk Management Standard + + E-RM-09 - Quarterly Review Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:1 + text: '1. 
Inspect whether a process exists for reviewing the following on + a quarterly basis:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:2 + text: "\u2022 daily log reviews" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:3 + text: "\u2022 firewall rule-set reviews" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:4 + text: "\u2022 applying configuration standards to new systems" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:5 + text: "\u2022 responding to security alerts" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:6 + text: "\u2022 change management processes" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:7 + text: 2. Validate using the last review whether any deviations were noted + and if applicable, were tracked till resolution + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-06 + name: Internal Audits + description: Organization establishes internal audit requirements based on the + Common Controls Framework by Organization and executes audits on information + systems and processes at planned intervals. + annotation: 1. Ensure that the organization sets audit rules based on its Common + Controls Framework and conducts audits on its information systems and processes + at scheduled times + typical_evidence: 'E-RM-10 - Common Controls Framework + + E-RM-11 - Audit Reports and associated documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-06:question:1 + text: '1. Inspect internal and external audit results. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-07 + name: ISMS Internal Audit Requirements + description: Internal audit establishes and executes a plan to evaluate applicable + controls in the Information Security Management System (ISMS) at least once + every 3 years. + annotation: '1. Ensure that the organization possesses an audit program document + that enumerates the particular controls slated for testing within its Information + Security Management System (ISMS). + + 2. Ensure that the outcomes of internal audit for ISMS controls is reviewed + on a periodic basis.' + typical_evidence: 'E-RM-12 - Audit Plan + + E-RM-13 - Audit Checklist + + E-RM-11 - Audit Reports and associated documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07:question:1 + text: '1. Inspect audit program document that lists out specific controls + to be tested in the ISMS. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07:question:2 + text: '2. Inspect the results of internal audit of ISMS controls and note + the cadence of such audits. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-08 + name: Remediation Tracking + description: Management prepares a remediation plan to formally manage the resolution + of findings identified in risk assessment activities. + annotation: '1. Ensure that there is a well-defined and documented remediation + plan in place to address and resolve any findings from risk assessment activities. + + 2. Ensure that the findings identified are resolved within the agreed timeframe.' 
+ typical_evidence: 'E-RM-14 - Remediation Plan + + E-RM-03 - Risk Management Standard + + E-RM-15 - Finding documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08:question:1 + text: '1. Inspect documentation of remediation plan for any risk assessment + activities. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08:question:2 + text: 2. Validate whether the findings created are remediated in the defined + timeframe. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-09 + name: ISMS Corrective Action Plans + description: Management prepares a Corrective Action Plan (CAP) to manage the + resolution of nonconformities identified in independent audits. + annotation: 1. Ensure that there is an audit finding document generated following + an external, independent audit and used as a basis for implementing necessary + improvements and corrective actions. + typical_evidence: 'E-RM-15 - Finding documentation + + E-RM-16 - Documented Corrective Action Plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09:question:1 + text: '1. Inspect audit finding document prepared after external, independent + audit. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09:question:2 + text: '2. For a sample of findings, examine evidence of resolution or a + plan of action for audit findings. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-10 + name: Statement of Applicability + description: 'Management prepares a statement of applicability that includes + control objectives, implemented controls, and business justification for excluded + controls. 
Management aligns the statement of applicability with the results + of the annual risk assessment. ' + annotation: 1. Ensure that the statement of applicability (SOA) is approved + by the management and in alignment with the outcomes of the annual risk assessment + to ensure consistency and relevance. + typical_evidence: E-RM-17 - Statement of Applicability (SOA) + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10:question:1 + text: '1. Inspect the organization''s statement of applicability (SOA) and + compares it with the result of the annual risk assessment. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10:question:2 + text: '2. Validate whether the statement of applicability is approved by + management. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217 + assessable: false + depth: 1 + name: System Design Documentation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217 + ref_id: SDD-01 + name: System Documentation + description: Documentation of system boundaries and key aspects of their functionality + are published to authorized Organization personnel on the Organization intranet. + annotation: '1. Ensure that appropriate documentation is established for system + boundaries and key aspects of functionality. + + 2. Ensure that these diagrams are available to authorized personnel through + intranet.' + typical_evidence: E-SDD-01 - Evidence of system diagrams + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01:question:1 + text: 1. Inspect and validate that appropriate documentation is established + for system boundaries and key aspects of functionality. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01:question:2 + text: 2. 
Validate that these diagrams are available to authorized personnel + through intranet. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217 + ref_id: SDD-02 + name: Whitepapers + description: Organization publishes whitepapers to its public website that describe + the purpose, design and boundaries of the system and system components. + annotation: '1. Ensure that the organization''s public website have published + whitepapers describing the purpose, design, and boundaries of the in-scope + services and system components. + + 2. Ensure that these whitepapers are reviewed periodically for accuracy and + approved by relevant personnel prior to publishing.' + typical_evidence: E-SDD-02 - Evidence of whitepapers + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-02:question:1 + text: 1. Inspect the organization's public website to determine whether + whitepapers for in-scope services are published. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + assessable: false + depth: 1 + name: Security Governance + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-01 + name: Policy and Standard Review + description: Organization's policies and standards are periodically reviewed, + approved by management, and communicated to Organization personnel. + annotation: '1. Ensure that the organization''s policies and standards are well-defined, + documented and communicated with relevant personnel. + + 2. Ensure that these policies and standards are reviewed periodically and + are approved by the management.' 
+ typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-02 - Evidence of periodic review of organization''s policies and standards + (with version history) + + E-SG-03 - Sample of communication mail sent to employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:1 + text: 1. Inspect organization's Policy to determine whether requirements + for periodic reviews, management approval, and communication of policies + and standards are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:2 + text: 2. Inspect a sample of organization's policies and standards to determine + whether they are documented, periodically reviewed, and approved by management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:3 + text: '3. Inspect the corporate intranet or email communication sent to + employee that validates these policies are communicated within the organization. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-02 + name: Exception Management + description: Organization reviews exceptions to policies, standards and procedures; + exceptions are documented and approved based on business need and removed + when no longer required. + annotation: '1. Ensure that a process for the handling of exceptions is well + defined and documented. + + 2. Ensure exceptions observed have thorough documentation, approval from higher + management, and are promptly removed when no longer needed.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-04 - Sample Policy Exceptions' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02:question:1 + text: 1. 
Inspect organization's policy and/or standards to determine whether + requirements to review, approve, and document exceptions to policies, + standards, and procedures are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02:question:2 + text: 2. Inspect a sample of exceptions to determine whether each exception + is reviewed, approved, and documented based on business need and removed + when no longer required. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-03 + name: Document Control + description: Organization's document management criteria is periodically reviewed, + approved by management, and communicated to authorized personnel; management + determines the treatment and retention of documentation according to legal + and regulatory requirements. + annotation: '1. Ensure that the organization has a well defined and documented + document management criteria. + + 2. Ensure that the criteria is reviewed and approved by the management periodically. + + 3. Ensure that the criteria is communicated to authorized personnel. + + 4. Ensure that the documentation is treated and retained according to legal + and regulatory requirements.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-05 - Document Management Criteria + + E-SG-06 - Document Retention Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:1 + text: 1. Inspect the organization's policy and/or standard to validate that + the organization has a well defined and documented document management + criteria. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:2 + text: 2. Validate that the criteria is reviewed and approved by the management + periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:3 + text: 3. 
Validate whether the criteria is communicated to authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:4 + text: 4. Validate for a sample documentation that it is treated and retained + according to legal and regulatory requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-04 + name: Information Security Program Content + description: 'The Chief Security Officer conducts a periodic staff meeting to + communicate and align on relevant security threats, program performance, and + resource prioritization. ' + annotation: '1. Ensure that a process is defined and documented for conducting + periodic staff meetings with the Chief Security Officer. + + 2.Ensure that the meeting agenda consists of security threats, Information + Security Management Program Performance and Resource Prioritization.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-15 - MOM of management meetings' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04:question:1 + text: 1. Inspect and validate that a process is defined and documented for + conducting periodic staff meetings with the Chief Security Officer. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04:question:2 + text: 2. Validate that the meeting agenda consists of security threats, + Information Security Management Program Performance and Resource Prioritization + for sample quarters. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-05 + name: Procedures + description: Organization's key control capabilities are supported by documented + procedures that are communicated to authorized personnel. + annotation: '1. 
Ensure that a process is defined and documented so that all + key control capabilities are supported by documented procedures. + + 2. Ensure that these procedures are communicated to authorized personnel.' + typical_evidence: E-SG-01 - Information Security Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05:question:1 + text: 1. Inspect and validate that a process is defined and documented so + that all key control capabilities are supported by documented procedures. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05:question:2 + text: 2. Validate that these procedures are communicated to authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-06 + name: Proprietary Rights Agreement + description: Organization regular employees consent to a proprietary rights + agreement. + annotation: "1. Ensure that all employees are required to sign a proprietary\ + \ rights agreement prior to joining the organization. \n2. Ensure that appropriate\ + \ records are maintained for retaining this information." + typical_evidence: E-SG-07 - Documented proprietary rights agreement and organization's + network access agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06:question:1 + text: 1. Inspect the procedure for employees to sign proprietary rights + agreement. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06:question:2 + text: '2. Inspect a sample of employee''s proprietary rights agreement. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-07 + name: Review of Confidentiality Agreements + description: The Organization Proprietary Rights Agreement and Organization + Network Access Agreement are reviewed on a periodic basis. + annotation: "1. Ensure all employees sign the organization's proprietary rights\ + \ agreement and network access agreement prior to joining the organization.\ + \ \n2. Ensure these agreements are updated on a need-to-know basis and communicated\ + \ to stakeholders." + typical_evidence: E-SG-07 - Documented proprietary rights agreement and organization's + network access agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-07:question:1 + text: '1. Inspect organization''s proprietary rights agreement and network + access agreement and check for periodic review. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-08 + name: Information Security Program + description: Organization has an established security leadership team including + key stakeholders in the Organization Information Security Program; goals and + milestones for deployment of the information security program are established + and communicated to the company through the periodic security all-hands meeting. + annotation: "1. Ensure there is a dedicated information security management\ + \ standard which consists of requirements pertaining to security leadership\ + \ team and the establishment and communication of security goals and milestones.\ + \ \n2. Ensure the organization's information security management standard\ + \ is uploaded on corporate intranet and made available to all employees.\n\ + 3. 
Ensure, ISMS steering committee is conducting monthly meetings whose, minutes\ + \ are documented and communicated to relevant stakeholders." + typical_evidence: "E-SG-01 - Information Security Management Standard\nE-SG-08\ + \ - Information Security management Standard is uploaded on intranet \nE-SG-09\ + \ - MOM of ISMS steering committee " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:1 + text: 1. Inspect Information Security Management Standard to determine whether + requirements for a security leadership team and the establishment and + communication of security goals and milestones are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:2 + text: 2. Observe organization's corporate intranet to determine whether + the Information Security Management Standard is communicated to the company. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:3 + text: 3. Inspect the most recent ISMS Steering minutes to determine the + participation from the security leadership team, and the establishment + and communication of security goals and milestones. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-09 + name: Accessibility Program + description: Organization has an established accessibility leadership team including + key stakeholders; goals and milestones for deployment of the accessibility + program are established and communicated to the company. + annotation: '1. Prepare a list of accessibility key stakeholders and objectives + of accessibility program. + + 2. Review ISMS standard to ensure that it includes the information related + to accessibility program and made available to the employees of the organization.' 
+ typical_evidence: E-SG-01 - Information Security Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09:question:1 + text: 1. Validate that the ISMS standard lists key stakeholders and objectives + of the accessibility program. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09:question:2 + text: 2. Observed how the ISMS standard includes information about the accessibility + program and whether it is readability available to employees of the organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-10 + name: Information Security Management System Scope + description: Information Security Management System (ISMS) boundaries are formally + defined in an ISMS scoping document. + annotation: '1. Ensure a process has been defined and documented to create an + ISMS scoping document. + + 2. Ensure that this document is appropriately reviewed and updated to refelct + accurate boundaries for the information security management system.' + typical_evidence: E-SG-10 - ISMS Scope document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + to create an ISMS scoping document. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10:question:2 + text: 2. Validate whether this document was appropriately reviewed and updated. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-11 + name: Security Roles and Responsibilities + description: Roles and responsibilities for the governance of Information Security + within Organization are formally documented within the Information Security + Management Standard and communicated on the Organization intranet. + annotation: '1. Ensure organization''s information security standard consists + of roles and responsibilities for the governance of information security within + organization and uploaded on the corporate intranet and made available to + all employees. + + 2. Ensure, ISMS steering committee is conducting monthly meetings whose, minutes + are documented and communicated to relevant stakeholders.' + typical_evidence: E-SG-10 - ISMS Scope document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:1 + text: 1. Inspect Organization's Information Security Management Standard + to determine whether it was communicated and defined information security + roles and responsibilities for the governance of information security + within Organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:2 + text: 2. Observed Organization's corporate intranet to determine whether + the Information Security Management Standard is communicated to the company. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:3 + text: 3. Inspect the most recent ISMS Steering Committee Meeting minutes + to determine the participation from the security leadership team, and + establishment and communication of security goals and milestones. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-12 + name: 'Security Roles and Responsibilities: Risk Designations' + description: Organization defined security roles and responsibilities are assigned + risk designations and reviewed at least once every three years. + annotation: 1. Ensure there is a risk management policy, and risk matrix (which + consists of risk severity, risk treatment, risk mitigation plan, and compensatory + control) which are updated once in every 3 years or on a need-to-know basis. + typical_evidence: 'E-SG-11 - Risk Management Policy + + E-SG-12 - Risk Matrix ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-12:question:1 + text: 1. Inspect Organization's Risk Management policy and risk control + matrix and ensure they are updated once in every 3 years or on a need-to-know + basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-13 + name: 'Security Roles and Responsibilities: PCI Compliance' + description: Roles and responsibilities and a program charter for the governance + of PCI DSS compliance within Organization are formally documented and communicated + by management. + annotation: 1. Define roles and responsibilities for PCI DSS governances which + is approved by the organization's management and documented well in PCI Charter. + typical_evidence: 'E-SG-13 - PCI charter ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-13:question:1 + text: 1. 
Inspect Organization's PCI Charter and organization chart to determine + that roles and responsibilities for PCI DSS governances are appropriately + documented and disseminated by Organization Management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-14 + name: Information Security Resources + description: "Information systems security implementation and management are\ + \ included as part of the budget required to support the Organization\_Security\ + \ Program." + annotation: "1. Allocate resources as per the Organization's Security program\ + \ and the defined budget. \n2. Ensure management meets monthly or on a need-to-know\ + \ basis to discuss the critical security requirements across organization\ + \ based on multiple factors as well as justifications basis which budget is\ + \ allocated for management of Organization's security program and corresponding\ + \ records are maintained.\n3. Each department spend and allocate resources\ + \ as per the defined budget and security program which aligns with the business\ + \ objectives.\n4. Ensure budget is approved by top management for spending\ + \ to be aligned with business justification." + typical_evidence: 'E-SG-14 - Approved budget allocation documentation + + E-SG-15 - MOM of management meetings' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:1 + text: 1. Inspect all the security requirements for which budget is required + as a part of Organization's Security program and corresponding business + justification are identified, documented and maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:2 + text: 2. 
Ensure that as a part of regular periodic management review meetings + identified critical security requirements across organization are reviewed + as well as analyzed and based on multiple factors as well as justifications + basis which budget is allocated for management of Organization's security + program and corresponding records are maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:3 + text: 3. Inspect documentation around representation from all the key departments + to ensure allocation of budget for security program is aligned with business + objectives. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:4 + text: 4. Inspect the approval obtained by top management for spending of + allocated budget to be aligned with business justification. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-15 + name: Management Review + description: 'The Information Security Management System (ISMS) steering committee + conducts a formal management review of ISMS scope, risk assessment activities, + control implementation, and audit results on an annual basis. ' + annotation: '1. Conduct ISMS steering committee meeting on monthly basis or + on a need-to-know basis to discuss and review the current scope (products + included), audit progress, ISMS scope, risk assessment activities, control + implementation, and audit results. + + 2. Document the attendance of each member.' + typical_evidence: 'E-SG-09 - MOM of ISMS steering committee ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:1 + text: 1. Validate that ISMS Steering committee meet at least annually, and + inspect meeting minutes from each meeting. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:2 + text: 2. 
Inspect attendees of the steering committee meeting shall be documented, + and members of the information steering committee shall include relevant + members from the offering's organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:3 + text: '3. Each meeting shall include an discussion and review of current + scope (products included), audit progress, ISMS scope, risk assessment + activities, control implementation, and audit results. Included shall + be action items for any audit findings. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-16 + name: Enterprise Data Catalog + description: Organization maintains an enterprise data catalog that encompasses + key organizational data, environment metadata, and product information to + facilitate continuous monitoring of the internal control environment. The + enterprise data catalog is updated as part of the continuous monitoring process + and upon the introduction of new service offerings and acquisitions. + annotation: '1. Ensure there is a documented enterprise data catalogue which + consists of details that include but not limited to: key organizational data, + environment metadata, and product information to facilitate continuous monitoring + of the internal control environment. + + 2. Ensure that the documented enterprise data catalogue is reviewed and updated + annually or as in when required. ' + typical_evidence: 'E-SG-16 - Enterprise Data Catalogue ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16:question:1 + text: 1. Inspect the Enterprise Data Catalog to determine that it includes + key organizational data, environment metadata, and product information + to facilitate continuous monitoring of the internal control environment. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16:question:2 + text: 2. Inspect that the data catalog is reviewed and updated periodically + and further, upon the introduction of new service offerings and acquisitions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-17 + name: Software Usage Restrictions + description: Organization maintains software license contracts and monitors + its compliance with usage restrictions. + annotation: '1. Ensure there is a formal documented software license agreement/policy + which defines the criteria for the installation of software. + + 2. Ensure software license agreement/policy is reviewed and updated on annual + basis or when required. + + 3. Continuous monitoring of installed software to ensure the compliance posture + as per the defined criteria.' + typical_evidence: 'E-SG-17 - Software License Agreement/Policy + + E-SG-18 - Software monitoring compliance report to ensure the compliance posture ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:1 + text: '1. Identify and document the inventory of software license contracts + corresponding to different software. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:2 + text: 2. Inspect management approved procedures for license maintenance + and usage are in place and maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:3 + text: 3. Ensure that monitoring is in place to check the compliance effectiveness + with usage restrictions defined as part of software license maintenance + as well as usage contracts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:4 + text: 4. 
Ensure monitoring records of period review/audits are maintained + to ensure adherence to the requirements of the software license contracts + and usage restrictions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:5 + text: 5. Licenses and contracts are reviewed as needed, and increased supply + of licenses and contracts are obtained if needed to meet use/demand. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + assessable: false + depth: 1 + name: Service Lifecycle + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-01 + name: Service Lifecycle Workflow + description: Major software releases are subject to the Service Life Cycle, + which requires acceptance via Concept Accept and Project Plan Commit phases + prior to implementation. + annotation: "1. Ensure there is a documented standard for organization product\ + \ lifecycle and secure product lifecycle which consists requirements for acceptance\ + \ via concept accept and project plan commit phases prior to implementation.\n\ + 2. Ensure the standard for organization product lifecycle and secure product\ + \ lifecycle are reviewed and updated as required. \n3. Implement a procedure\ + \ to document the acceptance via concept accept and project plan commit phases\ + \ prior to implementation for each and every major release." + typical_evidence: "E-SLC-01 - Organization product lifecycle standard \nE-SLC-02\ + \ - Secure product lifecycle" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01:question:1 + text: 1. Inspect Organization's Product Lifecycle Standard and Secure Product + Lifecycle Standard to determine whether requirements for acceptance via + Concept Accept and Project Plan Commit phases prior to implementation + are defined. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01:question:2 + text: 2. Inspect documentation for a selection of major releases to determine + whether it includes documentation of acceptance via Concept Accept and + Project Plan Commit phases prior to implementation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-02 + name: Source Code Management + description: Source code is managed with Organization-approved version control + mechanisms. + annotation: "1. Ensure there is a documented organization's source code security\ + \ standard and it is updated on need to know basis. \n2. Ensure source code\ + \ repositories used by service team as per the approved version control mechanisms/systems." + typical_evidence: "E-SLC-03 - Source code standard \nE-SLC-04 - Source code\ + \ repository " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02:question:1 + text: 1. Inspect Organization's Source Code Security Standard to determine + whether requirements for Organization-approved version control software + are in place. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02:question:2 + text: 2. For a sample of services, inspect source code repository used by + services to determine that source code is managed with Organization-approved + version control mechanisms/systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-03 + name: Secrets in Code + description: 'Organization manages source code secrets in a centralized repository; + secrets are rotated at least annually and immediately if the security of secrets + is compromised. ' + annotation: '1. Each service should have a central source code repository where + all secrets are managed. + + 2. 
Secrets of the service are rotated once every year and in cases where the + securiy of secrets is compromised. Logs for the same are maintained and documented.' + typical_evidence: 'E-SLC-05 - Central Source Code Repository + + E-SLC-06 - Shared Secret Rotation Logs ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03:question:1 + text: 1. For a sample of services, inspect the Organization's centralized + repository to determine that source code secrets are managed in a centralized + repository. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03:question:2 + text: 2. Obtain evidence to validate secrets are rotated at least annually + and immediately if the security of secrets is compromised. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-04 + name: Project Budget Approval + description: 'Approval for project initiation and budget is obtained from IT + management and business owners. + + ' + annotation: 1. Prepare a project management plan that includes but not limited + to project initiation guidelines and budget from IT management and business + owners. + typical_evidence: 'E-SLC-07 - Minutes of project scope and budget plan meeting + + E-SLC-08 - Formal sign-off on the project plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-04:question:1 + text: 1. Obtain evidence of approval for project initiation and budget from + IT management and business owners. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-05 + name: Project Scope Change + description: 'Changes to finalized project scope and requirements require the + review and approval from the business team and project manager. + + ' + annotation: '1. Prepare a project management plan that outlines the project + scope, and requirements. + + 2. Project Management plan is approved by business team.' + typical_evidence: 'E-SLC-07 - Minutes of project scope and budget plan meeting + + E-SLC-08 - Formal sign-off on the project plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05:question:1 + text: 1. Review the changes that have been modified and finalized for project + scope and requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05:question:2 + text: 2. Obtain evidence of approval from the business team and project + management for finalization of project scope and requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-06 + name: Information System Operation Authorization + description: Senior management authorizes the operation of new information systems, + based on security and business requirements, prior to implementation. The + information system authorization is refreshed every 3 years or when significant + change occurs. + annotation: '1. Ensure there is documented service lifecycle program which is + updated on a need-to-know basis + + 2. Ensure there is a documented information system operation authorization + which is approved by the senior management and updated once in every 3 years + or on a need-to-know basis.' 
+ typical_evidence: 'E-SLC-09 - Service Lifecycle Program + + E-SLC-10 - Information system Operation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:1 + text: 1. Inspect the approval matrix for Service Lifecycle Program Management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:2 + text: 2. Inspect the approval matrix for Information System Operation Authorization + by the authorized senior management to determine the operation of new + information systems + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:3 + text: 3. Review the information system authorization is updated every 3 + years or when significant changes occurs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-07 + name: System Acquisition Approval + description: "Information system acquisitions require approval from authorized\ + \ personnel based on verification of the following documented evidence:\n\u2022\ + \ security function, strength, and assurance requirements\n\u2022 requirements\ + \ for protecting security-related documentation\n\u2022 system development\ + \ and test requirements\n\u2022 acceptance criteria for releases\n\u2022 enumeration\ + \ of Security controls\n\u2022 security control implementation and monitoring\ + \ requirements\n\u2022 components are FIPS-201 approved" + annotation: "1. 
Define and implement a procedure for the formal approval from\ + \ an authorized personnel Information system acquisitions based on verification\ + \ of the following documented evidence:\n\u2022 security function, strength,\ + \ and assurance requirements\n\u2022 requirements for protecting security-related\ + \ documentation\n\u2022 system development and test requirements\n\u2022 acceptance\ + \ criteria for releases\n\u2022 enumeration of Security controls\n\u2022 security\ + \ control implementation and monitoring requirements\n\u2022 components are\ + \ FIPS-201 approved" + typical_evidence: 'E-SLC-11 - Formal Approval/documents from the authorized + personnel ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:1 + text: '1. Obtain evidence of approval from authorized personnel for Information + system acquisitions based on verification of the following documented + evidence:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:2 + text: "\u2022 security function, strength, and assurance requirements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:3 + text: "\u2022 requirements for protecting security-related documentation" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:4 + text: "\u2022 system development and test requirements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:5 + text: "\u2022 acceptance criteria for releases" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:6 + text: "\u2022 enumeration of Security controls" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:7 + text: "\u2022 security control implementation and monitoring requirements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:8 + text: "\u2022 components are FIPS-201 approved" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + assessable: false + depth: 1 + name: 
Systems Monitoring + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-01 + name: Audit Logging + description: Organization logs critical information system activity. + annotation: "1. Ensure that the Organization's Logging Standard includes logging\ + \ requirements for critical system activity.\n2. Ensure that the following\ + \ system logging configurations (at the least, but not limited to) for a selection\ + \ of production systems to determine the following:\na. Log aggregation tool\ + \ is configured for the service.\nb. Whether the below logs are being sent\ + \ to the log aggregation tool:\ni. System OS logs\nii. AWS Config (configuration\ + \ monitoring resource in AWS)\niii. Cloud Trail (All account level activity\ + \ including API calls, IAM role/user)\niv. VPC Flow Logs (Showing all network\ + \ connections to and from a VPC)\nv. Guard Duty (AWS provided threat detection\ + \ service)\nc. PCI Specific - Whether critical information system activity\ + \ is logged such as the following:\ni. Access to all audit trails (Covered\ + \ through CloudTrail)\nii. Invalid logical access attempts.\niii. Use of and\ + \ changes to identification and authentication mechanisms, including: All\ + \ elevation of privileges. All changes, additions, or deletions to any account\ + \ with root or administrative privileges. \niv. Initialization of audit logs\n\ + v. Stopping or pausing of audit logs\nvi. Creation and deletion of system\ + \ level objects\nvii. Alerts are in place to be triggered when the aforementioned\ + \ logs are not forwarded/face an error in being sent by the log aggregation\ + \ tool." 
+ typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-02 - Logging configuration + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:1 + text: 1. Inspect Organization's Logging Standard to determine whether logging + requirements are defined for critical system activity. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:2 + text: '2. Inspect system logging configurations for a sample of production + systems to determine the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:3 + text: a. Log aggregation tool is configured for the service. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:4 + text: 'b. Whether the below logs are being sent to the log aggregation tool:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:5 + text: i. System OS logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:6 + text: ii. AWS Config (configuration monitoring resource in AWS) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:7 + text: iii. Cloud Trail (All account level activity including API calls, + IAM role/user) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:8 + text: iv. VPC Flow Logs (Showing all network connections to and from a VPC) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:9 + text: v. Guard Duty (AWS provided threat detection service) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:10 + text: 'c. PCI Specific - Whether critical information system activity is + logged such as the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:11 + text: i. Access to all audit trails (Covered through CloudTrail) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:12 + text: ii. Invalid logical access attempts. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:13 + text: 'iii. Use of and changes to identification and authentication mechanisms, + including: All elevation of privileges. All changes, additions, or deletions + to any account with root or administrative privileges. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:14 + text: iv. Initialization of audit logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:15 + text: v. Stopping or pausing of audit logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:16 + text: vi. Creation and deletion of system level objects + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:17 + text: vii. Alerts are in place to be triggered when the aforementioned logs + are not forwarded/face an error in being sent by the log aggregation tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-02 + name: Secure Audit Logging + description: Organization logs critical information system activity to a secure + repository. Organization disables administrators ability to delete or modify + enterprise audit logs; the number of administrators with access to audit logs + is limited. + annotation: '1. Ensure that Organization''s Logging Standard includes logging + requirements for critical system activity to mandate log forwarding and storage + in a central repository. + + 2. Establish a process for periodic review of appropriate access of the administrators + to SIEM tool. + + 3.Ensure that only a defined list of users are allowed to delete/modified + SIEM logs.' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-04 - Access review documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:1 + text: 1. 
Inspect Organization's Logging Standard to determine whether logging + requirements are defined for critical system activity to mandate log forwarding + and storage in a central repository. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:2 + text: 2. Inspect the list of SIEM tool Administrators and validate that + their access is appropriate. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:3 + text: 3. Validate the list of users allowed to delete/modified SIEM tool + logs and ensure it is restricted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-03 + name: 'Audit Logging: Cardholder Data Environment Activity' + description: "Organization logs the following activity for cardholder data environments:\n\ + \u2022 individual user access to cardholder data\n\u2022 administrative actions\n\ + \u2022 access to logging servers\n\u2022 failed logins\n\u2022 modifications\ + \ to authentication mechanisms and user privileges\n\u2022 initialization,\ + \ stopping, or pausing of the audit logs\n\u2022 creation and deletion of\ + \ system-level objects\n\u2022 security events\n\u2022 logs of all system\ + \ components that store, process, transmit, or could impact the security of\ + \ cardholder data (CHD) and/or sensitive authentication data (SAD)\n\u2022\ + \ logs of all critical system components\n\u2022 logs of all servers and system\ + \ components that perform security functions (e.g., firewalls, intrusion-detection\ + \ systems/intrusion-prevention systems (IDS/IPS), authentication servers,\ + \ e-commerce redirection servers, etc.)" + annotation: '1. Ensure that the following activity types are being logged in + SIEM tool: + + a. individual user access to cardholder data + + b. administrative actions + + c. access to logging servers + + d. failed logins + + e. 
modifications to authentication mechanisms and user privileges + + f. initialization, stopping, or pausing of the audit logs + + g. creation and deletion of system-level objects + + h. security events + + i. logs of all system components that store, process, transmit, or could impact + the security of cardholder data (CHD) and/or sensitive authentication data + (SAD) + + j. logs of all critical system components + + k. logs of all servers and system components that perform security functions + (e.g., firewalls, intrusion-detection systems/intrusion-prevention systems + (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:1 + text: '1. Inspect SIEM Logs for a sample of in-scope production servers + to validate that the below activity types are being logged:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:2 + text: a. individual user access to cardholder data + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:3 + text: b. administrative actions + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:4 + text: c. access to logging servers + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:5 + text: d. failed logins + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:6 + text: e. modifications to authentication mechanisms and user privileges + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:7 + text: f. initialization, stopping, or pausing of the audit logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:8 + text: g. creation and deletion of system-level objects + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:9 + text: h. 
security events + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:10 + text: i. logs of all system components that store, process, transmit, or + could impact the security of cardholder data (CHD) and/or sensitive authentication + data (SAD) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:11 + text: j. logs of all critical system components + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:12 + text: k. logs of all servers and system components that perform security + functions (e.g., firewalls, intrusion-detection systems/intrusion-prevention + systems (IDS/IPS), authentication servers, e-commerce redirection servers, + etc.) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-04 + name: 'Audit Logging: Cardholder Data Environment Event Information' + description: "Organization records the following information for confirmed events\ + \ in the cardholder data environment:\n\u2022 user identification\n\u2022\ + \ type of event\n\u2022 date and time\n\u2022 event success or failure indication\n\ + \u2022 origination of the event\n\u2022 identification of affected data, system\ + \ component, or resource" + annotation: '1. Ensure that the below information is being logged for all critical + security events: + + a. user identification + + b. type of event + + c. date and time + + d. event success or failure indication + + e. origination of the event + + f. identification of affected data, system component, or resource' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:1 + text: '1. 
Inspect SIEM Logs for a sample of in-scope production servers + to validate that the below information is being logged for all critical + security events:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:2 + text: a. user identification + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:3 + text: b. type of event + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:4 + text: c. date and time + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:5 + text: d. event success or failure indication + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:6 + text: e. origination of the event + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:7 + text: f. identification of affected data, system component, or resource + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-05 + name: 'Audit Logging: Service Provider Logging Requirements' + description: "Organization establishes unique logging and audit trails for each\ + \ entity's cardholder data environment and complies with the following:\n\u2022\ + \ logs are enabled for third-party applications\n\u2022 logs are active by\ + \ default\n\u2022 logs are available for review by and communicated to the\ + \ owning entity" + annotation: "1. Establish a process that ensures that Organization's audit trails/audit\ + \ logs:\n\u2022 each and every third-party application for every entity.\n\ + \u2022 logs are active by default\n2. Establish a process in the Organization's\ + \ logging and monitoring mechanism which ensures that logs are reviewed periodically\ + \ and on a need-to-do basis. Additionally, the same shall be communicated\ + \ to the concerned stakeholders." 
+ typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:1 + text: '1. Inspect Organization''s audit trails/audit logs for:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:2 + text: "\u2022 each and every third-party application for every entity." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:3 + text: "\u2022 logs are active by default" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:4 + text: 2. Inspect Organization's logging and monitoring mechanism to ensure + that logs are reviewed periodically and on a need-to-do basis. Additionally, + validate whether the same is being communicated to the concerned stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-06 + name: 'Configuration Management: Remote Logging' + description: Where applicable, devices are configured to send audit log data + to a remote server + annotation: 1. Establish a data flow mechanism to ensure that the devices are + configured to send audit log data to a remote server. + typical_evidence: 'E-NO-17 - Data Flow Diagrams + + E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-06:question:1 + text: 1. Inspect Organization's data flow mechanisms to ensure that the + devices are configured to send audit log data to a remote server. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-07 + name: Chain of Accountability + description: Organization implements audit trails to link authentication events + to individuals users in production systems. + annotation: '1. Establish organization''s logging and monitoring process. + + 2. Ensure logs contain identifiers to establish audit trails to systems and + users.' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07:question:1 + text: 1. Validate the organizations logging and monitoring process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07:question:2 + text: 2. Validate whether the logs contain identifiers to establish audit + trails to systems and users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-08 + name: Audit Record Time Stamps + description: Organization records time stamps for audit records that can be + mapped to a centralized time source. + annotation: 1. Ensure that the time sync is enabled, stratums are defined, and + the time servers are working. + typical_evidence: E-SM-05 - NTP logs and configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08:question:1 + text: 1. Validate whether time sync is enabled, stratums are defined, and + the time servers are working. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08:question:2 + text: 2. For a sample of audit records, review time stamps to determine + whether time stamps for audit records can be mapped to a centralized time + source. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-09 + name: 'Log Reconciliation: CMDB' + description: Organization reconciles the established device inventory against + the enterprise log repository on a quarterly basis; devices which do not forward + log data are remediated. + annotation: '1. Design a process to prepare a quarterly Log reconciliation report + which includes reconciliation of the established device inventory against + the enterprise log repository. + + 2. Wherever deviation is identified from the reconciliation, ensure that the + actions are taken for remediation of the devices which do not forward log + data.' + typical_evidence: 'E-SM-06 - Quarterly Log reconciliation report + + E-SM-07 - Sample of remediation documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09:question:1 + text: 1. Inspect Organization's Log reconciliation report to determine that + the established device inventory against the enterprise log repository + is reconciled on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09:question:2 + text: 2. Inspect the actions taken for remediation of the devices which + do not forward log data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-10 + name: Audit Log Capacity and Retention + description: Organization allocates audit record storage capacity in accordance + with logging storage and retention requirements; Audit logs are retained for + 1 year with 90 days of data immediately available for analysis. + annotation: '1. Document Organization''s Logging Standard which includes logging + retention requirements for critical system activity to mandate logs be available + for a minimum for 1 year. 
+ + 2. Implement SIEM tool configuration to retrieve the relevant logs for a minimum + period of 1 year with 90 days of logs be available for immediate analysis.' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-02 - Logging configuration + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:1 + text: 1. Inspect Organization's Logging Standard to determine whether logging + retention requirements are defined for critical system activity to mandate + logs being available for a minimum for 1 year + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:2 + text: 2. Inspect sample logs for in-scope services to validate that the + SIEM tool stores relevant logs for a minimum period of 1 year with 90 + days of logs being available for immediate analysis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:3 + text: 3. Evaluate the SIEM tool configuration to validate the retention + settings for 1 year. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-11 + name: Enterprise Antivirus Logging + description: If applicable, Organization's managed enterprise antivirus deployments + generate audit logs which are retained for 1 year with 90 days of data immediately + available for analysis. + annotation: '1. Enable configurations for Enterprise Antivirus solutions to + ensure that antivirus logs are being forwarded to the SIEM + + 2. Ensure that relevant logs are stored for a minimum period of 1 year with + 90 days of logs being available for immediate analysis.' 
+ typical_evidence: 'E-SM-08 - Enterprise Antivirus Solution configuration + + E-SM-09 - Sample of antivirus logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11:question:1 + text: 1. Inspect configurations for Enterprise Antivirus solutions to validate + that antivirus logs are being forwarded to SIEM. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11:question:2 + text: 2. Inspect sample antivirus logs for in-scope services to validate + that relevant logs are stored for a minimum period of 1 year with 90 days + of logs being available for immediate analysis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-12 + name: Security Monitoring Alert Criteria + description: Organization defines security monitoring alert criteria, how alert + criteria will be flagged, and identifies authorized personnel for flagged + system alerts. + annotation: '1. Document Organization''s Security Monitoring Standard to include + requirements for security monitoring alert criteria. + + 2. Establish a process to periodically review and maintain a list of security + monitoring rules.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-11 - List of monitoring rules + + E-SM-12 - Sample of alert rules' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:2 + text: 2. Obtain list of security monitoring rules that are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:3 + text: 3. 
For a sample of alert rules from a sample of services, inspect + the monitoring tool configuration to determine that rules are implemented + to flag events, and notify authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-13 + name: Security Monitoring Alert Criteria Review + description: Organization reviews security monitoring alert on an annual basis. + annotation: '1. Document Organization''s Security Monitoring Standard to include + requirements for security monitoring alert criteria. + + 2. Establish a process to ensure that the monitoring tool is configured to + review the security alerts on an annual basis by the authorized personnel. ' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-11 - List of monitoring rules + + E-SM-12 - Sample of alert rules' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13:question:2 + text: '2. For a sample of alert rules from a sample of services, inspect + the monitoring tool configuration to determine that security alerts are + reviewed on an annual basis by the authorized personnel. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-14 + name: Log-tampering Detection + description: Organization monitors and flags tampering to the audit logging + and monitoring tools in the production environment. + annotation: '1. 
Ensure Organization''s Security Monitoring Standard to include + requirements for monitoring and flagging, tampering to the audit logging and + monitoring tools in the production environment. + + 2. Ensure specific mechanisms to monitor and flag tampering to the audit logging + and monitoring tools in the production environment are defined and documented. + + 3. Ensure appropriate mechanisms are implemented for protecting integrity + of logs and to prevent/detect logs from being modified/tampered at the storage + location. Additionally, ensure such activities are recorded and controlled. + + 4. Restrict and control administrative permissions to manage and modify audit + logs to authorized personnel only. + + 5. Ensure all administrative and operational activities are logged and events + are captured to trace back to a particular user in case of any modifications/tampering + performed. + + 6. Replicate and store all applicable logs on a centralized server and restrict + access to only authorized personnel.' + typical_evidence: "E-SM-10 - Security Monitoring Standard\nE-SM-11 - List of\ + \ monitoring rules\nE-SM-13 - Log integrity checks \nE-SM-04 - Access review\ + \ documentation" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:1 + text: 1. Obtain relevant organizational policy/standard and ensure defined + process regarding enabling audit logging and monitoring are adhered to. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:2 + text: 2. Validate specific mechanisms to monitor and flag tampering to the + audit logging and monitoring tools in the production environment are defined + and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:3 + text: 3. Validate whether appropriate mechanisms are implemented to protect + the integrity of logs and to prevent/detect logs from being modified/tampered + at the storage location. 
Additionally, ensure such activities are recorded + and controlled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:4 + text: 4. Inspect whether administrative permissions to manage and modify + audit logs are restricted to authorized personnel only. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:5 + text: 5. For a sample of events, inspect whether all administrative and + operational activities are logged and events are captured to trace back + to a particular user in case of any modifications/tampering performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:6 + text: 6. Validate whether all applicable logs are replicated and stored + on a centralized server and access is restricted to only authorized personnel, + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-15 + name: Unauthorized Devices Addition + description: "Unauthorized devices connected to the Organization Network are:\n\ + \u2022 detected within a maximum of five minutes, and\n\u2022 the unauthorized\ + \ device is disabled, or a notification is sent to authorized Organization\ + \ personnel" + annotation: "1. Enable Organization's monitoring tool configurations to ensure\ + \ that unauthorized devices are:\n\u2022 detected within a maximum of five\ + \ minutes, and\n\u2022 the unauthorized device is disabled, or a notification\ + \ is sent to authorized Organization personnel" + typical_evidence: E-SM-14 - Monitoring tool configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:1 + text: '1. 
Inspect Organization''s monitoring tool configurations to ensure + that the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:2 + text: "\u2022 detected within a maximum of five minutes, and" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:3 + text: "\u2022 the unauthorized device is disabled, or a notification is\ + \ sent to authorized Organization personnel" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-16 + name: 'Security Monitoring Alert Criteria: Guest, Anonymous and Temp Accounts' + description: Organization defines security monitoring alert criteria for the + use of guest, anonymous, and temporary accounts on Organization's network. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for the use of guest, + anonymous, and temporary accounts on Organization''s network. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on the use of guest, anonymous, and temporary accounts + on Organization''s network. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: E-SM-10 - Security Monitoring Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria for the use + of guest, anonymous, and temporary accounts on Organization's network + are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:2 + text: 2. 
Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on the + use of guest, anonymous, and temporary accounts on Organization's network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-17 + name: 'Security Monitoring Alert Criteria: VoIP Usage' + description: Organization defines security monitoring alert criteria to detect + deviations from Voice over IP (VoIP) activity standards. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria to detect deviations from + Voice over IP (VoIP) activity standards are defined. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on deviations from Voice over IP (VoIP) activity standards. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: E-SM-10 - Security Monitoring Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + requirements for security monitoring alert criteria to detect deviations + from Voice over IP (VoIP) activity standards are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on deviations + from Voice over IP (VoIP) activity standards. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:3 + text: 3. 
Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-18 + name: 'Prohibited Activity Monitoring: Remote Access' + description: Remote sessions are monitored for prohibited activity. + annotation: 1. Ensure that the monitoring reports or evidence of logs from remote + sessions are reviewed for prohibited activity. + typical_evidence: E-SM-15 - Log evidence from remote sessions + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-18:question:1 + text: 1. Review the monitoring reports or evidence of logs from remote sessions + to determine that the remote sessions are reviewed for prohibited activity. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-19 + name: 'Prohibited Activity Monitoring: Client Run Time Technologies' + description: Organization monitors and flags the use of prohibited client run + time technologies on information systems. + annotation: '1. Ensure that the monitoring software are installed on information + systems. + + 2. Enable the alerting criteria to ensure it monitors prohibited execution.' + typical_evidence: 'E-SM-16 - Evidence of monitoring tool installation + + E-SM-17 - Alerting criteria' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19:question:1 + text: 1. Validate and inspect if monitoring software are installed on information + systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19:question:2 + text: 2. Inspect the alerting criteria to ensure it monitors prohibited + execution. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-20 + name: 'Security Monitoring Alert Criteria: Wireless Access Point' + description: Organization defines security monitoring alert criteria for attack + attempts against wireless access points. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for attack attempts against + wireless access points. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on potential failed login attempts. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-11 - List of monitoring rules' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria for attack + attempts against wireless access points are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20:question:2 + text: 2. Obtain list of security monitoring rules that are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-21 + name: 'Security Monitoring Alert Criteria: Failed Logins' + description: Organization defines security monitoring alert criteria for failed + login attempts on Organization's network. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for failed login attempts + on Organization''s network. + + 2. 
Ensure a sample of security monitoring rules, to validate that the rules + are defined to look for and alert applicable personnel on potential failed + login attempts. + + 3. Ensure that alerts being generated are sent to the SOC team to support + remediation.' + typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria for failed + login attempts on Organization's network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on potential + failed login attempts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-22 + name: 'Security Monitoring Alert Criteria: Privileged Functions' + description: Organization defines security monitoring alert criteria for privileged + functions executed by both authorized and unauthorized users. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for privileged functions + executed by both authorized and unauthorized users. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on privileged functions executed by both authorized and + unauthorized users. + + 3. 
Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for privileged functions executed by both authorized + and unauthorized users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on privileged + functions executed by both authorized and unauthorized users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-23 + name: 'Security Monitoring Alert Criteria: Audit Log Integrity' + description: Organization defines security monitoring alert criteria for changes + to the integrity of audit logs. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for changes to the integrity + of audit logs. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on changes to the integrity of audit logs. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' 
+ typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for changes to the integrity of audit logs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on changes + to the integrity of audit logs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-24 + name: 'Security Monitoring Alert Criteria: Cardholder System Components' + description: Organization defines security monitoring alert criteria for system + components that store, process, transmit, or could impact the security of + cardholder data and/or sensitive authentication data. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for system components + that store, process, transmit, or could impact the security of cardholder + data and/or sensitive authentication data. + + 2. Ensure that the security monitoring rules are defined, enabled, and alert + applicable personnel on checks for any impact to the CDE. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' 
+ typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:1 + text: 1. Inspect whether the security logs from various sources are sent + to the monitoring tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on checks + for any impact to the CDE. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-25 + name: System Security Monitoring + description: Critical systems are monitored in accordance with predefined security + criteria and alerts are sent to authorized personnel. Confirmed incidents + are tracked to resolution. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for responding to flagged system alerts and confirmed incidents. + + 2. Configure security monitoring tool to ensure that critical information + system activity is monitored. + + 3. Ensure that the events are triaged and resolved by authorized personnel + as applicable.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements are defined for responding to flagged system alerts + and confirmed incidents. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:2 + text: 2. For a sample of services, inspect security monitoring tool to determine + whether critical information system activity is monitored. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:3 + text: 3. Inspect a sample of security events to determine whether the events + are triaged and resolved by authorized personnel as applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-26 + name: Intrusion Detection Systems + description: "Organization has an Intrusion Detection System (IDS) or Intrusion\ + \ Prevention System (IPS) deployment(s) and ensures the following:\n\u2022\ + \ signature definitions are updated including the removal of false positive\ + \ signatures\n\u2022 non-signature based attacks are defined\n\u2022 IDS/IPS\ + \ are configured to capture malicious (both signature and non-signature based)\ + \ traffic\n\u2022 alerts are reviewed and resolved by authorized personnel\ + \ when malicious traffic is detected" + annotation: "1. Ensure that the Organization has a policy or standard that covers\ + \ the use and management of intrusion detection system (IDS) or intrusion\ + \ prevention system (IPS) tools on its in-scope systems.\n2. Ensure that there\ + \ is an intrusion detection system (IDS) or intrusion prevention system (IPS)\ + \ deployed on all in-scope systems.\n3. Ensure that IDS/IPS tool is configured\ + \ in a manner that:\n\u2022 signature definitions are updated including the\ + \ removal of false positive signatures\n\u2022 non-signature based attacks\ + \ are defined\n\u2022 IDS/IPS are configured to capture malicious (both signature\ + \ and non-signature based) traffic\n\u2022 alerts are reviewed and resolved\ + \ by authorized personnel when malicious traffic is detected\n4. 
Ensure that\ + \ the ability to disable IDS/IPS tools are restricted to limited personnel,\ + \ and can only be disabled with a proper justification and for a limited time." + typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:1 + text: 1. Inspect the Organization has a policy or standard that details + the use and management of intrusion detection system (IDS) or intrusion + prevention system (IPS) tools on its in-scope systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:2 + text: 2. Obtain a list of all in-scope systems, and for a given sample, + confirm that IDS/IPS is running on those systems, and that they are up + to date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:3 + text: '3. Inspect the IDS/IPS rulesets and ensure that they are configured + with the items below:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:4 + text: "\u2022 signature definitions are updated including the removal of\ + \ false positive signatures" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:5 + text: "\u2022 non-signature based attacks are defined" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:6 + text: "\u2022 IDS/IPS are configured to capture malicious (both signature\ + \ and non-signature based) traffic" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:7 + text: "\u2022 alerts are reviewed and resolved by authorized personnel when\ + \ malicious traffic is detected" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:8 + text: 4. For a sample of alerts, confirm that they were reviewed and resolved + by the authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:9 + text: 5. 
Observe configuration showing that IDS/IPS tools cannot be disabled + except by authorized personnel and can only be disabled with a proper + justification and for a limited time. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-27 + name: System Monitoring Legal Opinion + description: Organization obtains legal opinion with regard to monitoring activities + in accordance with applicable requirements and mandates. + annotation: '1. Design a legal process to ensure that only approved monitoring + criteria is established as per applicable legal, contractual, and government + requirements. + + 2. Ensure any change in monitoring criteria takes legal sign off into consideration.' + typical_evidence: E-SM-20 - Sample of legal sign off on monitoring criteria + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27:question:1 + text: 1. Inspect organization's legal process to ensure approved monitoring + criteria is established as per applicable legal, contractual, and government + requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27:question:2 + text: 2. Validate whether any change in monitoring criteria takes legal + sign off into consideration. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-28 + name: Privileged Session Monitoring + description: 'Organization monitors trusted data environments for unauthorized + logical access connections. ' + annotation: "1. Ensure that Organization's Security Monitoring standard includes\ + \ the requirements for session monitoring.\n2. Configure monitoring tool to\ + \ ensure least privileged principle is followed. \n3. 
Ensure that the organization\ + \ monitors trusted data environments for unauthorized logical access connections." + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-14 - Monitoring tool configuration + + E-SM-21 - Alerting criteria for unauthorized logical access connections' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:1 + text: 1. Inspect Organization's Security Monitoring standard to determine + whether the requirements for session monitoring are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:2 + text: '2. Inspect configurations of monitoring tool to ensure least privileged + principle is followed. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:3 + text: 3. Inspect evidence of the Organization monitoring trusted data environments + for unauthorized logical access connections. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-29 + name: Availability Monitoring Alert Criteria + description: Organization defines availability monitoring alert criteria, how + alert criteria will be flagged, and identifies authorized personnel for flagged + system alerts. + annotation: '1. Ensure that a documented Availability Monitoring Standard is + present including requirements defined for responding to alerts and confirmed + incidents. + + 2. Establish a process to ensure that the availability monitoring rules are + defined and implemented to flag events, and notify authorized personnel. + + 3. Ensure that the system configurations of monitoring tools include Availability + Monitoring Alert Criteria.' 
+ typical_evidence: 'E-SM-22 - Availability Monitoring Standard + + E-SM-23 - Availability Monitoring Rules + + E-SM-24 - Availability Monitoring Tool Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:1 + text: "1. Inspect Organization\u2019s Availability Monitoring Standard to\ + \ determine whether requirements for availability monitoring alert criteria\ + \ are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:2 + text: 2. Inspect availability monitoring tool to determine whether availability + monitoring rules are defined and implemented to flag events, and notify + authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:3 + text: 3. Inspect system configurations of monitoring tools for a sample + of services to determine whether Availability Monitoring Alert Criteria + are configured for monitoring and alerting purposes on in-scope systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-30 + name: Availability Monitoring Alert Criteria Review + description: Organization reviews availability monitoring alert criteria on + an annual basis. + annotation: '1. Ensure that a documented Security Monitoring Standard is present + including process regarding availability monitoring alert criteria. + + 2.. Ensure that the availability monitoring alerts are reviewed on an annual + basis.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-25 - Sample of Availability Monitoring Alerts' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30:question:1 + text: 1. Inspect Security Monitoring Standard to ensure process regarding + availability monitoring alert criteria is defined. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30:question:2 + text: 2. Inspect evidence of availability monitoring alerts to ensure it + is reviewed on an annual basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-31 + name: System Availability Monitoring + description: Critical systems are monitored in accordance with predefined availability + criteria and alerts are sent to authorized personnel. + annotation: '1. Ensure that a documented Availability Monitoring Standard is + present including requirements defined for responding to alerts and confirmed + incidents. + + 2. Ensure that a process has been established which generates alerts against + the availability incidents identified. + + 3. Ensure that the alerts are resolved in a timely manner by authorized personnel.' + typical_evidence: 'E-SM-22 - Availability Monitoring Standard + + E-SM-26 - Sample of Availability Incident Tickets' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31:question:1 + text: "1. Inspect Organization\u2019s Availability Monitoring Standard to\ + \ determine whether requirements are defined for responding to alerts\ + \ and confirmed incidents." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31:question:2 + text: 2. Inspect a sample of availability incident tickets from alerts generated + to determine whether the alerts were resolved in a timely manner by authorized + personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-32 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-32 + name: 'Remote Access: Activity Log Audit' + description: Logs from remote sessions are audited for prohibited activity on + a weekly basis. + annotation: 1. 
Establish a process that ensures the logs from remote sessions + be reviewed for prohibited activity on a weekly basis. + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-27 - Remote Session logs + + E-SM-28 - Periodic log review documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-32:question:1 + text: 1. Inspect evidence of logs of remote sessions to determine that the + logs are reviewed for prohibited activity on a weekly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + assessable: false + depth: 1 + name: Site Operations + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-01 + name: Secured Facility + description: Physical access to restricted areas of the facility is protected + by walls with non-partitioned ceilings, secured entry points, and/or manned + reception desks. + annotation: '1. Ensure that the Organization-owned data center facility is protected + with: Non-partitioned ceilings Secured entry points; and/or Manned reception + desks. ' + typical_evidence: E-SO-01 - Images/Physical inspection confirming Non-partitioned + ceilings Secured entry points; and/or Manned reception desks + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-01:question:1 + text: '1. Observe the Organization-owned data center facility to determine + whether the facility is protected with: Non-partitioned ceilings Secured + entry points; and/or Manned reception desks. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-02 + name: Physical Protection and Positioning of Cabling + description: Organization power and telecommunication lines are protected from + interference, interception, and damage. + annotation: 1. Ensure that the Organization-owned data center facility has power + and telecommunication lines tagged and labelled properly to protect from + interference, interception, and damage. + typical_evidence: E-SO-02 - Images/Physical inspection confirming data center + facility has power and telecommunication lines tagged and labelled + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-02:question:1 + text: 1. Inspect Organization-owned data center facility to determine whether + power and telecommunication lines are tagged and labelled properly to protect + from interference, interception, and damage. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-03 + name: 'Global Coordination of Critical Functions: Information Security Safeguards' + description: Organization consistently applies information security safeguards + in datacenters and campuses. + annotation: "1. Ensure that information security safeguards are in place in\ + \ datacenters and campuses including but not limited to : \nAccess Machines\ + \ at entry/exit\nFire extinguishers\nFire Alarms etc." + typical_evidence: E-SO-03 - Images/Physical inspection confirming information + security safeguards in place at Access Machines at entry/exit, Fire extinguishers, + Fire Alarms etc. 
+ question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:1 + text: '1 Observe whether information security safeguards are in place in + datacenters and campuses including but not limited to : ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:2 + text: Access Machines at entry/exit + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:3 + text: Fire extinguishers + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:4 + text: Fire Alarms etc. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-04 + name: Provisioning Physical Access + description: "Physical access provisioning to an Organization datacenter requires\ + \ management approval and documented specification of: \n\u2022 account type\ + \ (e.g., standard, visitor, or vendor)\n\u2022 access privileges granted\n\ + \u2022 intended business purpose\n\u2022 visitor identification method, if\ + \ applicable\n\u2022 temporary badge issued, if applicable\n\u2022 access\ + \ start date\n\u2022 access duration" + annotation: '1. Ensure all physical access to organization data centers have + management approval and documentation. + + 2. Ensure physical access is granted after appropriate approvals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-09 - Approval evidences for physical access' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:1 + text: '1. Inspect the physical security system workflow to determine whether + requests for physical access required management approval and required + documented specification of:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:2 + text: "\u2022Account type (e.g., visitor, vendor, or regular)." 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:3 + text: "\u2022Access privileges granted." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:4 + text: "\u2022Intended business purpose." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:5 + text: "\u2022Visitor identification method, if applicable." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:6 + text: "\u2022Temporary badge issued, if applicable." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:7 + text: "\u2022Access start date." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:8 + text: "\u2022Access duration." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:9 + text: '2. Inspect physical access request documentation for a sample of + new physical access requests to the Organization-owned data center and + data rooms to determine whether access is approved. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-05 + name: De-provisioning Physical Access + description: Physical access that is no longer required in the event of a termination + or role change is revoked. If applicable, temporary badges are returned prior + to exiting facility. + annotation: '1. Design and document a process for temporary badges being returned + prior to exiting the facility. + + 2. Ensure access is revoked in case of employee termination or role change.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-10 - De-provisioning evidences' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05:question:1 + text: 1. Inspect Physical Access Policy to determine whether it contains + the requirement for temporary badges to be returned prior to exiting the + facility. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05:question:2 + text: '2. Obtain evidence to ensure no physical access is active for the + terminated employees or unnecessary physical access for employees with + a change in their roles and responsibilities. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-06 + name: Periodic Review of Physical Access + description: Organization performs physical account and access reviews on a + quarterly basis; corrective action is taken where applicable. + annotation: '1. Design and document a process for physical access review and + frequency. + + 2. Ensure access review is performed as per defined frequency and necessary + action is taken, if required..' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-11 - Physical Access Review evidence + + E-SO-12 - termination Process Evidence for sample employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06:question:1 + text: "1. Inspect Organization\u2019s Physical Access Policy to determine\ + \ whether requirements for physical access review are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06:question:2 + text: 2. Inspect quarterly physical access review documentation for a sample + of quarters and a sample of Organization-owned data rooms to determine + whether the access review is completed, and corrective actions is documented + and resolved for any access that should be revoked. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-07 + name: Physical Access Role Permission Authorization + description: Initial permission definitions, and changes to permissions, associated + with physical access roles are approved by authorized personnel. 
+ annotation: '1. Ensure all physical access to organization data centers have + management approval and documentation. + + 2. Ensure physical access is granted after appropriate approvals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-09 - Approval evidences for physical access' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07:question:1 + text: 1 Inspect the physical security system workflow to determine whether + requests for physical access require approval. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07:question:2 + text: 2 Inspect an approval of authorized personnel, for any initial permission or + modifications of permissions, ensure they are associated to physical access + roles. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-08 + name: Monitoring Physical Access + description: Intrusion detection and video surveillance are installed at Organization + datacenter locations; confirmed incidents are documented and tracked to resolution. + annotation: '1. Ensure that the Organization data center intrusion detection + and video surveillance system are installed at Organization data center. + + 2. Ensure that event logs are used for resolution of incidents.' + typical_evidence: 'E-SO-04 - Sample CCTV video of data center from intrusion + detection and video surveillance system + + E-IR-07 - Logs of Incident maintained' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08:question:1 + text: 1. Observe the Organization data center intrusion detection and video + surveillance system to determine whether intrusion detection and video + surveillance systems are installed at Organization data center. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08:question:2 + text: 2. If applicable, for a sample of incident observe that event logs + were used for the resolution of the incident. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-09 + name: Surveillance Feed Retention + description: Surveillance feed data is retained for 90 days. + annotation: 1. Ensure that surveillance feed data is stored for 90 days. + typical_evidence: E-SO-05 - Configuration from the camera management system + that shows that it is configured to retain surveillance video data for 90 + days + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09:question:1 + text: 1. Observe a sample of video footage showing the date and timestamp + from the day of collection and one that is from 90 days before that. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09:question:2 + text: 2. Observe a configuration from the camera management system that + shows that it is configured to retain surveillance video data for 90 days + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-10 + name: Visitor Access + description: Physical access for visitors is managed through monitoring, maintaining + records, escorting, and reviewing access monthly. Visitor access records to + the facilities are kept for at least a year. + annotation: '1. Design and document the requirement for visitor access, maintaining + records, escorting, and reviewing access monthly. + + 2. Ensure visitor access is approved, with an escort. + + 3. Ensure monthly access reviews are performed. + + 4. Ensure retention of visitor access for at least a year.' 
+ typical_evidence: "E-SO-08 - \nE-SO-13 - Visitor Approval records\nE-SO-14\ + \ - Visitor access monthly reviews" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:1 + text: 1. Inspect Physical Access Policy to determine whether it contains + the requirement for visitor access, maintaining records, escorting. and + reviewing access monthly. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:2 + text: 2. Obtain and validate evidence that visitor access is approved, with + an escort. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:3 + text: 3. Obtain and validate evidence of monthly access reviews. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:4 + text: 4. Obtain and validate evidence of retention of visitor access for + at least a year. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-11 + name: Physical Access Devices + description: Physical access devices (i.e., keys, combinations, access cards, + etc.) are maintained through an inventory and restricted to authorized individuals. + Appropriate devices are rotated when compromised or upon employee termination + or transfer. + annotation: '1. Ensure inventory of physical access devices is maintained. + + 2. Ensure access to inventory is limited to authorized personnel. + + 3. Ensure rotation of physical access devices when compromised, or employee + termination or transfer.' + typical_evidence: 'E-SO-15 - List of physical devices + + E-SO-16 - Access list to inventory + + E-SO-17 - Evidence of Key Rotation when compromised/ employee termination + or transfer' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:1 + text: 1 Inspect the list of physical access devices. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:2 + text: 2 Inspect the list of individuals who has an access to physical devices. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:3 + text: 3 Inspect whether physical access devices were rotated when compromised + or upon employee termination or transfer. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-12 + name: Temperature and Humidity Control + description: Temperature and humidity levels of datacenter environments are + monitored and maintained at appropriate levels. + annotation: "1. Ensure temperature and humidity monitoring system configurations\ + \ at organization-owned data center are set to determine whether temperature\ + \ and humidity levels are being monitored and configured to alert appropriate\ + \ personnel when temperature or humidity levels exceed set limits. \n2.Ensure\ + \ that temperature and humidity alarms are generated over the threshold." + typical_evidence: 'E-SO-18 - Temperature and Humidity configuration + + E-SO-19 - Temperature and Humidity Threshold defined in system + + E-SO-20 - Temperature and Humidity Alarms triggered and remediation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12:question:1 + text: '1. Inspect the temperature and humidity monitoring system and configurations + at organization-owned data center to determine whether temperature and + humidity levels are being monitored and configured to alert appropriate + personnel when temperature or humidity levels exceed set limits. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12:question:2 + text: 2.Inspect the temperature and humidity alarms generated over the threshold + to determine if any alarms were triggered. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-13 + name: Fire Suppression Systems + description: Emergency responders are automatically contacted when fire detection + systems are activated; the design and function of fire detection and suppression + systems are maintained at appropriate intervals. + annotation: '1. Ensure fire detection systems are in place and emergency responders + are contacted, if required. + + 2. Ensure detection and suppression systems are tested at regular intervals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-06 - Images/Physical inspection confirming the fire detection/suppression + systems in use at the Organization-owned data center + + E-SO-21 - fire suppression/detection certifications ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:1 + text: 1. Inspect Organization's Physical Security Policy, Alarm Management + and System Maintenance Standard to determine whether requirements for + fire detection/suppression systems are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:2 + text: 2. Observe the fire detection/suppression systems in use at the Organization-owned + data center to determine whether they are in place. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:3 + text: 3. Inspect the fire detection system monitoring contract in place + to determine whether Organization has contracted with a third party to + monitor fire detection systems for the Organization-owned data center. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:4 + text: 4. Inspect fire suppression/detection certifications at the Organization + owned data center to determine whether the design and function of these + systems are tested at appropriate intervals. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-14 + name: Power Failure Protection + description: Organization employs uninterruptible power supplies (UPS) and generators + to support critical systems in the event of a power disruption or failure. + The design and function of relevant equipment is certified at appropriate + intervals. + annotation: '1. Ensure UPS and generators are employed to support critical systems + in the event of a power disruption or failure. + + 2. Ensure that UPS and generator are certified at appropriate intervals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-07 - Images/Physical inspection confirming UPS and generators at a selection + of Organization-owned data center + + E-SO-22 - UPS and generator maintenance certificates' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14:question:1 + text: 1. Observe the UPS and generators at a sample of Organization-owned + data center and data rooms to determine whether they are employed to support + critical systems in the event of a power disruption or failure. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14:question:2 + text: 2. Inspect UPS and generator certifications for in-scope Organization + owned-data center and data rooms to determine whether the equipment is + certified at appropriate intervals. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-15 + name: Emergency Shutoff + description: Organization employs emergency power shut-off capabilities. Access + to shut off power is restricted to authorized individuals. + annotation: '1. Ensure process is documented for emergency power shut-off. + + 2. 
Ensure access to shut-off power is limited to authorized personnel.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-23 - List of authorized personnel with access to shut-off power' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15:question:1 + text: 1 Inspect documentation related to emergency power shut-off capabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15:question:2 + text: 2 Obtain and validate a list of authorized personnel who have access + to shut off power. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-16 + name: Emergency Lighting + description: Organization employs emergency lighting in the event of a power + disruption or failure. The design and function of relevant equipment is certified + at appropriate intervals. + annotation: 1. Ensure emergency lighting equipment's are tested at regular intervals. + typical_evidence: E-SO-24 - Emergency lighting equipment certificates + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-16:question:1 + text: 1 Inspect certification of relevant equipment which may be used during + emergency lighting in the event of a power disruption or failure. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + assessable: false + depth: 1 + name: Training and Awareness + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-01 + name: General Security Awareness Training + description: Organization personnel complete security awareness training, which + includes annual updates about relevant policies and how to report security + events to the authorized response team. 
Records of training completion are + documented and retained for tracking purposes. + annotation: "1. Ensure that the requirements for completion of security awareness\ + \ training are defined in the Organization\u2019s Compliance Training Policy\ + \ and Security Awareness Training Standard.\n2. Ensure that the Organization's\ + \ Security Awareness Training Material is well defined, documented, and up\ + \ to date.\n3. Ensure that there is a record of active employees and contractors\ + \ maintained and updated by the organization.\n4. Ensure that security awareness\ + \ training is provided on a regular basis and the progress of all contractors\ + \ and employees participating in the training tracked and documented.." + typical_evidence: 'E-TA-01 - Compliance Training Policy + + + + + + E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:1 + text: "1. Inspect Organization\u2019s Compliance Training Policy and Security\ + \ Awareness Training Standard to determine whether requirements for completion\ + \ of security awareness training are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:2 + text: "2. Inspect Organization\u2019s Security Awareness Training material\ + \ to determine whether it details: Version history of the SAT to determine\ + \ materials are updated during the audit period. How to report security\ + \ events to the appropriate response team" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:3 + text: 3. Obtain the list of active employees and contractors. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:4 + text: 4. For a sample of active employees and contractors, obtain and inspect + the security awareness training completion records to determine whether + training is completed annually and completion is tracked and documented. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-02 + name: Code of Conduct Training + description: Organization full-time and temporary employees and interns complete + a code of business conduct training. + annotation: '1. Ensure that requirements for completion of business code of + conduct training are defined with the organization''s Compliance Training + Policy. + + 2. Ensure that the training material for the Organization''s Code of Business + Conduct outlines the responsibilities of both full-time and temporary employees + in adhering to the code. + + 3. Ensure employees have completed the Code of Business Conduct training as + per the policy by examining training completion records for a group of new + and existing employees.' + typical_evidence: 'E-TA-01 - Compliance Training Policy + + + + + + E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:1 + text: "1. Inspect Organization\u2019s Compliance Training Policy to determine\ + \ whether requirements for completion of business code of conduct training\ + \ are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:2 + text: "2. Inspect Organization\u2019s Code of Business Conduct training\ + \ material to determine whether it includes Organization full-time and\ + \ temporary Employees\u2019 responsibilities for adhering to the business\ + \ code of conduct." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:3 + text: 3. Inspect Code of Conduct training completion records for a selection + of new and current employees to determine whether new hires and existing + employees have completed Code of Business Conduct training in accordance + with the policy. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-03 + name: Accessibility Training + description: Organization personnel complete accessibility awareness training, + which includes annual updates about relevant policies and how to report accessibility + events internally. Records of training completion are documented and retained + for tracking purposes. + annotation: '1. Ensure that the training material includes information about + annual updates to relevant policies and instructions on how to report accessibility + events internally. + + 2. Ensure that well defined and documented records of training completion + are maintained by the organization.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03:question:1 + text: '1 Inspect training material to determine whether it detailed annual + updates about relevant policies and how to report accessibility events + internally. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03:question:2 + text: 2 Inspect training completion records for a sample of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-04 + name: Phishing Awareness + description: Organization performs periodic phishing campaigns. + annotation: 1. Ensure that the organization conducts regular phishing campaigns + to help employees get better at spotting and handling real phishing threats + typical_evidence: E-TA-04 - Evidence of phishing campaigns set up by the organization + (Eg - mails sent etc) + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-04:question:1 + text: 1. 
Verify that the organization performs periodic phishing campaigns + to evaluate and improve their employees' ability to recognize and respond + to real phishing threats. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-05 + name: Developer Security Training + description: Organization's software engineers are required to complete training + based on secure coding techniques on an annual basis. + annotation: '1. Ensure that review of the security training material includes + guidance on yearly Secure Coding Training for PCI developers and software + engineers. + + 2. Ensure that the secure coding training was provided and completed by the + employees within the last 365 days. + + 3. Make sure that engineers are registered for the Security Engineering Training + program as required.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:1 + text: 1. Inspect the Security Training Material to validate that the standard + provides guidance on annual Secure Coding Training for PCI developers + and software engineers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:2 + text: 2. For a sample of employees obtain evidences showing secure coding + training completion. Validate that the date of completion is in the last + 365 days. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:3 + text: 3. Ensure that all engineers are enrolled in the Security Engineering + Training program as needed. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-06 + name: Payment Card Processing Security Awareness Training + description: "Organization personnel that interact with cardholder data systems\ + \ receive awareness training to be aware of attempted tampering or replacement\ + \ of devices. Training should include the following:\n\u2022 verify the identity\ + \ of third-party persons claiming to be repair or maintenance personnel, prior\ + \ to granting them access to modify or troubleshoot devices.\n\u2022 do not\ + \ install, replace, or return devices without verification\n\u2022 be aware\ + \ of suspicious behavior around devices (e.g., attempts by unknown persons\ + \ to unplug or open devices)\n\u2022 report suspicious behavior and indications\ + \ of device tampering or substitution to authorized personnel (e.g., to a\ + \ manager or security officer)" + annotation: "1. Ensure that the training materials to check if they cover the\ + \ following topics:\n\u2022 Confirming the identity of third-party repair\ + \ or maintenance personnel before giving them access to devices.\n\u2022 Not\ + \ making changes or returning devices without proper verification.\n\u2022\ + \ Being alert to unusual behavior around devices, like unauthorized attempts\ + \ to tamper with them.\n\u2022 Reporting any suspicious behavior or signs\ + \ of device tampering to authorized personnel, such as a manager or security\ + \ officer." 
+ typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:1 + text: '1 Inspect training material to determine whether it detailed:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:2 + text: "\u2022 verify the identity of third-party persons claiming to be\ + \ repair or maintenance personnel, prior to granting them access to modify\ + \ or troubleshoot devices." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:3 + text: "\u2022 do not install, replace, or return devices without verification" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:4 + text: "\u2022 be aware of suspicious behavior around devices (e.g., attempts\ + \ by unknown persons to unplug or open devices)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:5 + text: "\u2022 report suspicious behavior and indications of device tampering\ + \ or substitution to authorized personnel (e.g., to a manager or security\ + \ officer)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:6 + text: 2 Inspect training completion records for a selection of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-07 + name: 'Role-based Security Training: HIPAA' + description: Organization personnel with access to personal health information + (PHI) are required to attend and complete HIPAA privacy training. + annotation: "1. Ensure access to sensitive information including (PHI) is given\ + \ to limited employees (based on roles and responsibilities) and records for\ + \ the same shall be maintained. \n2. Ensure all employee that accesses PHI\ + \ shall complete mandatory training of HIPAA security and privacy.\n3. 
Training\ + \ records for the same needs to be maintained for tracking purpose." + typical_evidence: 'E-TA-05 - Access records who have access to PHI + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07:question:1 + text: 1. Inspect the population of Organization personnel who have access + to PHI. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07:question:2 + text: '2. Inspect completion records for a sample of employees with access + to PHI, for evidence that the employees had completed HIPAA security and + privacy training. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-08 + name: Role-based Security Training + description: "Organization personnel with key security responsibilities complete\ + \ relevant role-based training on an annual basis:\n\u2022 personnel must\ + \ complete training prior to obtaining access to privileged security systems\n\ + \u2022 personnel with contingency responsibilities must complete role-based\ + \ training within 10 days of assuming the role\n\u2022 records of training\ + \ completion are documented and retained for tracking purposes" + annotation: '1. Ensure role-based training material contains details around + key security responsibilities. + + 2. Training records for each employee shall be maintained for future tracking.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08:question:1 + text: 1 Inspect training material to determine whether it detailed key security + responsibilities relevant to role-based trainings. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08:question:2 + text: 2 Inspect training completion records for a sample of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-09 + name: Security Champion Training + description: Service teams select a "Security Champion" to ensure security engagement + responsibilities are assigned and tracked to completion; Security Champions + receive training on how to execute responsibilities. + annotation: '1. Ensure there is a process by which the service teams select + a "Security Champion" and they complete their security champions training. + + 2. Maintain training records for the Security Champions.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09:question:1 + text: '1. Inspect documentation related to Security Champions and verify + that they are defined for selected service teams. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09:question:2 + text: 2. Inspect training completion records for a sample of Security Champions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + assessable: false + depth: 1 + name: Third-Party Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-01 + name: Third-Party Assurance Review + description: On a periodic basis, management reviews controls within third-party + assurance reports to ensure that they meet organizational requirements; if + control gaps are identified in the assurance reports, management takes action + to address impact the disclosed gaps have on the organization. + annotation: "1. 
Ensure there is a documented procurement policy and information\ + \ security standard which consists information that includes but not limited\ + \ to third-party assurance reviews. \n2. Ensure a formal questionnaire is\ + \ prepared, which will be used for assessing third-party risks during the\ + \ onboarding process.\n \n3. Ensure there is an action plan for control gaps\ + \ identified at the time of vendor security review for their third-party controls.\n\ + \ " + typical_evidence: "E-TPM-01 - Procurement Policy \nE-TPM-07 - \nE-TPM-02 -\ + \ Questionnaire for assessing third party risks\nE-TPM-03 - " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:1 + text: 1. Inspect Organization Procurement Policy and Vendor Information + Security Standard to determine whether requirements for third-party assurance + reviews are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:2 + text: 2. Observe Organization Risk Assessment system to determine whether + a questionnaire for systematically assessing third-party risks is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:3 + text: "3. For a sample of vendors, inspect whether the corresponding Vendor\ + \ Security Review (VSR) is completed to determine whether management has\ + \ assessed the third party\u2019s controls to determine Organization requirements\ + \ are met and management took action on control gaps as applicable." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-02 + name: Vendor Risk Management + description: Organization performs a risk assessment to determine the data types + that can be shared with a managed service provider. + annotation: '1. 
Ensure there is process to conduct vendor security review and + all vendors must go through the review; records for documentation and risk + rating needs to be maintained. ' + typical_evidence: E-TPM-04 - Vendor Security Reviews Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02:question:1 + text: 1. Validate for a sample for service providers that an assessment + was conducted and a risk rating is assigned to them as part of the VSR + process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02:question:2 + text: 2. Validate that the vendors are listed in the vendor management tool + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-03 + name: Forensic Investigations + description: Organization enables procedures to conduct a forensic investigation + in the event that a hosted merchant or service provider is compromised. + annotation: "1. Ensure there is documented process for conducting a forensic\ + \ investigation in the event when a hosted merchant or service provider is\ + \ compromised. \n2. Ensure documentation for the same needs to be maintained\ + \ for tracking purposes and corrective actions." + typical_evidence: "E-TPM-05 - Forensic investigation process document \nE-TPM-06\ + \ - \n\nSample Forensic Investigations" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03:question:1 + text: 1. Inspect documentation to determine whether procedures to conduct + a forensic investigation in the event when a hosted merchant or service + provider is compromised, are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03:question:2 + text: 2. For sample investigations validate whether appropriate documentation + is retained. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-04 + name: Privacy Risk Assessment + description: Organization reviews the privacy practices of service providers + who access, collect, process, transfer, or store personal information on Organization's + behalf upon initial procurement and renewal; non-compliance is tracked through + remediation. + annotation: "1. Ensure that a process is defined and documented to review the\ + \ privacy practices of service providers who access, collect, process, transfer,\ + \ or store personal information on Organization's behalf.\n2. Ensure that\ + \ the reviews are conducted at the time of initial procurement and at renewal.\n\ + 3. Ensure that any non-compliances are tracked to remediation.\n " + typical_evidence: "E-TPM-07 - \nE-TPM-08 - Privacy Review Evidence\nE-TPM-09\ + \ - Remediation Evidence of non-compliances identified during Vendor Security\ + \ Reviews" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:1 + text: 1. Inspect and validate that a process is defined and documented to + review the privacy practices of service providers who access, collect, + process, transfer, or store personal information on Organization's behalf. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:2 + text: 2. Validate for a sample vendor that the reviews are conducted at + the time of initial procurement and at renewal. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:3 + text: 3. Validate for a sample non-compliance event that it was tracked + to remediation. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:4 + text: ' ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-05 + name: 'Network Access Agreement: Vendors' + description: Third-party entities which gain access to the Organization network + sign a network access agreement. + annotation: 1. Ensure that all third-party vendors sign the network access agreement + before accessing the organization's network. + typical_evidence: E-TPM-10 - Network access Agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-05:question:1 + text: 1. For a sample of vendors validate whether a signed Network Security + Agreement Exists prior to onboarding. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-06 + name: Vendor Non-disclosure Agreements + description: Agency temporary workers, independent contractors, and third-party + entities consent to a non-disclosure clause. + annotation: 1. Ensure that a process is defined and documented for all agency + temporary workers and independent contractors to sign a non-disclosure clauses + before accessing the organization's network. + typical_evidence: E-TPM-11 - Sample Agreements for temporary workers + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06:question:1 + text: 1. Obtain listings of agency temporary workers and independent contractors + from the Contingent Workforce team + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06:question:2 + text: 2. For a sample of agency temporary workers, independent contractors, + inspect Agreement to determine that non-disclosure clause is acknowledged. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-07 + name: Cardholder Data Security Agreement + description: Organization managed service providers that manage, store, or transmit + cardholder data on behalf of the customer must provide written acknowledgement + to customers of their responsibility to protect cardholder data and the cardholder + data environment. + annotation: 1. Ensure that a process is defined and documented for all the managed + service providers that manage, store, or transmit cardholder data on behalf + of the customer to provide a written acknowledgement to customers of their + responsibility to protect cardholder data and the cardholder data environment. + typical_evidence: E-TPM-12 - Evidence to Acknowledgement to Customers for Card + Holder Data responsibilities + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-07:question:1 + text: 1. Validate for a sample Managed Service Provider that they have provided + acknowledgement to customers of their responsibility to protect cardholder + data and the cardholder data environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-08 + name: HIPAA Business Associate Agreement + description: "Organization Business Associate Agreements must contain provisions\ + \ for the following:\n\u2022 permitted uses and disclosures of Protected Health\ + \ Information (PHI)\n\u2022 PHI safeguards to prevent unauthorized use or\ + \ disclosure\n\u2022 communications regarding the unauthorized use or disclosure\ + \ of PHI\n\u2022 PHI availability\n\u2022 contract termination and disposition\ + \ of PHI" + annotation: "1. 
Ensure there is a documented business associate agreement which\ + \ includes clauses but not limited to :\n\u2022 permitted uses and disclosures\ + \ of Protected Health Information (PHI)\n\u2022 PHI safeguards to prevent\ + \ unauthorized use or disclosure\n\u2022 communications regarding the unauthorized\ + \ use or disclosure of PHI\n\u2022 PHI availability\n\u2022 contract termination\ + \ and disposition of PHI\n2. Ensure that a process is defined for all business\ + \ associates to sign and acknowledge to this agreement" + typical_evidence: 'E-TPM-13 - Business Associate Agreement ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:1 + text: '1. Inspect Organization''s Business Associate Agreements and validate + that it includes the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:2 + text: "\u2022 permitted uses and disclosures of Protected Health Information\ + \ (PHI)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:3 + text: "\u2022 PHI safeguards to prevent unauthorized use or disclosure" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:4 + text: "\u2022 communications regarding the unauthorized use or disclosure\ + \ of PHI" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:5 + text: "\u2022 PHI availability" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:6 + text: "\u2022 contract termination and disposition of PHI" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:7 + text: 2. For a sample business associate validate that they have signed + the said agreement. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-09 + name: HIPAA Business Associate Subcontractor Agreement + description: Organization requires a Business Associate Subcontractor Agreement + with Business Associates from which it receives or transmits protected health + information (PHI); Business Associates under contract are required to provide + assurance that they adhere to Organization's security standards, which includes + the security of PHI and reporting security events that potentially expose + PHI. + annotation: '1. Ensure there is a documented business associate subcontractor + agreement which includes, but not limited to: security of PHI and reporting + of security events that potentially exposes PHI. + + 2. Ensure that all business associates are under this agreement and provide + assurance that they adhere to Organization''s security standards.' + typical_evidence: E-TPM-14 - Business Associate Subcontractor Agreement document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09:question:1 + text: 1. Inspect Organization's Business Associate Subcontractor Agreement + document. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09:question:2 + text: 2. Inspect an executed agreement for Organization's Business Associate, + for evidence that Business Associates provide Assurance that they comply + with Organization's security standards, which includes the security of + PHI and reporting security events that potentially expose PHI. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-10 + name: Network Service Level Agreements (SLA) + description: Vendors providing networking services to Organization are contractually + bound to provide secure and available services as documented in SLAs. + annotation: '1. Ensure that a process is defined and documented for ensuring + SLA in case of network services. + + 2. Ensure appropriate contracts are created with network service providers + to ensure availability of network services. + + 3. Ensure appropriate monitoring is enabled to identify any network downtime + and SLA breaches.' + typical_evidence: "E-TPM-15 - Vendor SLA document \nE-TPM-16 - Results of Network\ + \ Configuration Monitoring" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:1 + text: 1. Inspect and a validate that a process is defined and documented + for ensuring SLA in case of network services. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:2 + text: 2. Validate for a sample vendor that contracts are created to ensure + availability of network services. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:3 + text: 3.Validate monitoring configuration to confirm that it is enabled + to identify any network downtime and SLA breaches. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-11 + name: Personal Information Processing and Transfer Agreement + description: Appropriate data processing and transfer agreements are established + for the collection, processing, transfer, or storage of personal information + by, or on behalf of, Organization. + annotation: '1. 
Ensure that a process is defined and documented for establishing + data processing and transfer agreements for the collection, processing, transfer, + or storage of personal information by, or on behalf of, the Organization. + + 2. Ensure these agreements are signed and retained appropriately as per organization''s + policy.' + typical_evidence: E-TPM-17 - Data Processing and Transfer Agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11:question:1 + text: 1. Inspect and validate that a process is defined and documented for + establishing data processing and transfer agreements for the collection, + processing, transfer, or storage of personal information by, or on behalf + of, the Organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11:question:2 + text: 2. Validate for a sample agreement that it is signed and retained + appropriately as per organization's policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-12 + name: Approved Service Provider Listing + description: Organization maintains a list of approved managed service providers + and the services they provide to Organization. + annotation: "1. Ensure there is a documented process for vendor onboarding and\ + \ termination. \n2. Ensure that activities for vendor onboarding and offboarding\ + \ are logged and maintained appropriately.\n3. Ensure that the list of active\ + \ vendors is reviewed and updated periodically." + typical_evidence: E-TPM-18 - Vendor onboarding/ termination document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:1 + text: '1. Inspect and validate that there is a documented process for vendor + onboarding and termination. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:2 + text: 2. Validate that activities for vendor onboarding and offboarding + are logged and maintained appropriately. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:3 + text: 3. Validate the list of active vendors and verify that it is reviewed + and updated periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-13 + name: Vendor Information Security Standard + description: Organization has documented a Vendor Information Security Standard + that defines the responsibilities and governance requirements regarding vendor + information security engagements. Contractual agreements are entered into + with vendors who process or store Organization data that define information + Security terms and service level agreements. + annotation: '1. Ensure there is documented vendor information security standard + which is available on intranet for employees. + + 2. Ensure vendor information security standard defines the responsibilities + and governance requirements regarding vendor information security engagements. + + 3. Ensure appropriate agreements are established with vendors who process + or store Organization data. ' + typical_evidence: "E-TPM-07 - Vendor information security standard\nE-TPM-19\ + \ - \n\nSample Vendor Agreement" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:1 + text: 1. Inspect and validate that there is a documented vendor information + security standard which is available on intranet for employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:2 + text: 2. Validate vendor information security standard defines the responsibilities + and governance requirements regarding vendor information security engagements. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:3 + text: 3. For a sample vendor validate that agreements are established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + assessable: false + depth: 1 + name: Vulnerability Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-01 + name: Vulnerability Scans + description: Organization conducts vulnerability scans against the production + environment; scan tools are updated prior to running scans. + annotation: '1. Ensure that the requirements for periodic vulnerability scans + are defined and documented. + + 2. Ensure a process is established for updating the scanning tool version + prior to running the scan.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-02 - Scan Tool version evidence + + E-VM-03 - Scanning evidence for a sample hosts/accounts' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:1 + text: 1. Review Vulnerability Management policy and/or standard to validate + that they define requirements for periodic vulnerability scans. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:2 + text: 2. Inspect scanning tool version information to ensure they are up + to date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:3 + text: 3. Validate evidence for a sample of service production hosts/accounts + to ensure that vulnerability scans are conducted and tickets are created + as appropriate. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-02 + name: 'Vulnerability Scans: Cardholder Data Environment' + description: Vulnerability scans are conducted against cardholder environments + at least quarterly or after significant change; critical vulnerability resolution + is confirmed via a rescan. + annotation: '1. Ensure that the requirements for quarterly vulnerability scans + against cardholder data environement are defined and documented. + + 2. Ensure a process is established to initiate a scan after every significant + change. + + 3. Ensure all critical vulnerabilities are tracked to resolution and confirmed + via a rescan' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-04 - Resolution and rescan evidence for a sample vulnerability' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:1 + text: 1. Inspect and validate whether the requirements for quarterly vulnerability + scans against cardholder data environement are defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:2 + text: 2. Validate that a process is established to initiate a scan after + every significant change. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:3 + text: 3. Validate for a sample critical vulnerability whether it was tracked + to resolution and confirmed via a rescan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-03 + name: 'Vulnerability Scans: Audit Log Review' + description: When vulnerabilities are identified, Organization analyzes audit + logs to see if it has been previously exploited. Identified exploitations + are resolved through incident management. + annotation: '1. 
Ensure that a process is defined and documented to verify the + exploitability of a vulnerability via audit logs. + + 2. Ensure all identified exploitations are resolved through the incident management + process.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-05 - Sample exploited vulnerability resolution evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03:question:1 + text: 1. Inspect and validate that a process is defined and documented to + verify the exploitability of a vulnerability via audit logs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03:question:2 + text: 2. Validate for a sample exploitation that it was resolved through + the incident management process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-04 + name: 'Vulnerability Scans: Trend Analysis' + description: Organization reviews vulnerability trends over time to include + in risk assessments; high and moderate risk vulnerabilities are remediated + in 30 and 90 days, respectively. + annotation: '1. Ensure that a process has been defined and documented for reviewing + vulnerability trends. + + 2. Ensure that appropriate SLAs are defined to remediate high and moderate + vulnerabilities in 30 and 90 days. + + 3. Ensure the results of these reviews are included in risk assessments.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-06 - Sample vulnerability remediation evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:1 + text: 1. Inspect and validate that a process has been defined and documented + for reviewing vulnerability trends. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:2 + text: 2. 
Validate that appropriate SLAs are defined to remediate high and + moderate risk vulnerabilities in 30 and 90 days. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:3 + text: 3. For a sample of vulnerabilities, validate whether medium and high + risk vulnerabilities were remediated within the SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-05 + name: Approved Scanning Vendor + description: At least quarterly, Organization engages an Approved Scanning Vendor + (ASV) to conduct external vulnerability scans. + annotation: '1. Ensure a process has been defined and documented to conduct + ASV scans for PCI envrionments every 90 days. + + 2. Ensure all findings are remediated and re-scanning is done to maintain + compliance. ' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-07 - Approved Scanning Vendor (ASV) Scan evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + to conduct ASV scans for PCI envrionments every 90 days. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05:question:2 + text: '2. Validate for a sample quarter that, if applicable, all findings + were remediated and re-scan was done to maintain compliance. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-06 + name: Application Penetration Testing + description: Organization conducts penetration tests periodically. + annotation: '1. Ensure that a process has been defined and documented for conducting + penetration tests. + + 2. Ensure the results of the penetration tests are appropriately documented + and tracked till remediation.' 
+ typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-08 - Penetration Test Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for conducting penetration tests. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06:question:2 + text: 2. Validate the results of last penetration test and verify whether + the findings were tracked till remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-07 + name: 'Application Penetration Testing: Cardholder Data Environment' + description: "Organization conducts penetration tests against cardholder data\ + \ environments (CDE) and includes the following requirements:\n\u2022 testing\ + \ covers the entire CDE perimeter and critical data systems\n\u2022 testing\ + \ verifies that CDE perimeter segmentation is operational\n\u2022 testing\ + \ is performed from both inside and outside the CDE network\n\u2022 testing\ + \ validates segmentation and scope-reduction controls (e.g., tokenization\ + \ processes)\n\u2022 network layer penetration tests include components that\ + \ support network functions as well as operating systems \n\u2022 at the application\ + \ level, testing provides coverage, at a minimum, against the security testing\ + \ requirements defined in VM-05-01 (01)\n\u2022 testing is performed with\ + \ consideration of threats verified in the last 12 months from external alerts,\ + \ directives, and advisories defined in VM-06-02\n\u2022 testing is performed\ + \ with consideration of vulnerabilities reported through Organization's PSIRT\ + \ process within the last 12 months\n\u2022 risk ratings are assigned to discovered\ + \ vulnerabilities, which are tracked through remediation" + annotation: 
"1. Ensure that a process has been defined and documented for conducting\ + \ penetration tests for the Card Holder Data Environments.\n2. Ensure that\ + \ the testing covers the following requirements:\n\u2022 testing covers the\ + \ entire CDE perimeter and critical data systems\n\u2022 testing verifies\ + \ that CDE perimeter segmentation is operational\n\u2022 testing is performed\ + \ from both inside and outside the CDE network\n\u2022 testing validates segmentation\ + \ and scope-reduction controls (e.g., tokenization processes)\n\u2022 network\ + \ layer penetration tests include components that support network functions\ + \ as well as operating systems \n\u2022 at the application level, testing\ + \ provides coverage, at a minimum, against the security testing requirements\ + \ defined in VM-05-01 (01)\n\u2022 testing is performed with consideration\ + \ of threats verified in the last 12 months from external alerts, directives,\ + \ and advisories defined in VM-06-02\n\u2022 testing is performed with consideration\ + \ of vulnerabilities reported through Organization's PSIRT process within\ + \ the last 12 months\n\u2022 risk ratings are assigned to discovered vulnerabilities,\ + \ which are tracked through remediation" + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-08 - Penetration Test Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:1 + text: 1. For PCI in-scope services, obtain and inspect evidence to show + that external pen test, internal pen test, and segmentation tests were + performed appropriately. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:2 + text: '2. 
Validate the pen test reports documented the below mentioned requirements: ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:3 + text: "\u2022 testing covers the entire CDE perimeter and critical data\ + \ systems" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:4 + text: "\u2022 testing verifies that CDE perimeter segmentation is operational" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:5 + text: "\u2022 testing is performed from both inside and outside the CDE\ + \ network" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:6 + text: "\u2022 testing validates segmentation and scope-reduction controls\ + \ (e.g., tokenization processes)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:7 + text: "\u2022 network layer penetration tests include components that support\ + \ network functions as well as operating systems " + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:8 + text: "\u2022 at the application level, testing provides coverage, at a\ + \ minimum, against the security testing requirements defined in VM-05-01\ + \ (01)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:9 + text: "\u2022 testing is performed with consideration of threats verified\ + \ in the last 12 months from external alerts, directives, and advisories\ + \ defined in VM-06-02" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:10 + text: "\u2022 testing is performed with consideration of vulnerabilities\ + \ reported through Organization's PSIRT process within the last 12 months" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:11 + text: "\u2022 risk ratings are assigned to discovered vulnerabilities, which\ + \ are tracked through remediation" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-08 + name: Infrastructure Patch Management + 
description: Organization installs security-relevant patches, including software + or firmware updates; identified end-of-life software must have a documented + decommission plan in place. + annotation: "1. Ensure that a process for patch management and end-of-life requirements\ + \ is defined and documented.\n2. Ensure that patch updates are implemented\ + \ for all compute resources. \n3. Ensure all end-of-life software are decommissioned\ + \ with a documented plan." + typical_evidence: 'E-VM-09 - Infrastructure Management Policy + + E-VM-10 - Patch Implementation Evidence + + E-VM-11 - End of Life software decomission plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:1 + text: 1. Inspect and validate that a process for patch management and end-of-life + requirements is defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:2 + text: 2. For a sample of servers/virtual machine validate that patch updates + are implemented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:3 + text: 3. For a sample of end-of-life software validate that it was decommissioned + with a documented plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-09 + name: Enterprise Antivirus + description: Organization has managed enterprise antivirus deployments to detect + and respond to malicious activities. + annotation: '1. Ensure a process has been defined and documented for deploying + antivirus to detect and respond to malicious activities. + + 2. Ensure that antivirus is deployed on all applicable systems.' 
+ typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-12 - Antivirus Deployment Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for deploying antivirus to detect and respond to malicious activities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09:question:2 + text: 2. For a sample system validate that antivirus is deployed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-10 + name: Enterprise Antivirus Tampering + description: Antivirus mechanisms cannot be disabled or altered by users unless + specifically authorized by management. + annotation: 1. Ensure that appropriate policies are configured to prevent users + from disabling or altering antivirus mechanisms. + typical_evidence: E-VM-13 - Antivirus Configuration Policies + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-10:question:1 + text: 1. Validate whether appropriate policies are configured to prevent + users from disabling or altering antivirus mechanisms. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-11 + name: Enterprise Antivirus Scope + description: Vulnerability scans are periodically performed on systems that + do not require anti-virus; management determines if anti-virus should be required + on the system based on scan results and associated risk. + annotation: '1. Ensure a process is defined and documented to perform vulnerability + scans on all systems. + + 2. Ensure the process identifies systems on which antivirus should be deployed.' 
+ typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11:question:1 + text: 1. Inspect and validate a process is defined and documented to perform + vulnerability scans on all systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11:question:2 + text: 2. Validate whether the scan identifies systems on which antivirus + should be deployed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-12 + name: 'Maintenance Tools: Inspect Media' + description: Organization checks media containing diagnostic and test programs + for malicious code before the media are used in production systems. + annotation: '1. Ensure a process has been defined and documented to check media + with diagnostic and test programs before using in production. + + 2. Ensure that only media without any malicious code are used in production.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-14 - Media usage logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12:question:1 + text: 1. Inspect and validate that a process has been defined and documented + to check media with diagnostic and test programs before using in production. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12:question:2 + text: 2. Validate using logs and scan results that only media without any + malicious code were used in production. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-13 + name: Code Security Check + description: Organization conducts periodic source code checks for vulnerabilities. 
+ annotation: '1. Ensure a process has been defined and documented for performing + source code check for vulnerabilities. + + 2. Ensure all vulnerabilities are tracked and resolved as per organization''s + SLA.' + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13:question:2 + text: 2. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-14 + name: 'Code Security Check: Cardholder Data Environment' + description: "Where applicable, security testing performed prior to releasing\ + \ code into production includes the following:\n\u2022 code injection\n\u2022\ + \ buffer overflows\n\u2022 insecure cryptographic storage\n\u2022 insecure\ + \ communications\n\u2022 improper error handling\n\u2022 high-risk vulnerabilities\n\ + \u2022 cross-site scripting\n\u2022 improper access control\n\u2022 cross-site\ + \ request forgery\n\u2022 broken authentication session management" + annotation: "1. Ensure a process has been defined and documented for performing\ + \ source code check for vulnerabilities.\n2. 
Ensure the following aspects\ + \ are covered as part of the testing:\n\u2022 code injection\n\u2022 buffer\ + \ overflows\n\u2022 insecure cryptographic storage\n\u2022 insecure communications\n\ + \u2022 improper error handling\n\u2022 high-risk vulnerabilities\n\u2022 cross-site\ + \ scripting\n\u2022 improper access control\n\u2022 cross-site request forgery\n\ + \u2022 broken authentication session management\n3. Ensure all vulnerabilities\ + \ are tracked and resolved as per organization's SLA." + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:2 + text: '2. Validate for a sample scan whether the following aspects were + covered as part of the testing:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:3 + text: "\u2022 code injection" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:4 + text: "\u2022 buffer overflows" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:5 + text: "\u2022 insecure cryptographic storage" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:6 + text: "\u2022 insecure communications" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:7 + text: "\u2022 improper error handling" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:8 + text: "\u2022 high-risk vulnerabilities" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:9 + text: "\u2022 cross-site scripting" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:10 + text: "\u2022 improper access control" + - urn: 
urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:11 + text: "\u2022 cross-site request forgery" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:12 + text: "\u2022 broken authentication session management" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:13 + text: 3. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-15 + name: Third-Party Library Check + description: Organization scans third-party libraries for vulnerabilities according + to the service risk rating assignment. + annotation: '1. Ensure a process has been defined and documented for performing + source code check for vulnerabilities. + + 2. Ensure that third-party libraries are scanned for vulnerabilities as per + service risk rating assignment. + + 3. Ensure all vulnerabilities are tracked and resolved as per organization''s + SLA.' + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:2 + text: 2. Validate for a sample scan whether third-party libraries are scanned + for vulnerabilities as per service risk rating assignment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:3 + text: 3. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-16 + name: Non-disclosure of Error Detail + description: Information systems are designed to ensure error messages generated + provide adequate information for taking corrective action without revealing + sensitive information. + annotation: 1. Ensure that a process is defined to design Information systems + in such a way that error messages generated provide adequate information for + taking corrective action without revealing sensitive information. + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-VM-16 - Sample Error Messages' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16:question:1 + text: 1. Inspect the type of error messages configured in a sample of applications. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16:question:2 + text: 2. Ensure no sensitive data or user information is provided via error + messages. Additionally, ensure appropriate corrective actions are highlighted + in the error message. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-17 + name: Embedded Authenticators + description: Quality Engineering checks to ensure that static passwords are + not embedded within application source code or access scripts, prior to deployment + on the Organization network. + annotation: '1. Ensure a process has been defined and documented for performing + source code check for vulnerabilities. + + 2. Ensure that static passwords are not embedded within application source + code or access scripts, prior to deployment on the Organization network. + + 3. Ensure all vulnerabilities are tracked and resolved as per organization''s + SLA.' 
+ typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:2 + text: 2. Validate for a sample scan whether a check was done so that static + passwords are not embedded within application source code or access scripts, + prior to deployment on the Organization network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:3 + text: 3. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-18 + name: External Information Security Inquiries + description: Organization reviews information-security-related inquiries, complaints, + and disputes. + annotation: '1. Ensure a process has been defined and documented to receive + information related inquiries, complaints, and disputes. + + 2. Ensure all of the received inquiries, disputes, and compliants are reviewed + and resolved as applicable.' + typical_evidence: 'E-IR-02 - Incident Management Policy + + E-VM-17 - Sample Disputes, inquiries and complaints' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18:question:1 + text: 1. Inspect and validate that a process has been defined and documented + to receive information related inquiries, complaints, and disputes. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18:question:2 + text: 2. Validate for a sample query that it was reviewed and resolved as + applicable. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-19 + name: External Alerts and Advisories + description: Organization reviews alerts and advisories from management approved + security forums and communicates verified threats to authorized personnel. + annotation: '1. Ensure that a process has been defined and documented to review + alerts and advisories from approved security forums. + + 2. Ensure that management reviews the list of approved security forums and + updates accordingly. + + 3. Ensure all verified threats are communicated to authorized personnel and + tracked to resolution' + typical_evidence: 'E-IR-02 - Incident Management Policy + + E-VM-18 - Management Review Evidence + + E-VM-19 - Verified Threats resolution evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:1 + text: 1. Inspect and validate that a process has been defined and documented + to review alerts and advisories from approved security forums. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:2 + text: 2. Validate whether the management reviews the list of approved security + forums and updates accordingly using last update evidence. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:3 + text: 3. Validate communication and resolution evidence for a sample of + verified threats. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-20 + name: Third-Party Security Assessment + description: Organization engages qualified managed service providers to perform + independent information security assessments. + annotation: '1. 
Ensure a process has been defined and documented to engage qualified + managed service providers for performing independent information security + assessments. + + 2. Ensure these assessments are performed in accordance with organization + requirements.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-VM-20 - Sample Independent Information Security Assessment Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20:question:1 + text: 1. Inspect and valudate whether a process has been defined and documented + to engage qualified managed service providers for performing independent + information security assessments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20:question:2 + text: 2. Validate whether these assessments were performed in accordance + with organization requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-21 + name: Security Testing Window + description: Security administrators notify relevant parties prior to executing + technical security assessments; assessment details and results are documented + in a ticket. + annotation: '1. Ensure a process has been defined and documented to notify relevant + parties before executing technical security assessments. + + 2. Ensure all assessment details and results are appropriately documented.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-21 - Sample Assessment Ticket and notification' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + to notify relevant parties before executing technical security assessments. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:2 + text: 2. Validate for a sample assessment whether details and results were + appropriately documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:3 + text: 3. Also validate whether appropriate notification was sent to all + relevant parties prior to executing the assessment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-22 + name: Vulnerability Remediation + description: Organization assigns a risk rating to identified vulnerabilities + and prioritizes remediation of legitimate vulnerabilities according to the + assigned risk. + annotation: '1. Ensure a process has been defined and documented for assigning + risk rating to all identified vulnerabilities. + + 2. Ensure vulnerabilities are remediated and prioritized as per the risk rating.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-20 - Sample Independent Information Security Assessment Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for assigning risk rating to all identified vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22:question:2 + text: 2. Validate for a sample of vulnerabilities whether they were remediated + as per their risk rating. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-23 + name: Backlog Prioritization + description: Organization documents identified bugs, prioritize bug fixes according + to risk, and tracks resolution as part of the product release cycle. + annotation: '1. 
Ensure a process has been defined and documented for creating + documentation for identified bugs. + + 2. Ensure all identified bugs are fixed according to risk and are tracked + till resolution' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-22 - Sample Identified Bugs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23:question:1 + text: 1. Inspect and validate that a process has been defined and documented + for creating documentation for identified bugs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23:question:2 + text: 2. Validate for a sample of all identified bugs whether they were + fixed according to risk and were tracked till resolution diff --git a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte index b896c16e1..1b9ae9dbb 100644 --- a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte +++ b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte @@ -14,6 +14,7 @@ const threats = data.requirement.threats; const reference_controls = data.requirement.reference_controls; const annotation = data.requirement.annotation; + const typical_evidence = data.requirement.typical_evidence; const has_threats = threats && threats.length > 0; const has_reference_controls = reference_controls && reference_controls.length > 0; @@ -173,6 +174,17 @@

{/if} + {#if typical_evidence} +
+

+ + {m.typicalEvidence()} +

+

+ {typical_evidence} +

+
+ {/if} {#if mappingInference.result}
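Review bot: The new block renders `{typical_evidence}` as plain text, and the converter added in tools/ccf/convert_ccf.py joins the evidence entries with newlines, so unless the wrapping element preserves whitespace (its classes are not visible in this rendering) the entries presumably collapse onto a single line; the same applies to the identical block in the edit page hunk below. Keeping the value as a `{...}` interpolation is the right choice, since Svelte escapes it; if one entry per line is wanted, split the string on `\n` into a list or add a whitespace-preserving style rather than switching to `{@html}`. The enclosing markup of this section starts outside the hunk.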

diff --git a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte index 926160ef4..59e6834a6 100644 --- a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte +++ b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte @@ -7,6 +7,7 @@ const threats = data.requirement.threats; const reference_controls = data.requirement.reference_controls; const annotation = data.requirement.annotation; + const typical_evidence = data.requirement.typical_evidence; const has_threats = threats && threats.length > 0; const has_reference_controls = reference_controls && reference_controls.length > 0; @@ -269,6 +270,17 @@

{/if} + {#if typical_evidence} +
+

+ + {m.typicalEvidence()} +

+

+ {typical_evidence} +

+
+ {/if} {#if mappingInference.result}

diff --git a/tools/ccf/Open_Source_CCF.xlsx b/tools/ccf/Open_Source_CCF.xlsx new file mode 100644 index 000000000..92e0608dc Binary files /dev/null and b/tools/ccf/Open_Source_CCF.xlsx differ diff --git a/tools/ccf/ccf-v5.xlsx b/tools/ccf/ccf-v5.xlsx new file mode 100644 index 000000000..4576a4167 Binary files /dev/null and b/tools/ccf/ccf-v5.xlsx differ diff --git a/tools/ccf/convert_ccf.py b/tools/ccf/convert_ccf.py new file mode 100644 index 000000000..c505a1ddd --- /dev/null +++ b/tools/ccf/convert_ccf.py 
@@ -0,0 +1,143 @@ +""" +Simple script to convert Adobe CCF Security Controls v5 Excel in a CISO Assistant Excel file +Source: https://www.adobe.com/content/dam/cc/en/trust/pdfs/Open_Source_CCF.xls +""" + +import openpyxl +import sys +import re +import argparse +from openpyxl.styles import numbers + +parser = argparse.ArgumentParser( + prog="convert_ccf", + description="convert Adobe CCF Security Controls v5 Excel file to CISO Assistant Excel file", +) + +parser.add_argument("filename", help="name of Adobe CCF Excel file") +args = parser.parse_args() +input_file_name = args.filename +output_file_name = "ccf-v5.xlsx" + +library_copyright = """Creative Commons""" +packager = "intuitem" + +library_description = """Adobe Common Controls Framework (CCF) version 5 +https://www.adobe.com/trust/compliance/adobe-ccf.html +""" + +print("parsing", input_file_name) + +# Define variable to load the dataframe +dataframe = openpyxl.load_workbook(input_file_name) +controls = {} +evidences = {} +output_table = [] +current_domain = "" + +for tab in dataframe: + print("parsing tab", tab.title) + title = tab.title + if title in ("CCF Control Guidance"): + first = True + for row in tab: + if not first: + ( + id, + domain, + name, + description, + control_theme, + control_type, + policy, + implementation, + testing, + artifacts, + ) = (r.value for r in row[0:10]) + artifacts = [v for v in artifacts.splitlines() if v != ""] + implementation = [v for v in implementation.splitlines() if v != ""] + testing = [v for v in testing.splitlines() if v != ""] + controls[id] = ( + id, + domain, + name, + description, + control_theme, + control_type, + policy, + implementation, + testing, + artifacts, + ) + first = False + if title in ("Evidence Request List (ERL)"): + for row in tab: + (evidence_id, domain, title) = (r.value for r in row[0:3]) + evidences[evidence_id] = title + +print("generating", output_file_name) +wb_output = openpyxl.Workbook() +ws = wb_output.active +ws.title = 
"library_content" +ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:adobe-ccf-v5"]) +ws.append(["library_version", 1]) +ws.append(["library_locale", "en"]) +ws.append(["library_ref_id", "adobe-ccf-v5"]) +ws.append(["library_name", "Adobe CCF v5"]) +ws.append(["library_description", library_description]) +ws.append(["library_copyright", library_copyright]) +ws.append(["library_provider", "Adobe"]) +ws.append(["library_packager", packager]) +ws.append(["framework_urn", f"urn:{packager.lower()}:risk:framework:adobe-ccf-v5"]) +ws.append(["framework_ref_id", "adobe-ccf-v5"]) +ws.append(["framework_name", "Adobe CCF v5"]) +ws.append(["framework_description", library_description]) +ws.append(["tab", "requirements", "requirements"]) +ws.append(["tab", "answers", "answers"]) + +ws1 = wb_output.create_sheet("requirements") +ws1.append( + [ + "assessable", + "depth", + "ref_id", + "name", + "description", + "questions", + "answer", + "typical_evidence", + "annotation", + ] +) +for id in controls: + ( + id, + domain, + name, + description, + control_theme, + control_type, + policy, + implementation, + testing, + artifacts, + ) = controls[id] + if domain != current_domain: + output_table.append(("", 1, "", domain, "", "")) + current_domain = domain + annotation = "\n".join(implementation) + typical_evidence = "\n".join([v + " - " + evidences.get(v, "") for v in artifacts]) + questions = "\n".join(testing) + answer = "YNNA" + output_table.append( + ("x", 2, id, name, description, questions, answer, typical_evidence, annotation) + ) +for row in output_table: + ws1.append(row) + +ws2 = wb_output.create_sheet("answers") +ws2.append(["id", "question_type", "question_choices"]) +ws2.append(["YNNA", "unique_choice", "Yes\nNo\nN/A"]) + +print("generate ", output_file_name) +wb_output.save(output_file_name)
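Review bot: `if title in ("CCF Control Guidance"):` and `if title in ("Evidence Request List (ERL)"):` in the tab loop are substring tests on a plain string, not tuple membership (the parentheses do not build a tuple), so any tab whose title is a substring of those names would also match; write them as `if title == "CCF Control Guidance":` and `if title == "Evidence Request List (ERL)":`. The ERL loop has no header-row skip equivalent to the `first` flag used for the guidance tab, so the header row presumably lands in `evidences` as an entry, and it rebinds `title` inside the loop, shadowing the tab title. `artifacts.splitlines()`, `implementation.splitlines()` and `testing.splitlines()` raise `AttributeError` when a cell is empty (openpyxl yields `None`), so a guard such as `(artifacts or "").splitlines()` would make the conversion tolerant of blank cells. `id` shadows the builtin throughout; `ctrl_id` would be clearer.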