diff --git a/backend/core/migrations/0010_rename_score_definition_framework_scores_definition_and_more.py b/backend/core/migrations/0010_rename_score_definition_framework_scores_definition_and_more.py
new file mode 100644
index 000000000..c7a0605d7
--- /dev/null
+++ b/backend/core/migrations/0010_rename_score_definition_framework_scores_definition_and_more.py
@@ -0,0 +1,100 @@
+# Generated by Django 5.0.4 on 2024-04-28 15:34
+# well-known scores added manually
+
+from django.db import migrations, models
+
+
+WELL_KNOWN_SCORES = {
+    "urn:intuitem:risk:framework:tisax-v6.0.2": (0, 5),
+    "urn:intuitem:risk:framework:ccb-cff-2023-03-01": (1, 5),
+    "urn:intuitem:risk:framework:nist-csf-2.0": (1, 4),
+}
+
+
+def fix_well_known_scores(apps, schema_editor):
+    Framework = apps.get_model("core", "Framework")
+    ComplianceAssessment = apps.get_model("core", "ComplianceAssessment")
+    for framework in Framework.objects.all():
+        if framework.urn in WELL_KNOWN_SCORES:
+            (framework.min_score, framework.max_score) = WELL_KNOWN_SCORES[
+                framework.urn
+            ]
+            framework.save()
+            print("custom migration for", framework.urn)
+    for assessment in ComplianceAssessment.objects.all():
+        if assessment.framework.urn in WELL_KNOWN_SCORES:
+            (assessment.min_score, assessment.max_score) = WELL_KNOWN_SCORES[
+                assessment.framework.urn
+            ]
+            print("custom migration for", assessment.framework.urn)
+        else:
+            # no default value, so fix it now
+            (assessment.min_score, assessment.max_score) = (0, 100)
+        assessment.save()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0009_framework_max_score_framework_min_score_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="framework",
+            old_name="score_definition",
+            new_name="scores_definition",
+        ),
+        migrations.RemoveField(
+            model_name="requirementnode",
+            name="level",
+        ),
+        migrations.RemoveField(
+            model_name="requirementnode",
+            name="maturity",
+        ),
+        migrations.AddField(
+            model_name="complianceassessment",
+            name="max_score",
+            field=models.IntegerField(null=True, verbose_name="Maximum score"),
+        ),
+        migrations.AddField(
+            model_name="complianceassessment",
+            name="min_score",
+            field=models.IntegerField(null=True, verbose_name="Minimum score"),
+        ),
+        migrations.AddField(
+            model_name="complianceassessment",
+            name="scores_definition",
+            field=models.JSONField(
+                blank=True, null=True, verbose_name="Score definition"
+            ),
+        ),
+        migrations.AddField(
+            model_name="complianceassessment",
+            name="selected_implementation_groups",
+            field=models.JSONField(
+                blank=True, null=True, verbose_name="Selected implementation groups"
+            ),
+        ),
+        migrations.AddField(
+            model_name="framework",
+            name="implementation_groups_definition",
+            field=models.JSONField(
+                blank=True, null=True, verbose_name="Implementation groups definition"
+            ),
+        ),
+        migrations.AddField(
+            model_name="requirementassessment",
+            name="selected",
+            field=models.BooleanField(default=True, verbose_name="Selected"),
+        ),
+        migrations.AddField(
+            model_name="requirementnode",
+            name="implementation_groups",
+            field=models.JSONField(null=True, verbose_name="Implementation groups"),
+        ),
+        migrations.DeleteModel(
+            name="RequirementLevel",
+        ),
+        migrations.RunPython(fix_well_known_scores),
+    ]
diff --git a/backend/core/models.py b/backend/core/models.py
index c8d8c8f2f..19ab2c514 100644
--- a/backend/core/models.py
+++ b/backend/core/models.py
@@ -329,9 +329,12 @@ def __str__(self) -> str:
 class Framework(ReferentialObjectMixin):
     min_score = models.IntegerField(default=0, verbose_name=_("Minimum score"))
     max_score = models.IntegerField(default=100, verbose_name=_("Maximum score"))
-    score_definition = models.JSONField(
+    scores_definition = models.JSONField(
         blank=True, null=True, verbose_name=_("Score definition")
     )
+    implementation_groups_definition = models.JSONField(
+        blank=True, null=True, verbose_name=_("Implementation groups definition")
+    )
     library = models.ForeignKey(
         Library,
         on_delete=models.CASCADE,
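Review bot: The fallback branch in `fix_well_known_scores` hard-codes `(0, 100)` and neither branch copies `scores_definition`, so an assessment whose framework is not in `WELL_KNOWN_SCORES` but carries its own bounds ends up disagreeing with that framework, and every migrated row keeps `scores_definition = None` for good — the historical model from `apps.get_model` has no `save()` override, and the one added in models.py only fires while `min_score is None`, which is no longer true once this migration has run. Replace the else branch with `(assessment.min_score, assessment.max_score) = (assessment.framework.min_score, assessment.framework.max_score)`, add `assessment.scores_definition = assessment.framework.scores_definition` before `assessment.save()`, and iterate `ComplianceAssessment.objects.select_related("framework")` to avoid one query per row. `migrations.RunPython(fix_well_known_scores)` has no reverse callable, which makes the whole migration irreversible; `migrations.RunPython(fix_well_known_scores, migrations.RunPython.noop)` keeps rollback of the schema operations possible. The `print` calls write to stdout on every deploy; a module logger would be the usual choice, but that is cosmetic.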
@@ -411,7 +414,9 @@ class RequirementNode(ReferentialObjectMixin):
         max_length=100, null=True, blank=True, verbose_name=_("Parent URN")
     )
     order_id = models.IntegerField(null=True, verbose_name=_("Order ID"))
-    maturity = models.IntegerField(null=True, verbose_name=_("Maturity"))
+    implementation_groups = models.JSONField(
+        null=True, verbose_name=_("Implementation groups")
+    )
     assessable = models.BooleanField(null=False, verbose_name=_("Assessable"))
 
     class Meta:
@@ -1257,11 +1262,27 @@ class Result(models.TextChoices):
         choices=Result.choices,
         verbose_name=_("Result"),
     )
+    selected_implementation_groups = models.JSONField(
+        blank=True, null=True, verbose_name=_("Selected implementation groups")
+    )
+    # score system is suggested by the framework, but can be changed at the start of the assessment
+    min_score = models.IntegerField(null=True, verbose_name=_("Minimum score"))
+    max_score = models.IntegerField(null=True, verbose_name=_("Maximum score"))
+    scores_definition = models.JSONField(
+        blank=True, null=True, verbose_name=_("Score definition")
+    )
 
     class Meta:
         verbose_name = _("Compliance assessment")
         verbose_name_plural = _("Compliance assessments")
 
+    def save(self, *args, **kwargs) -> None:
+        if self.min_score is None:
+            self.min_score = self.framework.min_score
+            self.max_score = self.framework.max_score
+            self.scores_definition = self.framework.scores_definition
+        super().save(*args, **kwargs)
+
     def get_global_score(self):
         requirement_assessments_scored = (
             RequirementAssessment.objects.filter(compliance_assessment=self)
@@ -1495,6 +1516,10 @@ class Status(models.TextChoices):
         verbose_name=_("Applied controls"),
         related_name="requirement_assessments",
     )
+    selected = models.BooleanField(
+        default=True,
+        verbose_name=_("Selected"),
+    )
 
     def __str__(self) -> str:
         return self.requirement.display_short
diff --git a/backend/core/serializers.py b/backend/core/serializers.py
index 1737a4114..4ece34249 100644
--- a/backend/core/serializers.py
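Review bot: The new `ComplianceAssessment.save()` copies the framework's score system only while `min_score is None`, but nothing enforces `min_score < max_score`, and nothing stops the bounds being edited after requirement assessments have been scored — the comment promises the system "can be changed at the start of the assessment", yet `save()` accepts a change at any point and `validate_score` in serializers.py only checks scores being written, so earlier scores can silently fall outside the new range before `get_global_score` (whose body continues past this hunk) aggregates them. I would add a `clean()` with the range check below, mirrored in the assessment write serializer's `validate()` so API callers get a 400 rather than a 500, and extend it to refuse a bounds change once the instance has scored requirement assessments (the reverse relation name is not visible here, so that branch is left as a comment); `ValidationError` assumes `django.core.exceptions.ValidationError` is imported in models.py. A model `save()` override is also bypassed by `bulk_create()` and `QuerySet.update()`, so any import path using those has to copy the bounds itself. `selected_implementation_groups` is stored as free-form JSON with no check that each entry is a `ref_id` declared in the framework's `implementation_groups_definition`; a validator there would catch typos at write time.
```python
    def clean(self) -> None:
        # A score range must be non-empty; both bounds may still be None before save() fills them.
        if (
            self.min_score is not None
            and self.max_score is not None
            and self.min_score >= self.max_score
        ):
            raise ValidationError(
                {"max_score": _("Maximum score must be greater than minimum score")}
            )
        # TODO(review): refuse changing min/max/scores_definition once this assessment
        # has RequirementAssessment rows with a non-null score (reverse relation not shown here).
        super().clean()

    # … unchanged: save() override as in the hunk …
```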
+++ b/backend/core/serializers.py
@@ -489,20 +489,23 @@ class Meta:
 
 
 class RequirementAssessmentWriteSerializer(BaseModelSerializer):
     def validate_score(self, value):
-        framework = self.get_framework()
+        compliance_assessment = self.get_compliance_assessment()
         if value is not None:
-            if value < framework.min_score or value > framework.max_score:
+            if (
+                value < compliance_assessment.min_score
+                or value > compliance_assessment.max_score
+            ):
                 raise serializers.ValidationError(
                     {
-                        "score": f"Score must be between {framework.min_score} and {framework.max_score}"
+                        "score": f"Score must be between {compliance_assessment.min_score} and {compliance_assessment.max_score}"
                     }
                 )
         return value
 
-    def get_framework(self):
+    def get_compliance_assessment(self):
         if hasattr(self, "instance") and self.instance:
-            return self.instance.compliance_assessment.framework
+            return self.instance.compliance_assessment
         try:
             compliance_assessment_id = self.context.get("request", {}).data.get(
                 "compliance_assessment", {}
@@ -510,9 +513,11 @@ def get_framework(self):
             compliance_assessment = ComplianceAssessment.objects.get(
                 id=compliance_assessment_id
             )
-            return compliance_assessment.framework
-        except Framework.DoesNotExist:
-            raise serializers.ValidationError("The specified framework does not exist.")
+            return compliance_assessment
+        except ComplianceAssessment.DoesNotExist:
+            raise serializers.ValidationError(
+                "The specified Compliance Assessment does not exist."
+            )
 
     class Meta:
         model = RequirementAssessment
diff --git a/backend/core/views.py b/backend/core/views.py
index 8a814e50b..a0b90c680 100644
--- a/backend/core/views.py
+++ b/backend/core/views.py
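Review bot: `validate_score` compares `value` against `compliance_assessment.min_score` and `max_score`, which models.py now declares `null=True`; the model's `save()` only fills them when `min_score is None`, so an assessment saved with a `min_score` but no `max_score` (or one written through `bulk_create()`/`update()`, which skip `save()`) leaves `max_score = None`, and `value > None` raises `TypeError` here — an unhandled 500 where the old framework bounds, which are non-null with defaults, could not fail this way. Guard before the comparison, e.g. `lo, hi = compliance_assessment.min_score, compliance_assessment.max_score` followed by `if lo is None or hi is None: raise serializers.ValidationError({"score": "This assessment has no score range defined."})`, or fall back to `compliance_assessment.framework.min_score`/`max_score` as the previous code effectively did. `get_compliance_assessment` continues into the next hunk.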
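Review bot: `ComplianceAssessment.objects.get(id=compliance_assessment_id)` at the top of this hunk receives whatever the client put in `request.data["compliance_assessment"]` (the previous hunk defaults it to `{}` when the key is missing), yet only `ComplianceAssessment.DoesNotExist` is caught: a missing key, a non-id string, or a nested object in the JSON body surfaces as Django's `ValidationError`, `ValueError` or `TypeError` (depending on the primary-key type) and becomes a 500 instead of a 400. Read the key with `.get("compliance_assessment")`, reject `None` with a `serializers.ValidationError`, and widen the except to `except (ComplianceAssessment.DoesNotExist, ValueError, TypeError, DjangoValidationError):`, importing `DjangoValidationError` from `django.core.exceptions` if it is not already. The lookup is also unscoped to the requesting user, so the distinct "does not exist" message lets an authenticated caller probe whether arbitrary assessment ids exist; unless the view's permission layer already filters this (not visible here), resolving the id through the user's permitted queryset would remove that oracle. `get_compliance_assessment` begins in the previous hunk.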
@@ -1217,9 +1217,9 @@ def global_score(self, request, pk):
         return Response(
             {
                 "score": self.get_object().get_global_score(),
-                "max_score": self.get_object().framework.max_score,
-                "min_score": self.get_object().framework.min_score,
-                "score_definition": self.get_object().framework.score_definition,
+                "max_score": self.get_object().max_score,
+                "min_score": self.get_object().min_score,
+                "scores_definition": self.get_object().scores_definition,
             }
         )
 
diff --git a/backend/library/libraries/aircyber-v1.5.2.yaml b/backend/library/libraries/aircyber-v1.5.2.yaml
index 887a0d4d7..7e4688efd 100644
--- a/backend/library/libraries/aircyber-v1.5.2.yaml
+++ b/backend/library/libraries/aircyber-v1.5.2.yaml
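Review bot: `self.get_object()` is evaluated four times inside the new `Response` dict, and each call re-runs the queryset lookup (and, with DRF's stock `get_object`, the object-permission check), so one response costs four database round-trips for the same row. Bind it once above the `return` — `assessment = self.get_object()` — and read `assessment.get_global_score()`, `assessment.max_score`, `assessment.min_score` and `assessment.scores_definition`. The response key also changes from `score_definition` to `scores_definition`, a breaking change for any client reading the old key; unless the frontend is updated in the same release, keeping the old key for one version avoids a silent `undefined` in the UI. The `global_score` action starts before this hunk.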
@@ -2,20 +2,26 @@ urn: urn:intuitem:risk:library:aircyber-v1.5.2 locale: en ref_id: AirCyber-v1.5.2 name: Public AirCyber Maturity Level Matrix -description: "AirCyber is the AeroSpace and Defense official standard for Cybersecurity\ - \ maturity evaluation and increase built by Airbus, Dassault Aviation, Safran and\ - \ Thales to help the AeroSpace SupplyChain to be more resilient. \nTheir joint venture\ - \ BoostAeroSpace is offering this extract of the AirCyber maturity level matrix\ - \ to provide further details on this standard, the questions and the AirCyber maturity\ - \ levels they are associated to. \nAirCyber program uses this maturity level matrix\ - \ as the base of the cyber maturity evaluation as is the evaluation activity is\ - \ the very starting point for any cyber maturity progression. Being aware of the\ - \ problems is the mandatory very first knowledge a company shall know to decide\ - \ to launch a cybersecurity company program.\nSource: https://boostaerospace.com/aircyber/\n" +description: 'AirCyber is the AeroSpace and Defense official standard for Cybersecurity + maturity evaluation and increase built by Airbus, Dassault Aviation, Safran and + Thales to help the AeroSpace SupplyChain to be more resilient. + + Their joint venture BoostAeroSpace is offering this extract of the AirCyber maturity + level matrix to provide further details on this standard, the questions and the + AirCyber maturity levels they are associated to. + + AirCyber program uses this maturity level matrix as the base of the cyber maturity + evaluation as is the evaluation activity is the very starting point for any cyber + maturity progression. Being aware of the problems is the mandatory very first knowledge + a company shall know to decide to launch a cybersecurity company program. 
+ + Source: https://boostaerospace.com/aircyber/ + + ' copyright: "\xA9 Boost Aerospace\nThis work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike\ \ 4.0 International License. Any commercial use of this work must be contracted\ \ with BoostAeroSpace.\nPermission given to include AirCyber in CISO Assistant.\n" -version: 1 +version: 2 provider: Boost Aerospace packager: intuitem objects: 
@@ -23,17 +29,33 @@ objects: urn: urn:intuitem:risk:framework:aircyber-v1.5.2 ref_id: AirCyber-v1.5.2 name: Public AirCyber Maturity Level Matrix - description: "AirCyber is the AeroSpace and Defense official standard for Cybersecurity\ - \ maturity evaluation and increase built by Airbus, Dassault Aviation, Safran\ - \ and Thales to help the AeroSpace SupplyChain to be more resilient. \nTheir\ - \ joint venture BoostAeroSpace is offering this extract of the AirCyber maturity\ - \ level matrix to provide further details on this standard, the questions and\ - \ the AirCyber maturity levels they are associated to. \nAirCyber program uses\ - \ this maturity level matrix as the base of the cyber maturity evaluation as\ - \ is the evaluation activity is the very starting point for any cyber maturity\ - \ progression. Being aware of the problems is the mandatory very first knowledge\ - \ a company shall know to decide to launch a cybersecurity company program.\n\ - Source: https://boostaerospace.com/aircyber/\n" + description: 'AirCyber is the AeroSpace and Defense official standard for Cybersecurity + maturity evaluation and increase built by Airbus, Dassault Aviation, Safran + and Thales to help the AeroSpace SupplyChain to be more resilient. + + Their joint venture BoostAeroSpace is offering this extract of the AirCyber + maturity level matrix to provide further details on this standard, the questions + and the AirCyber maturity levels they are associated to. + + AirCyber program uses this maturity level matrix as the base of the cyber maturity + evaluation as is the evaluation activity is the very starting point for any + cyber maturity progression. Being aware of the problems is the mandatory very + first knowledge a company shall know to decide to launch a cybersecurity company + program. 
+ + Source: https://boostaerospace.com/aircyber/ + + ' + implementation_groups_definition: + - ref_id: Bronze + name: null + description: null + - ref_id: Silver + name: null + description: null + - ref_id: Gold + name: null + description: null requirement_nodes: - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:1.1 assessable: true @@ -43,6 +65,8 @@ objects: description: Are access to your buildings, offices and IT facilities controlled and limited (e. g. through the use of locked doors, magnetic card readers, prevention, detection and intervention devices in the event of theft, etc.)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:1.2 assessable: true depth: 1 @@ -51,6 +75,8 @@ objects: description: Is the enclosure of buildings hosting your server rooms and technical rooms secured by a fence, an entrance barrier, video surveillance, and an alarm? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:1.3 assessable: true depth: 1 @@ -58,12 +84,16 @@ objects: name: Secure access to building (servers & technical room) description: Is the enclosure of your premises secured by guards with night surveillance, an entrance barrier, video surveillance and an alarm? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:1.4 assessable: true depth: 1 ref_id: '1.4' name: 'Visitor escorting ' description: Are visitors permanently accompanied on your premises? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:1.5 assessable: true depth: 1 @@ -71,6 +101,8 @@ objects: name: Redundancy of the power supply description: Do you use inverters or back-up batteries (to ensure the power supply in case of loss of power)? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:1.6 assessable: true depth: 1 
@@ -78,6 +110,8 @@ objects: name: Clean office policy description: Do you have a clean desktop policy (physical and screen lock) for sensitive papers and removable storage media? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:1.7 assessable: true depth: 1 @@ -85,6 +119,8 @@ objects: name: Verify compliance of entities, subsites description: If you have several geographical IT sites, do you visit them to check physical and IT security regularly (min. once every 2 years) ? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.1 assessable: true depth: 1 @@ -95,12 +131,16 @@ objects: Do you have an accurate and up-to-date inventory of the assets (workstation, servers, ...) used for your customers production?' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.1.1 assessable: true depth: 1 ref_id: 2.1.1 name: Map of the company network description: Do you have a complete network diagram of your company? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.1.2 assessable: true depth: 1 @@ -108,6 +148,8 @@ objects: name: Live / automatic update of the company network map description: Is your network diagram automatically updated with network information and service protocols? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.1.3 assessable: true depth: 1 @@ -116,6 +158,8 @@ objects: description: "Have you implemented a detection and monitoring solution (NAC,\ \ DHCP moni-toring) for the connection of new devices (PC, server, printer,\ \ routers, Internet modems\u2026) on your internal network?" + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.2 assessable: true depth: 1 
@@ -124,6 +168,8 @@ objects: description: 'Is the list of your computer devices regularly updated? (servers, desktop PCs, laptops, printers, network device, smartphones, etc.)' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.3 assessable: true depth: 1 @@ -132,6 +178,8 @@ objects: \ with respect to the number of IT users / devices / employees\_" description: Is there a person or department assigned to the management the computer systems? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.4 assessable: true depth: 1 @@ -139,6 +187,8 @@ objects: name: Specify governance with clear roles and responsibilities description: Do you have an information systems security focal point (RSSI or equivalent)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.4.1 assessable: true depth: 1 @@ -147,6 +197,8 @@ objects: description: Has your organization implemented an Information Security Policy and associated controls? Do you communicate them to all users and project managers? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.5 assessable: true depth: 1 @@ -155,6 +207,8 @@ objects: description: Do you use a tool to ensure that all your workstations (servers, laptops, desk-top PCs) are secure in a consistent way (identical security policies between workstations, gap management, etc.) + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.5.1 assessable: true depth: 1 @@ -163,6 +217,8 @@ objects: description: Do you use a tool to ensure that all your smartphones are secure in a con-sistent way (identical security policies between them, gap management, etc.) + implementation_groups: + - SIlver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.6 assessable: true depth: 1 
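Review bot: Requirement node `urn:intuitem:risk:req_node:aircyber-v1.5.2:2.5.1` is tagged `implementation_groups: - SIlver`, a capitalisation typo: every other node in this file uses `Silver`, and the framework's `implementation_groups_definition` declares `ref_id: Silver`. If group membership is matched by exact string comparison (which the `selected_implementation_groups` JSON added in models.py suggests), this node will never be included in a Silver-level assessment and will silently behave as an undeclared fourth group. Change the entry to `- Silver`, and consider a load-time check in the library importer that every `implementation_groups` value matches a `ref_id` in `implementation_groups_definition`, which would catch the same slip in other library files.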
@@ -170,6 +226,8 @@ objects: name: Malware protection based on signature list detection description: Do you implement an automatic malware detection tool across the entire IT infrastructure (workstations, servers)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.7 assessable: true depth: 1 @@ -177,6 +235,8 @@ objects: name: Malware protection detecting abnormal behaviour based on system events description: Have you implemented an automatic malware removal or quarantine tool (anti-malware) on the entire IT device? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.8 assessable: true depth: 1 @@ -185,12 +245,16 @@ objects: on open systems like Android' description: 'Are enterprise smartphones managed by your IT team (for example: password and anti-virus policy configuration)?' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.8.1 assessable: true depth: 1 ref_id: 2.8.1 name: 'Light smartphones security policy ' description: Do enterprise smartphones have a dedicated security policy? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.8.2 assessable: true depth: 1 @@ -199,6 +263,8 @@ objects: deployed by users. description: Are enterprise smartphones managed centrally with a tool to control their configuration, security status? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.9 assessable: true depth: 1 @@ -208,6 +274,8 @@ objects: description: Do you use a centralized solution to activate, keep for at least a year and configure the logs of the most important components like firewalls or internet access? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.9.1 assessable: true depth: 1 
@@ -216,6 +284,8 @@ objects: description: Do you perform log analysis (e.g. real time analysis, SOC, etc.) of the most important components (servers, workstations, laptops, printers, network equipment, smartphones, etc.)? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.9.2 assessable: true depth: 1 @@ -223,6 +293,8 @@ objects: name: logs check for admin accounts usage description: Do you activate, keep for at least a year and configure the administrator au-thentication logs on network, the server and computer device? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.9.3 assessable: true depth: 1 @@ -230,6 +302,8 @@ objects: name: inventory log sources on ICT sensitive systems description: Do you use a procedure to implement log backup of the most important com-ponents such as firewalls, internet access? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.9.4 assessable: true depth: 1 @@ -243,6 +317,8 @@ objects: Directory service (read-only AD, validation of policies, security rules of work-stations managed via the AD, restriction and security of passwords of privileged accounts...) + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.9.5 assessable: true depth: 1 @@ -253,6 +329,8 @@ objects: \ of undeployed measures) and have you configured the generation of detailed\ \ alerts in the event of a security incident (configuration of detailed logs,\ \ active \u2013 with alerts \u2013 monitoring of the logs)?" + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.10 assessable: true depth: 1 
@@ -260,6 +338,8 @@ objects: name: Automatic and managed back-up / restore process & test description: Do you define and apply an automatic backup policy for critical components with a tested recovery procedure? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:2.11 assessable: true depth: 1 @@ -269,6 +349,8 @@ objects: the de-vices they could connect to their computers (prohibit to connect a USB flash drive found by chance, do an antivirus scan of the partners' usb keys, do not connect any strange device on their computers...) + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.1 assessable: true depth: 1 @@ -276,6 +358,8 @@ objects: name: 'Individual identification to all users ' description: Does each employee have a nominative identifier on IT production environments? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.1.1 assessable: true depth: 1 @@ -285,6 +369,8 @@ objects: clearance requirements, do you check the background and profile suitability of new hired (e.g. criminal record/nationality) depending on the role they apply to (e.g. senior, IT staff, etc.)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.1.2 assessable: true depth: 1 @@ -294,6 +380,8 @@ objects: description: When security constraints have been identified, such as national clearance requirements, do you check the background and profile suitability of new hires (criminal record/nationality)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.2 assessable: true depth: 1 @@ -305,6 +393,8 @@ objects: devices and access all files on the computer)? ' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.3 assessable: true depth: 1 
@@ -312,6 +402,8 @@ objects: name: Up to date inventory of admin accounts description: Do you have a complete inventory of privileged (administrative) accounts and do you keep it up to date? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.31 assessable: true depth: 1 @@ -320,6 +412,8 @@ objects: description: If you use administrator accounts on machines, do you have a solution in place to control their security (password security, account blocking, remote change, etc.)? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.4 assessable: true depth: 1 @@ -329,6 +423,8 @@ objects: description: Do you train operational teams (network administrators, security and systems administrators, project managers, developers, CISOs) in information systems security? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.5 assessable: true depth: 1 @@ -342,6 +438,8 @@ objects: the rules and cybersecurity instructions that they must respect, or a legally enforceable equivalent (such as an annex to the internal company regulations, employment contract)?' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.5.1 assessable: true depth: 1 @@ -351,6 +449,8 @@ objects: description: Do you set up systematic cybersecurity training for all employees and contractors, adapted or customized according to their role in the company, and do you follow up attendance to this training? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:3.6 assessable: true depth: 1 @@ -358,6 +458,8 @@ objects: name: Secure laptops against data spying description: Do users have access to IT security resources related to travel on their laptops? (Screen filter, security cable, VPN, encryption, monitoring,...) + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.1 assessable: true depth: 1 
@@ -366,6 +468,8 @@ objects: description: "Is there an entry and exit procedure for users and administrators?\ \ \n(Creation of a specific identifier, signature of a user charter, account\ \ deactivation)?\n" + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.2 assessable: true depth: 1 @@ -373,6 +477,8 @@ objects: name: Administrative rights needed to install software description: Do users need administrative rights that require different authentication with an admin account or computer support to install software on their computers? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.21 assessable: true depth: 1 @@ -382,12 +488,16 @@ objects: description: 'Do you have a centralized and secure management of user accounts capable of detecting abnormal behavior (theft of identifiers, use on non-standard servers, attempt to discover the password...)? ' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.3 assessable: true depth: 1 ref_id: '4.3' name: Encrypt passwords description: Do you protect passwords stored on systems (encryption)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.4 assessable: true depth: 1 @@ -396,6 +506,8 @@ objects: description: Is there a password management policy (regular change, minimum security constraints, special characters, number of characters, adapted policy for administrators, etc.)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.4.1 assessable: true depth: 1 @@ -403,6 +515,8 @@ objects: name: Change default ID and password for devices and services description: Do you change the default passwords and identifiers of the devices of your in-formation system? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.5 assessable: true depth: 1 
@@ -410,12 +524,16 @@ objects: name: 'Rules to update frequently SW and systems. ' description: Do you regularly update components (servers, desktop PCs, laptops, printers, network device, smartphones, etc.)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.6 assessable: true depth: 1 ref_id: '4.6' name: Track frequently system not up to date description: Do you anticipate the end of software and system maintenance? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.6.1 assessable: true depth: 1 @@ -424,12 +542,16 @@ objects: description: In order to avoid potential vulnerabilities (unknown software, not updated...) do you verify the versions of the software installed on your computer park? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.6.2 assessable: true depth: 1 ref_id: 4.6.2 name: inventory of allowed and forbidden software description: Do you have a list of authorized and prohibited software? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.7 assessable: true depth: 1 @@ -441,6 +563,8 @@ objects: and software editors? ' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.8 assessable: true depth: 1 @@ -448,6 +572,8 @@ objects: name: attacks or malicious activities detection (e.g. SOC) description: Is there a Security Operation Center (SOC) for detecting issues and monitoring the cybersecurity of the information system? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.8.1 assessable: true depth: 1 @@ -455,6 +581,8 @@ objects: name: centralize logs interpretation in SIEM description: Do you centralize security incidents and events through events collection tools (SIEM (Security Information Event Management))? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.8.2 assessable: true depth: 1 
@@ -462,6 +590,8 @@ objects: name: Monitor and alert on user device activity description: Do you monitor users' devices such as fixed PC, laptop, smartphone, USB key, etc...? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.8.3 assessable: true depth: 1 @@ -469,6 +599,8 @@ objects: name: tool to alert and perform semi-automatic isolation or shut down of systems description: Is there an alert tool to automatically shut down or isolate some elements of the computer system in the event of a major incident? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.8.4 assessable: true depth: 1 @@ -476,12 +608,16 @@ objects: name: Central Network cyber incidents monitoring description: Is there a Network Operations Center (NOC) or similar solution for detecting network security incidents? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.8.5 assessable: true depth: 1 ref_id: 4.8.5 name: Detect / block unauthorized connection to network description: Do you block unauthorized connections to your network? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.8.6 assessable: true depth: 1 @@ -489,12 +625,16 @@ objects: name: Network traffic abnormal behaviour monitoring description: Have you deployed and monitor network probes to detect malicious or abnormal activities? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.9 assessable: true depth: 1 ref_id: '4.9' name: Process for cyber incidents management & escalation description: Are there escalation and alert processes for security incidents? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.9.1 assessable: true depth: 1 
@@ -503,6 +643,8 @@ objects: or system activities for malicious activities or policy violation. description: Have you implemented solutions on PCs and Servers to detect, block or alert abnormal behaviors (IDS/IPS)? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.10 assessable: true depth: 1 @@ -511,6 +653,8 @@ objects: description: Have you subscribed to a news feed informing you of new cyber security vulner-abilities and cyber security alerts such as those proposed by government CERTs (ANSSI FR, NIST US), international security monitoring sites? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:4.11 assessable: true depth: 1 @@ -520,12 +664,16 @@ objects: description: Have you set up or contracted professional and customized security alert services for your company, its sector of activity, the IT devices you have deployed, etc. (professional or sectoral "CERT")? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.1 assessable: true depth: 1 ref_id: '5.1' name: "Identify the company's most sensitive servers\_" description: Do you know the most sensitive servers in your information system? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.2 assessable: true depth: 1 @@ -533,6 +681,8 @@ objects: name: internal firewalls, physical network segmentation to segregate network description: Do you use security device to protect and partition your internal network? (Firewall, proxy, etc.)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.2.1 assessable: true depth: 1 @@ -540,6 +690,8 @@ objects: name: Firewall on laptop and desktop description: Do you use a firewall on client workstations? (laptop, desktop PC)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.2.2 assessable: true depth: 1 
@@ -547,6 +699,8 @@ objects: name: Yearly Firewall Control description: Do you check the configuration of the firewalls at least once a year? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.3 assessable: true depth: 1 @@ -558,6 +712,8 @@ objects: only and forbidding non-secure protocols (e.g.: configure network and desktop/server firewall to forbid telnet-23 protocols in the local network, forbidding usage of Windows Samba v1 file-sharing protocol or NTLMv1 authentication, etc.)?' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.4 assessable: true depth: 1 @@ -566,6 +722,8 @@ objects: description: Do you use secure authentication for connecting to your company emails from the Internet (double authentication with phone and/or blocking accounts against password attempts, regular password change, complex password)? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.5 assessable: true depth: 1 @@ -574,6 +732,8 @@ objects: description: 'Do you use strong authentication and monitor (alerts in case of failure) the connection to sensitive devices such as: IT device administration, cloud ser-vices administration and websites? ' + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.5.1 assessable: true depth: 1 @@ -581,6 +741,8 @@ objects: name: 'Offer SSO for netw application or E-SSO password manager ' description: Do you use SSO (single sign on) features for http or applications with an auto-mated password manager and auto fill? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.6 assessable: true depth: 1 @@ -591,6 +753,8 @@ objects: etc.) for the administration of the information system? ' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.6.1 assessable: true depth: 1 
@@ -600,6 +764,8 @@ objects: opening unsecured Internet networks by connecting for example a modem / 3G USB flash drive, smartphone and at the same time having these same computers connected to the company network? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.7 assessable: true depth: 1 @@ -609,6 +775,8 @@ objects: description: Do you protect yourselves from threats related to the use of removable media (specific security tool, antivirus configuration for USB, hardening computer)? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.7.1 assessable: true depth: 1 @@ -616,6 +784,8 @@ objects: name: Encrypt data on mobile devices (USB drives, smartphones) description: Do you encrypt sensitive data on removable media without any user interac-tion (transparent automatic encryption)? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.8 assessable: true depth: 1 @@ -624,6 +794,8 @@ objects: description: Have all devices (computer, tablet pc, smartphone) connected to the compa-ny's information system been subject to a formal and prior approval proce-dure? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.8.1 assessable: true depth: 1 @@ -633,12 +805,16 @@ objects: description: "Do you have complete control over the professional usage of enterprise\ \ appli-cations / data on mobile devices? \n(good separation of personal\ \ and professional environments)\n" + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.9 assessable: true depth: 1 ref_id: '5.9' name: Internet access filtered (blacklist / categorized) description: 'Are Internet accesses filtered by a proxy server? ' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.9.1 assessable: true depth: 1 
@@ -646,6 +822,8 @@ objects: name: Web-application firewall for internally internet facing application description: Do you protect your web servers accessible from outside the company's net-work with WAF (web access filtering) device? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.10 assessable: true depth: 1 @@ -653,6 +831,8 @@ objects: name: 'Internet traffic level NW monitoring with alerting ' description: Is there Internet traffic monitoring with alerts but also indicators (KPIs) on the use of company data on the Internet? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.10.1 assessable: true depth: 1 @@ -660,6 +840,8 @@ objects: name: 'Encryption for internet links between different sites ' description: Do you encrypt your connections between your various sites of your company and your partners? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.10.2 assessable: true depth: 1 @@ -668,6 +850,8 @@ objects: description: If you have allowed browsing to non-professional websites, have you deployed a secure browsing solution for these sites that isolates it from the standard computer network? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.11 assessable: true depth: 1 @@ -675,6 +859,8 @@ objects: name: 'Manage WI-Fi Guest access segregated ' description: Do you have a "visitor" Wifi isolated from the rest of the Company's network? (Specific connection, dedicated Wifi?) + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.12 assessable: true depth: 1 @@ -684,6 +870,8 @@ objects: Manage Wi-Fi access segregated' description: Do you have a secure Wifi access with a separation of uses? (staff, industrial, professional, visitor, etc.) + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.13 assessable: true depth: 1 
@@ -692,6 +880,8 @@ objects: (.exe for example) or content ' description: Is there a system for filtering valid e-mails against malicious ones? (Anti-spam, removal of suspicious attached files, etc...) + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.13.1 assessable: true depth: 1 @@ -699,6 +889,8 @@ objects: name: 'Encrypt email content easily ' description: Do you offer users the possibility to easily encrypt the content of e-mails? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.14 assessable: true depth: 1 @@ -706,6 +898,8 @@ objects: name: Security access to supplier and subcontractor to information system description: Do you secure network interconnections with your subcontractors and suppli-ers? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.14.1 assessable: true depth: 1 @@ -714,6 +908,8 @@ objects: exchange sensitive data' description: Do you offer a secure exchange platform for your subcontractors and suppli-ers? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.14.2 assessable: true depth: 1 @@ -723,6 +919,8 @@ objects: description: If your website is hosted within the company, do you separate your website and Internet-accessible services from the rest of the company's network (via a segregated network zone, e.g. "DMZ")? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.15 assessable: true depth: 1 @@ -730,6 +928,8 @@ objects: name: ' Detect any new device connected to the network.' description: Do you allow connection to the network only to devices identified and man-aged by the information system? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:5.17 assessable: true depth: 1 
@@ -739,12 +939,16 @@ objects: users, remote sites) do you systematically implement a security solution that ensures strong identification and authentication of the user (MFA, login / password, certificates, ...) ? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.1 assessable: true depth: 1 ref_id: '6.1' name: Define and apply a backup policy for sensitive data description: Is the important data saved regularly? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.2 assessable: true depth: 1 @@ -753,6 +957,8 @@ objects: ' description: Are your backups protected in a secure room? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.3 assessable: true depth: 1 @@ -760,6 +966,8 @@ objects: name: "Setup secure backup storage on cloud system \n" description: Do you use a centrally managed data storage and backup system, such as a cloud (AWS, O365 Sharepoint, OneDrive, google drive,...)? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.4 assessable: true depth: 1 @@ -767,6 +975,8 @@ objects: name: 'Hard Disk encryption on desktops ' description: Do you encrypt computer, smartphones hard disks without any user interaction (transparent automatic encryption)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.5 assessable: true depth: 1 @@ -775,6 +985,8 @@ objects: solutions ' description: Do you implement enterprise data protection management solutions (leak de-tection of confidential data, roles and responsibilities, etc.)? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.6 assessable: true depth: 1 
@@ -782,18 +994,24 @@ objects: name: 'Proceed to regular controls of the SI and set corrective solution ' description: Do you carry out regular security audits (application, network, process), then apply the associated corrective actions? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.6.1 assessable: true depth: 1 ref_id: 6.6.1 name: Verify compliance of entities description: Do you check the compliance of your company's subsidiaries? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.6.2 assessable: true depth: 1 ref_id: 6.6.2 name: 'Optimize firewall rules management with regular audits ' description: Do you regularly check the rules of your Firewalls? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.7 assessable: true depth: 1 @@ -802,6 +1020,8 @@ objects: penetration testing, technical studies description: Do you carry out regular pentest on your IS and your subsidiaries, then apply the associated corrective actions? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.7.1 assessable: true depth: 1 @@ -809,6 +1029,8 @@ objects: name: PENTEST of company website. Deploy corrective solutions description: Do you perform pentest on your company's websites and then apply the associ-ated corrective actions? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.7.2 assessable: true depth: 1 @@ -817,6 +1039,8 @@ objects: description: Do you regularly check and update your cyberattack detection capabilities? (for example, updating security supervision rules following the pentest performed on your systems, or security project management to update your detection systems) + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.8 assessable: true depth: 1 
@@ -825,6 +1049,8 @@ objects: \ exchanges\u2026)" description: Have you deployed means and tools allowing users to encrypt sensitive data sent outside of the company? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.9 assessable: true depth: 1 @@ -833,6 +1059,8 @@ objects: description: Did you defined a data classification policy according to its use (public, confi-dential company, confidential...) and the protection rules to be applied to this data? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.9.1 assessable: true depth: 1 @@ -841,6 +1069,8 @@ objects: description: Have you implemented a solution to automatically classify your company's data, or to help users making a decision to protect data that would be classified as sensitive? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.9.2 assessable: true depth: 1 @@ -850,6 +1080,8 @@ objects: description: Do you have a solution to prevent the sending of unprotected confidential data or to systematically encrypt it before it is saved or sent outside your infor-mation system? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:6.10 assessable: true depth: 1 @@ -858,6 +1090,8 @@ objects: description: Have you defined that your company's data should be associated with identified managers and their responsibilities (HR data, design office data, etc.) + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.0 assessable: true depth: 1 @@ -866,6 +1100,8 @@ objects: description: Do you implement segregation between the production environment and other environments (qualification, preproduction, company information system, etc.)? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.1.1 assessable: true depth: 1 
@@ -873,6 +1109,8 @@ objects: name: 'ICS : Identify most critical device on the industrial network' description: Have you performed an inventory of your industrial control system devices, identifying the most critical components? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.1.2 assessable: true depth: 1 @@ -880,6 +1118,8 @@ objects: name: 'ICS : specific backup for critical device of industrial control systems' description: Do you perform backup of your most sensitive industrial control systems (con-figuration, source code and data)? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.1.3 assessable: true depth: 1 @@ -887,6 +1127,8 @@ objects: name: 'ICS : Setup distinct physical sites for backup storage' description: Do you regularly verify that the backup of your industrial control systems can be restored without problems? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.2 assessable: true depth: 1 @@ -894,6 +1136,8 @@ objects: name: 'ICS : mapping of the company network' description: Are the documentation, nomenclature and diagrams of ICS devices kept up to date? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.3 assessable: true depth: 1 @@ -903,6 +1147,8 @@ objects: ' description: Is there a documented crisis management process? (such as, for example, disas-ter recovery after a system crash) + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.4 assessable: true depth: 1 @@ -910,6 +1156,8 @@ objects: name: 'ICS : documentation for design, components and operation' description: Is the documentation relating to the design, components and operation of ICS stored with an appropriate level of security? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.5 assessable: true depth: 1 
@@ -917,6 +1165,8 @@ objects: name: 'ICS : Set IT specific standard & governance' description: Is there a qualified person or department dedicated to the design, operation, and monitoring of ICS device? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.6 assessable: true depth: 1 @@ -925,6 +1175,8 @@ objects: employees and sub-contractors ' description: Is there an ICS security awareness or training program for employees and contractors? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.7 assessable: true depth: 1 @@ -932,12 +1184,16 @@ objects: name: "Industrial IT : \_Make users sign a charter of good conduct" description: Do users, operators and administrators of Industrial Automation and Control Systems (IACS) signed cybersecurity best practices and charter? + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.8 assessable: true depth: 1 ref_id: '7.8' name: 'ICS : specific patch management' description: Are there procedures in place to manage the life cycle of ICS ? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.9 assessable: true depth: 1 
@@ -945,18 +1201,24 @@ objects: name: 'ICS : dedicated and compartmentalized network for the administration ' description: Do you use a dedicated and partitioned network for the administration of ICS? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.10 assessable: true depth: 1 ref_id: '7.10' name: 'ICS : Secure industrial network & devices access from company network' description: Is there a specifically defined architecture and management rules? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.11 assessable: true depth: 1 ref_id: '7.11' name: 'Industrial IT : Audit the change processes, and dedicated IACS solutions ' description: Are ICS change processes and dedicated solutions audited annually? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.12 assessable: true depth: 1 @@ -964,6 +1226,8 @@ objects: name: 'ICS : process for monitoring threats and vulnerabilities ' description: Are ICS components subject to a threat and vulnerability monitoring process? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.13 assessable: true depth: 1 @@ -973,6 +1237,8 @@ objects: Centre), backup status...) of your network allowing detection of security incidents, back up issues and/or active monitoring of Industrial Information System (ICS)? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:7.14 assessable: true depth: 1 @@ -982,6 +1248,8 @@ objects: ' description: When an incident occurs in the production, do you investigate whether it could be caused by a malicious element? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:9.7.1 assessable: true depth: 1 
@@ -990,12 +1258,16 @@ objects: description: Have you implemented, documented and tested, at least once a year, a security problem management procedure to ensure that you can react quickly and in-volve the right internal or external people? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:9.8 assessable: true depth: 1 ref_id: '9.8' name: Setup a risk analysis description: 'Have you ever done a cyber-risk analysis on your company? ' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:9.81 assessable: true depth: 1 @@ -1003,6 +1275,8 @@ objects: name: Risk management process (reviewed yearly) description: Do you annually review your company's cyber risk level by reviewing your com-pany's risk analyses? + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:9.82 assessable: true depth: 1 @@ -1012,6 +1286,8 @@ objects: description: Do you have a computer-based risk management solution that allows you to raise the level of cyber risk and process it in a more or less automated way ? + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext1 assessable: true depth: 1 @@ -1021,6 +1297,8 @@ objects: they are generated) to ensure their integrity? [Corporate IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext2 assessable: true depth: 1 @@ -1029,6 +1307,8 @@ objects: description: 'Do you activate security log recording on your equipment? [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext3 assessable: true depth: 1 @@ -1038,6 +1318,8 @@ objects: with your customers? [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext4 assessable: true depth: 1 
@@ -1046,6 +1328,8 @@ objects: description: 'Do you only use the internet access defined within the company? [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext5 assessable: true depth: 1 @@ -1056,6 +1340,8 @@ objects: network equipments, laptops and desktops? [Corporate IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext6 assessable: true depth: 1 @@ -1065,6 +1351,8 @@ objects: designed to take into account your providers/suppliers? [Corporate IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext7 assessable: true depth: 1 @@ -1074,6 +1362,8 @@ objects: \ procedural instructions or processes based on a security standard framework\ \ (ISO27001, NIST,\u2026.)?\nIf yes, which framework do you use? \n[Corporate\ \ IT]" + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext8 assessable: true depth: 1 @@ -1082,6 +1372,8 @@ objects: description: 'Is the business continuity plan (BCP) reviewed and tested regularly? [Corporate IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext9 assessable: true depth: 1 @@ -1101,6 +1393,8 @@ objects: - other types of data (please detail) [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext10 assessable: true depth: 1 @@ -1122,6 +1416,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext11 assessable: true depth: 1 @@ -1134,6 +1430,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext12 assessable: true depth: 1 @@ -1145,6 +1443,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext13 assessable: true depth: 1 
@@ -1156,6 +1456,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext14 assessable: true depth: 1 @@ -1167,6 +1469,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext15 assessable: true depth: 1 @@ -1175,6 +1479,8 @@ objects: description: "Do you have a policy for antivirus signatures and engine update,\ \ on a weekly basis minimum for all standard devices, with exception management\ \ for specific devices? \n[Industrial IT]\n[Corporate IT]" + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext16 assessable: true depth: 1 @@ -1186,6 +1492,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext17 assessable: true depth: 1 @@ -1193,6 +1501,8 @@ objects: name: Antivirus testing description: "Do you test the effectiveness of malware protection programs?\ \ \n[Industrial IT]\n[Corporate IT]" + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext18 assessable: true depth: 1 @@ -1204,6 +1514,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext19 assessable: true depth: 1 @@ -1215,6 +1527,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext20 assessable: true depth: 1 @@ -1228,6 +1542,8 @@ objects: [Corporate IT] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext21 assessable: true depth: 1 @@ -1239,6 +1555,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext22 assessable: true depth: 1 
@@ -1252,6 +1570,8 @@ objects: [Corporate IT] [Development Environment]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext23 assessable: true depth: 1 @@ -1266,6 +1586,8 @@ objects: [Corporate IT] [Development Environment]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext24 assessable: true depth: 1 @@ -1277,6 +1599,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext25 assessable: true depth: 1 @@ -1288,6 +1612,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext26 assessable: true depth: 1 @@ -1301,6 +1627,8 @@ objects: [Corporate IT] [Development Environment]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext27 assessable: true depth: 1 @@ -1311,6 +1639,8 @@ objects: [Industrial IT] [Corporate IT]' + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext28 assessable: true depth: 1 @@ -1319,6 +1649,8 @@ objects: description: "Do you have an insurance contract covering the consequences of\ \ an incident such as: \n- physical damages\n- IT damages\n- cyber damages\n\ - business loss\n[Industrial IT]\n[Corporate IT]" + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext29 assessable: true depth: 1 @@ -1332,6 +1664,8 @@ objects: [Corporate IT] [Development Environment]' + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext30 assessable: true depth: 1 @@ -1345,6 +1679,8 @@ objects: media? [Industrial IT]' + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext31 assessable: true depth: 1 
@@ -1354,6 +1690,8 @@ objects: of the information exchanged with your customers? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext32 assessable: true depth: 1 @@ -1369,6 +1707,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext33 assessable: true depth: 1 @@ -1381,6 +1721,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext34 assessable: true depth: 1 @@ -1394,6 +1736,8 @@ objects: If the answer is yes, please provide explanations/details on the locations. [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext35 assessable: true depth: 1 @@ -1404,6 +1748,8 @@ objects: of Information directive? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext36 assessable: true depth: 1 @@ -1416,6 +1762,8 @@ objects: (production, backup...)? [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext37 assessable: true depth: 1 @@ -1425,6 +1773,8 @@ objects: of your production in relation to your customers contracts? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext38 assessable: true depth: 1 @@ -1436,6 +1786,8 @@ objects: equipment)? [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext39 assessable: true depth: 1 @@ -1443,6 +1795,8 @@ objects: name: Products logs description: "Do you have a default logging policy for products delivered to\ \ customers that records key product actions? \n[Product]" + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext40 assessable: true depth: 1 
@@ -1455,6 +1809,8 @@ objects: your customers and you (IP mapping, servers, and addressing)? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext41 assessable: true depth: 1 @@ -1469,6 +1825,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext42 assessable: true depth: 1 @@ -1478,6 +1836,8 @@ objects: means? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext43 assessable: true depth: 1 @@ -1487,6 +1847,8 @@ objects: and trained the appropriate employees? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext44 assessable: true depth: 1 @@ -1495,6 +1857,8 @@ objects: description: 'Are production workstations regularly updated? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext45 assessable: true depth: 1 @@ -1504,6 +1868,8 @@ objects: re-entry into service? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext46 assessable: true depth: 1 @@ -1514,6 +1880,8 @@ objects: between shift planning and accounts used)? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext47 assessable: true depth: 1 @@ -1521,6 +1889,8 @@ objects: name: logs for ICS systems & antivirus description: "Are systems and antivirus logs enabled on production environments?\ \ \n[Industrial IT]" + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext48 assessable: true depth: 1 @@ -1533,6 +1903,8 @@ objects: If yes, please detail. [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext49 assessable: true depth: 1 
@@ -1544,6 +1916,8 @@ objects: and/or transparent screen lock software solutions)? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext50 assessable: true depth: 1 @@ -1552,6 +1926,8 @@ objects: description: 'Do you perform production equipment updates at least twice a year? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext51 assessable: true depth: 1 @@ -1561,6 +1937,8 @@ objects: production environments? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext52 assessable: true depth: 1 @@ -1571,6 +1949,8 @@ objects: them if necessary? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext53 assessable: true depth: 1 @@ -1580,6 +1960,8 @@ objects: wifi networks? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext54 assessable: true depth: 1 @@ -1589,6 +1971,8 @@ objects: production benches) by default ? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext55 assessable: true depth: 1 @@ -1598,6 +1982,8 @@ objects: of removable media used for your customers production? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext56 assessable: true depth: 1 @@ -1607,6 +1993,8 @@ objects: of removable devices in production environments? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext57 assessable: true depth: 1 @@ -1616,6 +2004,8 @@ objects: used on the workstations? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext58 assessable: true depth: 1 
@@ -1626,6 +2016,8 @@ objects: anti-malware protection...)? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext59 assessable: true depth: 1 @@ -1636,6 +2028,8 @@ objects: your customer Security Manager) [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext60 assessable: true depth: 1 @@ -1647,6 +2041,8 @@ objects: Do you archive these documents? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext61 assessable: true depth: 1 @@ -1656,6 +2052,8 @@ objects: systems? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext62 assessable: true depth: 1 @@ -1665,6 +2063,8 @@ objects: production information systems? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext63 assessable: true depth: 1 @@ -1674,6 +2074,8 @@ objects: in the company''s BCP risk? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext64 assessable: true depth: 1 @@ -1683,6 +2085,8 @@ objects: (where applicable)? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext65 assessable: true depth: 1 @@ -1692,6 +2096,8 @@ objects: including machines and production benches? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext66 assessable: true depth: 1 @@ -1701,6 +2107,8 @@ objects: access control (keys, badges...)? [Industrial IT]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext67 assessable: true depth: 1 @@ -1710,6 +2118,8 @@ objects: provided to your customers? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext68 assessable: true depth: 1 
@@ -1719,6 +2129,8 @@ objects: customers'' service delivery? [Industrial IT]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext69 assessable: true depth: 1 @@ -1732,6 +2144,8 @@ objects: [Industrial IT] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext70 assessable: true depth: 1 @@ -1740,6 +2154,8 @@ objects: description: "Do you perform regular audits (compliance and/or technical) on\ \ your supply chain connected to your information system or when regular equipment/material\ \ exchange occur? \nIf yes, please precise the frequency.\n[Industrial IT]" + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext71 assessable: true depth: 1 @@ -1752,6 +2168,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext72 assessable: true depth: 1 @@ -1761,6 +2179,8 @@ objects: the environments in case of a security incident? [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext73 assessable: true depth: 1 @@ -1772,6 +2192,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext74 assessable: true depth: 1 @@ -1783,6 +2205,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext75 assessable: true depth: 1 @@ -1796,6 +2220,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext76 assessable: true depth: 1 
@@ -1805,6 +2231,8 @@ objects: \ assessment process in order to control the development environments and\ \ ensure the lack of known vulnerabilities in the framework (operating system,\ \ libraries, \u2026) ?\n[Development Environment]" + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext77 assessable: true depth: 1 @@ -1818,6 +2246,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext78 assessable: true depth: 1 @@ -1826,6 +2256,8 @@ objects: description: 'Do you include hardening principles to reduce the attack surface? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext79 assessable: true depth: 1 @@ -1836,6 +2268,8 @@ objects: unnecessary unused components, ports, protocols or functions? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext80 assessable: true depth: 1 @@ -1848,6 +2282,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext81 assessable: true depth: 1 @@ -1861,6 +2297,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext82 assessable: true depth: 1 @@ -1871,6 +2309,8 @@ objects: the product development cycle? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext83 assessable: true depth: 1 @@ -1882,6 +2322,8 @@ objects: [Product] [Development Environment]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext84 assessable: true depth: 1 @@ -1891,6 +2333,8 @@ objects: them to your customers? [Product]' + implementation_groups: + - Silver - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext85 assessable: true depth: 1 
@@ -1902,6 +2346,8 @@ objects: to control them and do you inform your customers of this before delivery? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext86 assessable: true depth: 1 @@ -1911,6 +2357,8 @@ objects: (initial or update)? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext87 assessable: true depth: 1 @@ -1921,6 +2369,8 @@ objects: with? [Product]' + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext88 assessable: true depth: 1 @@ -1930,6 +2380,8 @@ objects: in order to ensure the lack of malicious code? [Development Environment]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext89 assessable: true depth: 1 @@ -1940,6 +2392,8 @@ objects: in the developped solution? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext90 assessable: true depth: 1 @@ -1949,6 +2403,8 @@ objects: \ media and materials before their use, to ensure that they are free of malicious\ \ code? \nOnce inspection is carried out, do you store storage media / materials\ \ in a secure area ?\n[Product]" + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext91 assessable: true depth: 1 @@ -1959,6 +2415,8 @@ objects: Plan? [Product]' + implementation_groups: + - Bronze - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext92 assessable: true depth: 1 @@ -1974,6 +2432,8 @@ objects: - Monitoring means (NOC, SOC)? [Development Environment]' + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext93 assessable: true depth: 1 
@@ -1983,6 +2443,8 @@ objects: \ to achieve product cyber certification when it is necessary? \nPlease detail\ \ corresponding cyber certifications which can be achieved through your process.\n\ [Product]\n[Development Environment]" + implementation_groups: + - Gold - urn: urn:intuitem:risk:req_node:aircyber-v1.5.2:ext94 assessable: true depth: 1 @@ -1993,3 +2455,5 @@ objects: data retention, mechanisms ensuring access/modification/deletion to data)? [Product]' + implementation_groups: + - Bronze diff --git a/backend/library/libraries/ccb-cff-2023-03-01.yaml b/backend/library/libraries/ccb-cff-2023-03-01.yaml index dbb930645..907369d2f 100644 --- a/backend/library/libraries/ccb-cff-2023-03-01.yaml +++ b/backend/library/libraries/ccb-cff-2023-03-01.yaml @@ -2,11 +2,12 @@ urn: urn:intuitem:risk:library:ccb-cff-2023-03-01 locale: en ref_id: CCB-CFF-2023-03-01 name: CCB CyberFundamentals Framework -description: Centre For Cybersecurity Belgium - CyberFundamentals Framework - https://ccb.belgium.be +description: 'Centre For Cybersecurity Belgium - CyberFundamentals Framework + + https://ccb.belgium.be' copyright: All texts, layouts, designs and other elements of any nature in this document are subject to copyright law. -version: 1 +version: 2 provider: CCB packager: intuitem objects: 
@@ -15,6 +16,57 @@ objects: ref_id: CCB-CFF-2023-03-01 name: CCB CyberFundamentals Framework description: Centre For Cybersecurity Belgium - CyberFundamentals Framework + scores_definition: + - score: 1 + name: Initial + description: 'No Process documentation or not formally approved by management. + + Standard process does not exist.' + - score: 2 + name: Repeatable + description: 'Formally approved Process documentation exists but not reviewed + in the previous 2 years. + + Ad-hoc process exists and is done informally.' + - score: 3 + name: Defined + description: 'Formally approved Process documentation exists, and exceptions + are documented and approved. Documented & approved exceptions < 5% of the + time. + + Formal process exists and is implemented. Evidence available for most activities. + Less than 10% process exceptions.' + - score: 4 + name: Managed + description: 'Formally approved Process documentation exists, and exceptions + are documented and approved. Documented & approved exceptions < 3% of the + time. + + Formal process exists and is implemented. Evidence available for all activities. + Detailed metrics of the process are captured and reported. + + Minimal target for metrics has been established. Less than 5% of process exceptions.' + - score: 5 + name: Optimizing + description: 'Formally approved Process documentation exists, and exceptions + are documented and approved. Documented & approved exceptions < 0,5% of the + time. + + Formal process exists and is implemented. Evidence available for all activities. + Detailed metrics of the process are captured and reported. + + Minimal target for metrics has been established and continually improving. + Less than 1% of process exceptions.' 
+ implementation_groups_definition:
+ - ref_id: B
+ name: basic
+ description: null
+ - ref_id: I
+ name: important
+ description: null
+ - ref_id: E
+ name: essential
+ description: null
 requirement_nodes:
 - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
 assessable: false
@@ -51,6 +103,10 @@ objects:
 \ and other networked components or devices. \n\u2022\tThis inventory must\
 \ include all assets, whether or not they are connected to the organization's\
 \ network.\n\u2022\tThe use of an IT asset management tool could be considered."
+ implementation_groups:
+ - B
+ - I
+ - E
 - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.2
 assessable: true
 depth: 4
@@ -65,6 +121,9 @@ objects:
 \ justify, and take responsibility for one's actions, it implies answerability\
 \ for the outcome of the task or process.\n\u2022\tChanges include the decommissioning\
 \ of material."
+ implementation_groups:
+ - I
+ - E
 - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.3
 assessable: true
 depth: 4
@@ -76,6 +135,9 @@ objects:
 annotation: "\u2022\tAny unsupported hardware without an exception documentation,\
 \ is designated as unauthorized.\n\u2022\tUnauthorized hardware can be detected\
 \ during inventory, requests for support by the user or other means."
+ implementation_groups:
+ - I
+ - E
 - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1.4
 assessable: true
 depth: 4
@@ -88,6 +150,8 @@ objects:
 \ basis; The organization may choose to remove the asset from the network,\
 \ deny the asset from connecting remotely to the network, or quarantine the\
 \ asset."
+ implementation_groups:
+ - E
 - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
 assessable: false
 depth: 3
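Review bot: The three groups added under `+ implementation_groups_definition:` all carry `description: null`, so anything rendering the definition has nothing to show for what "basic", "important" and "essential" mean or which organisations each applies to; add a one-line description per group taken from the CCB publication, or omit the key rather than set it to null. The requirement nodes in the following hunks assign groups cumulatively (BASIC_ nodes get B, I and E; IMPORTANT_ nodes get I and E; the rest only E), which is exactly the kind of rule those descriptions should state. Minor wording in the preceding scores_definition hunk: score 5 says `< 0,5% of the` with a decimal comma while the other thresholds read `< 5%` and `< 3%`; `< 0.5%` would be consistent. The group names are also lower-case (`name: basic`) while the score names are capitalised (`name: Initial`), which will look uneven wherever both are displayed.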
@@ -110,6 +174,10 @@ objects: \ version, number of users, data processed, etc.\n\u2022\tA distinction should\ \ be made between unsupported software and unauthorized software.\n\u2022\t\ The use of an IT asset management tool could be considered." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.2 assessable: true depth: 4 @@ -123,6 +191,9 @@ objects: the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.3 assessable: true depth: 4 @@ -131,6 +202,9 @@ objects: description: Individuals who are responsible and who are accountable for administering software platforms and applications within the organization shall be identified. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.4 assessable: true depth: 4 @@ -142,6 +216,9 @@ objects: annotation: "\u2022\tAny unsupported software without an exception documentation,\ \ is designated as unauthorized.\n\u2022\tUnauthorized software can be detected\ \ during inventory, requests for support by the user or other means." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2.5 assessable: true depth: 4 @@ -153,6 +230,8 @@ objects: \u2022\tThere should be a process to regularly address unauthorised assets;\ \ The organization may choose to remove the asset from the network, deny the\ \ asset from connecting remotely to the network, or quarantine the asset." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3 assessable: false depth: 3 
@@ -175,6 +254,10 @@ objects: \ mapping this information with the associated assets identified in the inventories\ \ of physical devices, systems, software platforms and applications used within\ \ the organization (see ID.AM-1 & ID.AM-2)." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-3.2 assessable: true depth: 4 @@ -190,6 +273,9 @@ objects: \ documentation should not be stored only on the network it represents.\n\u2022\ \tConsider keeping a copy of this documentation in a safe offline environment\ \ (e.g. offline hard disk, paper hardcopy, \u2026)" + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3.3 assessable: true depth: 4 @@ -205,6 +291,8 @@ objects: \ whenever there is an indication of increased risk to organization's critical\ \ operations and assets.\no\tProtecting the system from information leakage\ \ due to electromagnetic signals emanations." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4 assessable: false depth: 3 @@ -229,6 +317,9 @@ objects: \ made to them and authorizing them in advance avoids wasting unnecessary\ \ resources investigating a supposedly non-authenticated connection to external\ \ systems." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4.2 assessable: true depth: 4 @@ -239,6 +330,8 @@ objects: annotation: Consider requiring external service providers to identify and document the functions, ports, protocols, and services necessary for the connection services. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5 assessable: false depth: 3 
@@ -274,6 +367,10 @@ objects: \ (DLP) tool to identify all sensitive data stored, processed, or transmitted\ \ through enterprise assets, including those located onsite or at a remote\ \ service provider." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6 assessable: false depth: 3 @@ -298,6 +395,9 @@ objects: \ roles and responsibilities for third-party providers (e.g., suppliers, customers,\ \ partners) with physical or logical access to the organization\u2019s ICT/OT\ \ environment." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2 assessable: true depth: 4 @@ -307,6 +407,8 @@ objects: annotation: The information security officer should be responsible for monitoring the implementation of the organization's information/cyber security strategy and safeguards. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be assessable: false depth: 2 @@ -336,6 +438,9 @@ objects: The organisation should communicate its position to its upstream and downstream\ \ so that it is understood where they sit in terms of critical importance\ \ to the organisation's operations." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1.2 assessable: true depth: 4 @@ -345,6 +450,8 @@ objects: chain threats by applying security safeguards as part of a documented comprehensive security strategy. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2 assessable: false depth: 3 
@@ -362,6 +469,9 @@ objects: annotation: The organisation covered by NIS legislation has a responsibility to know the other organisations in the same sector in order to work with them to achieve the objectives set by NIS for that particular sector. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3 assessable: false depth: 3 @@ -378,6 +488,9 @@ objects: are established and communicated. annotation: Information protection needs should be determined, and the related processes revised as necessary. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4 assessable: false depth: 3 @@ -395,6 +508,9 @@ objects: to their criticality as part of the risk assessment process. annotation: Dependencies and business critical functions should include support services. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5 assessable: false depth: 3 @@ -416,6 +532,9 @@ objects: \ hot swap).\n\u2022\tConsider aspects of business continuity management in\ \ e.g. Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business\ \ Continuity Plan (BCP)." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.2 assessable: true depth: 4 @@ -431,6 +550,8 @@ objects: \ from power outages and other failures due to utility interruptions (e.g.\ \ UPS & NO-break, frequent test, service contracts that include regular maintenance,\ \ redundant power cabling, 2 different power service providers...)." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.3 assessable: true depth: 4 
@@ -443,6 +564,8 @@ objects: \ locations and one copy should be stored at an off-site location).\n\u2022\ \tConsider implementing mechanisms such as hot swap, load balancing and failsafe\ \ to increase resilience." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv assessable: false depth: 2 @@ -477,6 +600,10 @@ objects: \u2022\tPolicies and procedures should be reviewed and updated at least annually\ \ and every time there are changes in the organization or technology. Whenever\ \ the policies are changed, employees should be made aware of the changes." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-1.2 assessable: true depth: 4 @@ -496,6 +623,9 @@ objects: \ information, access control, media protection, vulnerability management,\ \ maintenance, monitoring)\n\u2022\tThe coverage of the full life cycle of\ \ the ICT/OT systems." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3 assessable: false depth: 3 @@ -511,6 +641,10 @@ objects: description: Legal and regulatory requirements regarding information/cybersecurity, including privacy obligations, shall be understood and implemented. annotation: There are no additional guidelines. + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-3.2 assessable: true depth: 4 @@ -522,6 +656,9 @@ objects: \ compliance with legal and regulatory requirements regarding information/cybersecurity,\ \ including privacy obligations.\n\u2022\tThis requirement also applies to\ \ contractors and service providers." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4 assessable: false depth: 3 
@@ -539,6 +676,10 @@ objects: and updated when changes occur. annotation: This strategy should include determining and allocating the required resources to protect the organisation's business-critical assets. + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-4.2 assessable: true depth: 4 @@ -547,6 +688,9 @@ objects: description: "Information security and cybersecurity risks shall be documented,\ \ formally approved, and updated when changes occur.\t" annotation: Consider using Risk Management tools. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra assessable: false depth: 2 @@ -574,6 +718,10 @@ objects: \ an organization to threats.\n\u2022\tA threat is a malicious or negative\ \ event that takes advantage of a vulnerability. \n\u2022\tThe risk is the\ \ potential for loss and damage when the threat does occur." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-1.2 assessable: true depth: 4 @@ -585,6 +733,9 @@ objects: annotation: "\u2022\tWhere safe and feasible, the use of vulnerability scanning\ \ should be considered.\n\u2022\tThe organization should establish and maintain\ \ a testing program appropriate to its size, complexity, and maturity." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1.3 assessable: true depth: 4 @@ -594,6 +745,8 @@ objects: \ by the testing process, performance/load testing and penetration testing\ \ on the organization\u2019s systems shall be conducted with care." annotation: Consider validating security measures after each penetration test. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2 assessable: false depth: 3 
@@ -616,6 +769,9 @@ objects: include the sharing of information about potential vulnerabilities and incidents. This sharing capability should have an unclassified and classified information sharing capability. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2.2 assessable: true depth: 4 @@ -625,6 +781,8 @@ objects: to make security alert and advisory information available to relevant organization stakeholders. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5 assessable: false depth: 3 @@ -643,6 +801,10 @@ objects: annotation: "\u2022\tKeep in mind that threats exploit vulnerabilities.\n\u2022\ \tIdentify the consequences that losses of confidentiality, integrity and\ \ availability may have on the assets and related business processes." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-5.2 assessable: true depth: 4 @@ -655,6 +817,9 @@ objects: \ external parties.\n\u2022\tQualitative and/or quantitative risk analysis\ \ methods \n(MAPGOOD, ISO27005, CIS RAM, \u2026) can be used together with\ \ software tooling." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5.3 assessable: true depth: 4 @@ -662,6 +827,8 @@ objects: ref_id: ID.RA-5.3 description: Risk assessment results shall be disseminated to relevant stakeholders. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6 assessable: false depth: 3 
@@ -681,6 +848,9 @@ objects: \ assets are, and how they are protected.\n\u2022\tIt should be clear what\ \ impact will be if these assets are compromised.\n\u2022\tIt should be established\ \ how the implementation of adequate mitigation measures will be organized." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm assessable: false depth: 2 @@ -707,6 +877,9 @@ objects: occur. annotation: 'External stakeholders include customers, investors and shareholders, suppliers, government agencies and the wider community. ' + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2 assessable: false depth: 3 @@ -723,6 +896,9 @@ objects: be in line with the policies on information security and cybersecurity, to facilitate demonstration of coherence between policies, risk tolerance and measures. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3 assessable: false depth: 3 @@ -738,6 +914,9 @@ objects: description: "The organization\u2019s role in critical infrastructure and its\ \ sector shall determine the organization\u2019s risk appetite." annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc assessable: false depth: 2 @@ -766,6 +945,8 @@ objects: the distributed and interconnected nature of ICT/OT product and service supply chains. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2 assessable: false depth: 3 
@@ -787,6 +968,9 @@ objects: annotation: This assessment should identify and prioritize potential negative impacts to the organization from the risks associated with the distributed and interconnected nature of ICT/OT product and service supply chains. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2.2 assessable: true depth: 4 @@ -798,6 +982,8 @@ objects: annotation: This list should include suppliers, vendors and partners contact information and the services they provide, so they can be contacted for assistance in the event of an outage or service degradation. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3 assessable: false depth: 3 @@ -820,6 +1006,9 @@ objects: \ in mind that GDPR requirements need to be fulfilled when business information\ \ contains personal data (applicable on all levels), i.e. security measures\ \ need to be addressed in the contractual framework." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.2 assessable: true depth: 4 @@ -840,6 +1029,8 @@ objects: \ monitoring, incident response activities, or information system error handling\ \ are also addressed expeditiously. Flaw remediation should be incorporated\ \ into configuration management as an emergency change." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3 assessable: true depth: 4 @@ -849,6 +1040,8 @@ objects: \ the organization to review the \u2018information security and cybersecurity\u2019\ \ programs implemented by suppliers and third-party partners." annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4 assessable: false depth: 3 
@@ -867,6 +1060,9 @@ objects: \ reviewing audits, test results, and other evaluations." annotation: Entities not subject to the NIS legislation could limit themselves to business critical suppliers and third-party partners only. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4.2 assessable: true depth: 4 @@ -877,6 +1073,8 @@ objects: \ reviewing third-party independent audits, test results, and other evaluations." annotation: The depth of the review should depend on the criticality of delivered products and services. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5 assessable: false depth: 3 @@ -894,6 +1092,9 @@ objects: and recovery planning activities. annotation: Entities not subject to the NIS legislation could limit themselves to business critical suppliers and third-party partners only. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5.2 assessable: true depth: 4 @@ -903,6 +1104,8 @@ objects: suppliers and third-party partners to include them as stakeholders in testing and execution of the response and recovery plans. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr assessable: false depth: 1 @@ -930,8 +1133,8 @@ objects: depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1 ref_id: BASIC_PR.AC-1.1 - description: 'Identities and credentials for authorized devices and users shall - be managed.' + description: Identities and credentials for authorized devices and users shall + be managed. annotation: "Identities and credentials for authorized devices and users could\ \ be managed through a password policy. A password policy is a set of rules\ \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\ 
@@ -944,6 +1147,10 @@ objects: \ of compromise.\n\u2022\tUse only individual accounts and never share passwords.\n\ \u2022\tImmediately disable unused accounts\n\u2022\tRights and privileges\ \ are managed by user groups." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2 assessable: true depth: 4 @@ -959,6 +1166,9 @@ objects: \ or inherence (something the user is) that are independent, in that the breach\ \ of one does not compromise the reliability of the others, and is designed\ \ in such a way to protect the confidentiality of the authentication data." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.3 assessable: true depth: 4 @@ -970,6 +1180,8 @@ objects: annotation: "\u2022\tTo guarantee the safe operation, service accounts should\ \ be used for running processes and services.\n\u2022\tConsider the use of\ \ a formal access procedure for external parties." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.4 assessable: true depth: 4 @@ -981,6 +1193,8 @@ objects: \ for system-to-system communications" annotation: Consider the use of SSO (Single Sign On) in combination with MFA for the organization's internal and external critical systems. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.5 assessable: true depth: 4 @@ -992,6 +1206,8 @@ objects: annotation: "\u2022\tConsider limiting the number of failed login attempts by\ \ implementing automatic lockout.\n\u2022\tThe locked account won\u2019t be\ \ accessible until it has been reset or the account lockout duration elapses." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2 assessable: false depth: 3 
@@ -1013,6 +1229,10 @@ objects: \ to trace these accesses and restrict them technically to given time slots.\n\ \u2022\tConsider to not leaving internal network access outlets accessible\ \ in public areas. These public places can be waiting rooms, corridors..." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-2.2 assessable: true depth: 4 @@ -1028,6 +1248,9 @@ objects: \ servers and network components to authorized personnel.\no\tLog all access\ \ to servers and network components.\n\u2022\tVisitor access records should\ \ be maintained, reviewed and acted upon as required." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.3 assessable: true depth: 4 @@ -1037,6 +1260,8 @@ objects: to the physical access to the facility. annotation: "E.g. production, R&D, organization\u2019s critical systems equipment\ \ (server rooms\u2026)" + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.4 assessable: true depth: 4 @@ -1047,6 +1272,8 @@ objects: \ cabling, and network access interfaces from accidental damage, disruption,\ \ and physical tampering.\n\u2022\tConsider implementing redundant and physically\ \ separated power systems for organization\u2019s critical operations." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3 assessable: false depth: 3 @@ -1070,6 +1297,10 @@ objects: \ be avoided, and if unavoidable done through an encrypted virtual private\ \ network (VPN) capability.\n\u2022\tManage all endpoint devices (fixed and\ \ mobile) according to the organization's security policies." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.2 assessable: true depth: 4 
@@ -1079,6 +1310,10 @@ objects: including through multi-factor authentication (MFA). annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs). + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3 assessable: true depth: 4 @@ -1095,6 +1330,9 @@ objects: \ organizational assets should be approved, logged, and performed in a manner\ \ that prevents unauthorized access.\n\u2022\tThe user should be made aware\ \ of any remote connection to its device by a visual indication." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4 assessable: true depth: 4 @@ -1105,6 +1343,8 @@ objects: \ necessary." annotation: This should include that only authorized use of privileged functions from remote access is allowed. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.5 assessable: true depth: 4 @@ -1113,6 +1353,8 @@ objects: description: The security for connections with external systems shall be verified and framed by documented agreements. annotation: Access from pre-defined IP addresses could be considered. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 assessable: false depth: 3 @@ -1141,6 +1383,10 @@ objects: \ for your business needs.\n\u2022\tPermission management should be documented\ \ in a procedure and updated when appropriate.\n\u2022\tUse 'Single Sign On'\ \ (SSO) when appropriate." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2 assessable: true depth: 4 
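Review bot: The trailing context of the `@@ -1095,6 +1330,9 @@` and `@@ -1105,6 +1343,8 @@` hunks shows the URNs `urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4` and `...:r.ac-3.5`, while every sibling under PR.AC-3 uses the `pr.ac-` prefix, which looks like a pre-existing typo rather than an intended identifier. This commit already bumps the library to version 2 and touches those nodes, so it is the natural point to decide whether to correct them; if so, the rename needs a data migration for stored assessments that reference the old URNs, not just a YAML edit, because the URN is the stable key. If the identifiers are deliberately kept as-is for compatibility, a short comment next to them such as `# URN kept for compatibility with existing assessments` would stop the next reader from "fixing" them.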
@@ -1150,14 +1396,18 @@ objects: business's critical information and technology and the means to get access. annotation: 'Means to get access may include: a key, password, code, or administrative privilege.' + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 ref_id: BASIC_PR.AC-4.3 - description: 'Employee access to data and information shall be limited to the + description: Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle - of Least Privilege).' + of Least Privilege). annotation: "The principle of Least Privilege should be understood as the principle\ \ that a security architecture should be designed so that each employee is\ \ granted the minimum system resources and authorizations that the employee\ 
@@ -1168,17 +1418,25 @@ objects: \ of exchanges more easily.\n\u2022\tEnsure that when an employee leaves the\ \ business, all access to the business\u2019s information or systems is blocked\ \ instantly." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4 ref_id: BASIC_PR.AC-4.4 - description: 'Nobody shall have administrator privileges for daily tasks.' + description: Nobody shall have administrator privileges for daily tasks. annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\ \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\ \ administration tasks.\n\u2022\tCreate unique local administrator passwords\ \ and disable unused accounts.\n\u2022\tConsider prohibiting Internet browsing\ \ from administrative accounts." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5 assessable: true depth: 4 @@ -1190,6 +1448,9 @@ objects: annotation: Consider separately identifying each person with access to the organization's critical systems with a username to remove generic and anonymous accounts and access. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.6 assessable: true depth: 4 @@ -1203,6 +1464,9 @@ objects: not allow a single individual to both initiate and approve a transaction (financial\ \ or otherwise).\n\u2022\tensuring that security personnel administering access\ \ control functions do not also administer audit functions." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.7 assessable: true depth: 4 
@@ -1210,6 +1474,9 @@ objects: ref_id: IMPORTANT_PR.AC-4.7 description: Priviliged users shall be managed and monitored. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.8 assessable: true depth: 4 @@ -1220,6 +1487,8 @@ objects: applied accordingly. annotation: Specific restrictions can include, for example, restricting usage to certain days of the week, time of day, or specific durations of time. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.9 assessable: true depth: 4 @@ -1227,6 +1496,8 @@ objects: ref_id: PR.AC-4.9 description: Priviliged users shall be managed, monitored and audited. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5 assessable: false depth: 3 @@ -1255,6 +1526,10 @@ objects: \ operational, and regularly updated.\n\u2022\tConsider installing an Intrusion\ \ Detection / Prevention System (IDPS). These devices analyze network traffic\ \ at a more detailed level and can provide a greater level of protection." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2 assessable: true depth: 4 @@ -1267,6 +1542,10 @@ objects: \ control mechanisms) and control/monitor the traffic between these zones.\n\ \u2022\tWhen the network is \"flat\", the compromise of a vital network component\ \ can lead to the compromise of the entire network." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3 assessable: true depth: 4 
@@ -1274,11 +1553,16 @@ objects: ref_id: IMPORTANT_PR.AC-5.3 description: 'Where appropriate, network integrity of the organization''s critical systems shall be protected by + (1) Identifying, documenting, and controlling connections between system components. + (2) Limiting external connections to the organization''s critical systems.' annotation: Boundary protection mechanisms include, for example, routers, gateways, unidirectional gateways, data diodes, and firewalls separating system components into logically separate networks or subnetworks. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4 assessable: true depth: 4 @@ -1296,6 +1580,9 @@ objects: \u2022\tForce VPN on public networks.\n\u2022\tImplement a closed policy for\ \ security gateways (deny all policy: only allow/open connections that have\ \ been explicitly pre-authorized)." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5 assessable: true depth: 4 @@ -1305,6 +1592,8 @@ objects: proxy servers for defined communications traffic between the organization's critical systems and external networks. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.6 assessable: true depth: 4 @@ -1313,6 +1602,8 @@ objects: description: The organization shall ensure that the organization's critical systems fail safely when a border protection device fails operationally. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6 assessable: false depth: 3 
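Review bot: The description of IMPORTANT_PR.AC-5.3 is extended with `(1) Identifying, …` and `(2) Limiting …` as new lines inside a single-quoted YAML scalar, where line breaks fold to spaces, so unless blank lines separate them (none are visible in the hunk) the stored text becomes one run-on sentence: `… shall be protected by (1) Identifying, documenting, and controlling connections between system components. (2) Limiting external connections to the organization's critical systems.` Elsewhere in this file multi-item text is a double-quoted scalar with explicit `\n\u2022\t` separators (see the IMPORTANT_PR.AC-5.4 annotation in the next hunk), so these items will not render as separate lines the way the bullets do. If separate lines are intended, use the same form, `description: "Where appropriate, network integrity of the organization's critical systems shall be protected by:\n(1) Identifying, documenting, and controlling connections between system components.\n(2) Limiting external connections to the organization's critical systems."`; if inline is intended, the full stop before `(2)` should go.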
@@ -1329,6 +1620,9 @@ objects: the identity of individuals before issuing credentials that provide access to organization's systems. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6.2 assessable: true depth: 4 @@ -1339,6 +1633,8 @@ objects: critical systems; make sure that they are authenticated, and that the unique identifiers are captured when performing system interactions. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7 assessable: false depth: 3 @@ -1359,6 +1655,9 @@ objects: \ and other organizational risks)." annotation: Consider a security-by-design approach for new systems; For existing systems a separate risk assessment should be used. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at assessable: false depth: 2 @@ -1387,6 +1686,10 @@ objects: \ they will be expected to do to protect company\u2019s business information\ \ and technology.\n\u2022\tTraining should be continually updated and reinforced\ \ by awareness campaigns." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-1.2 assessable: true depth: 4 @@ -1411,6 +1714,9 @@ objects: \ the event of an incident should be known to all.\n\u2022\tOrganize a simulation\ \ of a scenario to test your knowledge. Consider performing the exercise for\ \ example at least once a year." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1.3 assessable: true depth: 4 
@@ -1419,6 +1725,8 @@ objects: description: The organization shall implement an evaluation method to measure the effectiveness of the awareness trainings. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2 assessable: false depth: 3 @@ -1434,6 +1742,9 @@ objects: and these users shall be able to demonstrate the understanding of their roles, responsibilities, and authorities. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3 assessable: false depth: 3 @@ -1451,6 +1762,9 @@ objects: annotation: "Enforcement should include that \u2018third party stakeholder\u2019\ -users (e.g. suppliers, customers, partners) can demonstrate the understanding\ \ of their roles and responsibilities." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.2 assessable: true depth: 4 @@ -1462,6 +1776,9 @@ objects: annotation: Third-party providers include, for example, service providers, contractors, and other organizations providing system development, technology services, outsourced applications, or network and security management. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.3 assessable: true depth: 4 @@ -1470,6 +1787,9 @@ objects: description: The organization shall monitor business critical service providers and users for security compliance. annotation: Third party audit results can be used as audit evidence. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3.4 assessable: true depth: 4 
@@ -1478,6 +1798,8 @@ objects: description: The organization shall audit business-critical external service providers for security compliance. annotation: Third party audit results can be used as audit evidence. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4 assessable: false depth: 3 @@ -1495,6 +1817,9 @@ objects: tasks, skills, knowledge, competences is available in the "European Cybersecurity Skills Framework Role Profiles" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles ) + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5 assessable: false depth: 3 @@ -1512,6 +1837,9 @@ objects: facilities are qualified through training before privileges are granted, and that they understand their responsibilities. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds assessable: false depth: 2 @@ -1545,6 +1873,8 @@ objects: \ of system data and audit records (e.g. restricted access rights, daily backups,\ \ data encryption, firewall installation).\n\u2022\tEncrypt hard drives, external\ \ media, stored files, configuration files and data stored in the cloud." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2 assessable: false depth: 3 @@ -1563,6 +1893,8 @@ objects: supported, and authorized software tools. If you send sensitive documents or emails, you may want to consider encrypting those documents and/or emails with appropriate, supported, and authorized software tools. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3 assessable: false depth: 3 
@@ -1584,6 +1916,10 @@ objects: sanitization\u201D and thus related to the requirement and guidance in PR.IP-6.\n\ \u2022\tConsider installing a remote-wiping application on company laptops,\ \ tablets, cell phones, and other mobile devices." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.2 assessable: true depth: 4 @@ -1595,6 +1931,9 @@ objects: annotation: "Accountability should include:\n\u2022\tThe authorization for business-critical\ \ assets to enter and exit the facility.\n\u2022\tMonitoring and maintaining\ \ documentation related to the movements of business-critical assets." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.3 assessable: true depth: 4 @@ -1606,6 +1945,9 @@ objects: \ technical & organizational means (encryption, Access Control (AC), Mobile\ \ Device Management (MDM), monitoring, secure wipe, awareness, signed user\ \ agreement, guidelines & manuals, backups, inventory update \u2026)." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3.4 assessable: true depth: 4 @@ -1614,6 +1956,8 @@ objects: description: The organization shall ensure that disposal actions are approved, tracked, documented, and verified. annotation: Disposal actions include media sanitization actions (See PR.IP-6) + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4 assessable: false depth: 3 @@ -1629,6 +1973,9 @@ objects: critical system information processing, networking, telecommunications, and data storage. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.2 assessable: true depth: 4 
@@ -1638,6 +1985,9 @@ objects: to an alternative system. annotation: Be aware that log services can become a bottleneck and hinder the correct functioning of the source systems. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4.3 assessable: true depth: 4 @@ -1647,6 +1997,8 @@ objects: \ denial-of-service attacks or at least the effect of such attacks will be\ \ limited." annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5 assessable: false depth: 3 @@ -1667,6 +2019,9 @@ objects: \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\ \ configuration of the central directory (Active Directory in Windows environment),\ \ with specific focus on the access to data of key persons in the company." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6 assessable: false depth: 3 @@ -1686,6 +2041,9 @@ objects: checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.2 assessable: true depth: 4 @@ -1694,6 +2052,8 @@ objects: description: The organization shall implement automated tools where feasible to provide notification upon discovering discrepancies during integrity verification. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.3 assessable: true depth: 4 
@@ -1702,6 +2062,8 @@ objects: description: The organization shall implement automatic response capability with pre-defined security safeguards when integrity violations are discovered. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7 assessable: false depth: 3 @@ -1730,6 +2092,8 @@ objects: \ can be made without disrupting operational activities.\n\u2022\tConsider\ \ adding and testing cybersecurity features as early as during development\ \ (secure development lifecycle principles)." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8 assessable: false depth: 3 @@ -1747,6 +2111,8 @@ objects: checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.2 assessable: true depth: 4 @@ -1756,16 +2122,18 @@ objects: tampering to its critical system's hardware into the organization incident response capability. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip assessable: false depth: 2 parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr ref_id: PR.IP name: Information Protection Processes and Procedures - description: 'Security policies (that address purpose, scope, roles, responsibilities, + description: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information - systems and assets.' + systems and assets. - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1 assessable: false depth: 3 
@@ -1789,6 +2157,9 @@ objects: \ system architecture.\n\u2022\tNetwork topology should include the nerve\ \ points of the IT/OT environment (external connections, servers hosting data\ \ and/or sensitive functions, DNS services security, etc.)." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2 assessable: true depth: 4 @@ -1801,6 +2172,8 @@ objects: \ mission essential capabilities is known as the \u201Cconcept of least functionality\u201D\ .\n\u2022\tCapabilities include functions, ports, protocols, software, and/or\ \ services." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2 assessable: false depth: 3 @@ -1821,6 +2194,9 @@ objects: \ training for high-profile roles should be considered.\n\u2022\tWhen hosting\ \ internet facing applications the implementation of a web application firewall\ \ (WAF) should be considered." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2.2 assessable: true depth: 4 @@ -1834,6 +2210,8 @@ objects: \ specification , design, development, implementation.\n\u2022\tConfiguration\ \ management for planned and unplanned changes and change control during the\ \ development.\n\u2022\tFlaw tracking & resolution.\n\u2022\tSecurity testing." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3 assessable: false depth: 3 @@ -1848,6 +2226,9 @@ objects: description: Changes shall be tested and validated before being implemented into operational systems. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3.2 assessable: true depth: 4 
@@ -1857,6 +2238,8 @@ objects: impact analysis shall be performed in a separate test environment before implementation in an operational environment. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4 assessable: false depth: 3 @@ -1880,6 +2263,10 @@ objects: \ backup on the same network as the system on which the original data resides\ \ and provide an offline copy. Among other things, this prevents file encryption\ \ by hackers (risk of ransomware)." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2 assessable: true depth: 4 @@ -1888,6 +2275,9 @@ objects: description: The reliability and integrity of backups shall be verified and tested on regular basis. annotation: This should include regularly testing of the backup restore procedures. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.3 assessable: true depth: 4 @@ -1899,6 +2289,9 @@ objects: annotation: An offline backup of your data is ideally stored in a separate physical location from the original data source and where feasible offsite for extra protection and security. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.4 assessable: true depth: 4 @@ -1911,6 +2304,8 @@ objects: \ Plans, Critical Infrastructure Plans, and Cyber Incident response plans.\n\ \u2022\tRestoration of backup data during contingency plan testing should\ \ be provided." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.5 assessable: true depth: 4 @@ -1920,6 +2315,8 @@ objects: backup. annotation: Seperation of critical system backup from critical information backup should lead to a shorter recovery time. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5 assessable: false depth: 3 
@@ -1940,6 +2337,9 @@ objects: \ suppression mechanisms should take the organization's critical system environment\ \ into account (e.g., water sprinkler systems could be hazardous in specific\ \ environments)." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5.2 assessable: true depth: 4 @@ -1948,6 +2348,8 @@ objects: description: The organization shall implement fire detection devices that activate and notify key personnel automatically in the event of a fire. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6 assessable: false depth: 3 @@ -1967,6 +2369,9 @@ objects: \ or soft copy media (the bits and bytes contained in hard drives, random\ \ access memory (RAM), read-only memory (ROM), disks, memory devices, phones,\ \ mobile computing devices, networking equipment\u2026)" + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6.2 assessable: true depth: 4 @@ -1977,6 +2382,8 @@ objects: \u2022\tConsider applying non-destructive sanitization techniques to portable\ \ storage devices.\n\u2022\tConsider sanitation procedures in proportion to\ \ confidentiality requirements." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7 assessable: false depth: 3 @@ -1992,6 +2399,9 @@ objects: monitoring, measurements, assessments, and lessons learned into protection process updates (continuous improvement). annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.2 assessable: true depth: 4 
@@ -2006,6 +2416,8 @@ objects: conflicts of interest regarding the development, operation, or management of the organization''s critical system under assessment or to the determination of security control effectiveness.' + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.3 assessable: true depth: 4 @@ -2015,6 +2427,8 @@ objects: systems facilitates the review, testing, and continual improvement of the security protection processes. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8 assessable: false depth: 3 @@ -2030,6 +2444,9 @@ objects: its critical system's related security incidents and mitigation measures with designated partners. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.2 assessable: true depth: 4 @@ -2038,6 +2455,9 @@ objects: description: Communication of effectiveness of protection technologies shall be shared with appropriate parties. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.3 assessable: true depth: 4 @@ -2046,6 +2466,9 @@ objects: description: The organization shall implement, where feasible, automated mechanisms to assist in information collaboration. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9 assessable: false depth: 3 @@ -2072,6 +2495,9 @@ objects: s systems, should be addressed.\n\u2022\tConsider defining incident types,\ \ resources and management support needed to effectively maintain and mature\ \ the incident response and contingency capabilities." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9.2 assessable: true depth: 4 
@@ -2084,6 +2510,8 @@ objects: Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber incident response plans, and Occupant Emergency Plans. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11 assessable: false depth: 3 @@ -2103,6 +2531,10 @@ objects: \tBackground verification checks should take into consideration applicable\ \ laws, regulations, and ethics in proportion to the business requirements,\ \ the classification of the information to be accessed and the perceived risks." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-11.2 assessable: true depth: 4 @@ -2114,6 +2546,9 @@ objects: annotation: "The human resource information/cyber security process should include\ \ access to critical information or technology; background verification checks;\ \ code of conduct; roles, authorities, and responsibilities\u2026" + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12 assessable: false depth: 3 @@ -2132,6 +2567,9 @@ objects: \ in the identified components and distribute updates (software publisher\ \ websites, CERT website, ENISA website).\n\u2022\tThe organization should\ \ identify where its critical system's vulnerabilities may be exposed to adversaries." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma assessable: false depth: 2 @@ -2164,6 +2602,10 @@ objects: \ If you use one of these products, make sure it checks for updates for every\ \ application you use.\n\u2022\tInstall patches and security updates in a\ \ timely manner." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2 assessable: true depth: 4 
@@ -2173,10 +2615,16 @@ objects: and repairs on its critical system components according to approved processes and tools. annotation: 'Consider the below measures: + (1) Perform security updates on all software in a timely manner. + (2) Automate the update process and audit its effectiveness. + (3) Introduce an internal patching culture on desktops, mobile devices, servers, network components, etc. to ensure updates are tracked.' + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.3 assessable: true depth: 4 @@ -2186,6 +2634,9 @@ objects: and monitoring of maintenance tools for use on the its critical systems. annotation: Maintenance tools can include, for example, hardware/software diagnostic test equipment, hardware/software packet sniffers and laptops. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.4 assessable: true depth: 4 @@ -2194,6 +2645,9 @@ objects: description: The organization shall verify security controls following hardware maintenance or repairs, and take action as appropriate. annotation: No additional guidance on this topic + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.5 assessable: true depth: 4 @@ -2202,6 +2656,8 @@ objects: description: The organization shall prevent the unauthorized removal of maintenance equipment containing organization's critical system information. annotation: This requirement maily focuses mainly on OT/ICS environments. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6 assessable: true depth: 4 
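Review bot: The annotation of IMPORTANT_PR.MA-1.2 gains three numbered measures as separate lines inside a single-quoted scalar, so they fold into the preceding text and the stored value reads `Consider the below measures: (1) Perform security updates … (2) Automate … (3) Introduce …` on one line, not as the list the wording "below measures" announces. The rest of this file expresses such lists as double-quoted scalars with `\n\u2022\t` item separators (the BASIC_PR.MA-1.1 annotation in the previous hunk on L72 does exactly that), so this node will render differently from its neighbour. Converting it to `annotation: "Consider the below measures:\n\u2022\tPerform security updates on all software in a timely manner.\n\u2022\tAutomate the update process and audit its effectiveness.\n\u2022\tIntroduce an internal patching culture on desktops, mobile devices, servers, network components, etc. to ensure updates are tracked."` keeps the file consistent. Presumably the source cell is the same for both nodes, so the difference is in how the converter handled it — worth checking there too.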
@@ -2210,8 +2666,10 @@ objects: description: 'Maintenance tools and portable storage devices shall be inspected when brought into the facility and shall be protected by anti-malware solutions so that they are scanned for malicious code before they are used on organization''s - systems.' + systems. ' annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7 assessable: true depth: 4 @@ -2220,6 +2678,8 @@ objects: description: The organization shall verify security controls following hardware and software maintenance or repairs/patching and take action as appropriate. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2 assessable: false depth: 3 @@ -2236,6 +2696,9 @@ objects: to avoid unauthorised access, and approval of the outcome of the maintenance activities as described in approved processes or procedures. annotation: No additional guidance on this topic + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.2 assessable: true depth: 4 @@ -2244,6 +2707,9 @@ objects: description: The organization shall make sure that strong authenticators, record keeping, and session termination for remote maintenance is implemented. annotation: No additional guidance on this topic + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2.3 assessable: true depth: 4 @@ -2254,6 +2720,8 @@ objects: capability comparable to the capability implemented on the equivalent organization's critical system. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt assessable: false depth: 2 
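Review bot: The rewritten last line of the PR.MA-1.6 description now ends in `systems. '`, i.e. this commit adds a trailing space inside the quoted string where the removed line ended `systems.'`. That whitespace becomes part of the stored description and surfaces in exports and any exact-match comparison, while the only change this hunk needed was the `implementation_groups: - E` addition, so the line should stay `systems.'`. The space most likely comes from the source spreadsheet cell; stripping cell values in the converter would stop it recurring in other nodes (the IMPORTANT_PR.PT-1.2 description on L75 ends `time source. '` the same way).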
@@ -2283,6 +2751,10 @@ objects: \ a large use of social media websites or an unusual number of viruses consistently\ \ found on a particular computer. These trends may indicate a more serious\ \ problem or signal the need for stronger protections in a particular area." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2 assessable: true depth: 4 @@ -2293,6 +2765,9 @@ objects: synchronized to an authoritative time source. ' annotation: Authoritative time sources include for example, an internal Network Time Protocol (NTP) server, radio clock, atomic clock, GPS time source. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.3 assessable: true depth: 4 @@ -2301,6 +2776,8 @@ objects: description: "The organization shall ensure that audit processing failures on\ \ the organization's systems generate alerts and trigger defined responses.\t" annotation: The use of System Logging Protocol (Syslog) servers can be considered. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.4 assessable: true depth: 4 @@ -2309,6 +2786,8 @@ objects: description: The organization shall enable authorized individuals to extend audit capabilities when required by events. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2 assessable: false depth: 3 @@ -2324,6 +2803,9 @@ objects: description: The usage restriction of portable storage devices shall be ensured through an appropriate documented policy and supporting safeguards. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.2 assessable: true depth: 4 
@@ -2333,6 +2815,9 @@ objects: removable media unless strictly necessary; in other instances, the execution of autoruns from such media should be disabled. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2.3 assessable: true depth: 4 @@ -2343,6 +2828,8 @@ objects: annotation: Protection and control should include the scanning of all portable storage devices for malicious code before they are used on organization's systems. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3 assessable: false depth: 3 @@ -2359,6 +2846,9 @@ objects: to provide only essential capabilities. annotation: Consider applying the principle of least functionality to access systems and assets (see also PR.AC-4). + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.2 assessable: true depth: 4 @@ -2367,6 +2857,8 @@ objects: description: The organization shall disable defined functions, ports, protocols, and services within its critical systems that it deems unnecessary. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.3 assessable: true depth: 4 @@ -2376,6 +2868,8 @@ objects: a deny-all, permit-by-exception policy to only allow the execution of authorized software programs. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4 assessable: false depth: 3 @@ -2393,6 +2887,10 @@ objects: \ of the specified types are automatically processed (e.g. deleted).\n\u2022\ \tWeb-filters should notify the user if a website may contain malware and\ \ potentially preventing users from accessing that website." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.2 assessable: true depth: 4 
@@ -2410,6 +2908,8 @@ objects: \ methods are typically static. Label or attribute policy mechanisms may be\ \ implemented in hardware, firmware, and software that controls or has device\ \ access, such as device drivers and communications controllers." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.3 assessable: true depth: 4 @@ -2420,6 +2920,8 @@ objects: and integrity of the information being transmitted; This includes the review and documenting of each exception to the traffic flow policy. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de assessable: false depth: 1 @@ -2455,6 +2957,8 @@ objects: \ their generation.\n\u2022\tConsider centralizing your logs.\n\u2022\tConsider\ \ deploying a Security Information and Event Management tool (SIEM) that will\ \ facilitate the correlation and analysis of your data." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2 assessable: false depth: 3 @@ -2469,6 +2973,9 @@ objects: description: The organization shall review and analyze detected events to understand attack targets and methods. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2.2 assessable: true depth: 4 @@ -2478,6 +2985,8 @@ objects: to review and analyze detected events. ' annotation: Consider to review your logs regularly to identify anomalies or abnormal events. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3 assessable: false depth: 3 
@@ -2499,6 +3008,10 @@ objects: \ consistently found on a particular computer. These trends may indicate a\ \ more serious problem or signal the need for stronger protections in a particular\ \ area." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2 assessable: true depth: 4 @@ -2509,6 +3022,9 @@ objects: monitoring, network monitoring, physical access monitoring, and user/administrator reports. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3.3 assessable: true depth: 4 @@ -2519,6 +3035,8 @@ objects: its critical system's monitoring, and facility monitoring to further enhance the ability to identify inappropriate or unusual activity. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4 assessable: false depth: 3 @@ -2534,6 +3052,8 @@ objects: \ individuals resulting from detected events shall be determined and correlated\ \ with risk assessment outcomes." annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5 assessable: false depth: 3 @@ -2549,6 +3069,9 @@ objects: generated alerts to support event detection and to assist in the identification of security alert thresholds. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.2 assessable: true depth: 4 @@ -2556,6 +3079,9 @@ objects: ref_id: IMPORTANT_DE.AE-5.2 description: The organization shall define incident alert thresholds. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm assessable: false depth: 2 
@@ -2581,6 +3107,10 @@ objects: \tConsider, where feasible, including smart phones and other networked devices\ \ when installing and operating firewalls.\n\u2022\tConsider limiting the\ \ number of interconnection gateways to the Internet." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-1.2 assessable: true depth: 4 @@ -2594,6 +3124,9 @@ objects: \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\ \ facing applications the implementation of a web application firewall (WAF)\ \ should be considered." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3 assessable: true depth: 4 @@ -2609,6 +3142,8 @@ objects: \ information/cybersecurity events.\n\u2022\tBoosting system monitoring activity\ \ whenever there is an indication of increased risk.\n\u2022\tPhysical environment,\ \ personnel, and service provider." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2 assessable: false depth: 3 @@ -2624,6 +3159,9 @@ objects: description: The physical environment of the facility shall be monitored for potential information/cybersecurity events. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2.2 assessable: true depth: 4 @@ -2634,6 +3172,8 @@ objects: through physical intrusion alarms, surveillance equipment, independent surveillance teams. annotation: It is recommended to log all visitors. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3 assessable: false depth: 3 
@@ -2649,6 +3189,10 @@ objects: description: End point and network protection tools to monitor end-user behavior for dangerous activity shall be implemented. annotation: Consider deploying an Intrusion Detection/Prevention system (IDS/IPS). + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.2 assessable: true depth: 4 @@ -2661,6 +3205,9 @@ objects: generated because of suspicious activities and take the appropriate actions to remediate the threat, e.g. through the deployment of a security operations centre (SOC). + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.3 assessable: true depth: 4 @@ -2670,6 +3217,9 @@ objects: annotation: Only authorized software should be used and user access rights should be limited to the specific data, resources and applications needed to complete a required task (least privilege principle). + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4 assessable: false depth: 3 @@ -2692,6 +3242,10 @@ objects: It should be considered to provide the same malicious code protection mechanisms\ \ for home computers (e.g. teleworking) or personal devices that are used\ \ for professional work (BYOD)." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2 assessable: true depth: 4 @@ -2700,6 +3254,8 @@ objects: description: The organisation shall set up a system to detect false positives while detecting and eradicating malicious code. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5 assessable: false depth: 3 
@@ -2722,6 +3278,9 @@ objects: \ be based on the potential for the code to cause damage to the systems if\ \ used maliciously. Usage restrictions and implementation guidance should\ \ apply to the selection and use of mobile code installed." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6 assessable: false depth: 3 @@ -2739,6 +3298,9 @@ objects: permissible actions occur during the connection. annotation: This monitoring includes unauthorized personnel access, connections, devices, and software. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.2 assessable: true depth: 4 @@ -2748,6 +3310,9 @@ objects: policies and procedures and contract security requirements shall be monitored relative to their cybersecurity risks. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7 assessable: false depth: 3 @@ -2767,6 +3332,9 @@ objects: \ service providers.\n\u2022\tSystem inventory discrepancies should be included\ \ in the monitoring.\n\u2022\tUnauthorized configuration changes to organization's\ \ critical systems should be included in the monitoring." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7.2 assessable: true depth: 4 @@ -2775,6 +3343,8 @@ objects: description: Unauthorized configuration changes to organization's systems shall be monitored and addressed with the appropriate mitigation actions. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8 assessable: false depth: 3 
@@ -2791,6 +3361,9 @@ objects: are not adversely impacted by the scanning process. annotation: Consider the implementation of a continuous vulnerability scanning program; Including reporting and mitigation plans. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.2 assessable: true depth: 4 @@ -2799,6 +3372,9 @@ objects: description: The vulnerability scanning process shall include analysis, remediation, and information sharing. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp assessable: false depth: 2 @@ -2822,6 +3398,9 @@ objects: with applicable federal and regional laws, industry regulations and standards, policies, and other applicable requirements. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3 assessable: false depth: 3 @@ -2837,6 +3416,9 @@ objects: are operating as intended. annotation: "\u2022\tValidation includes testing.\n\u2022\tValidation should\ \ be demonstrable." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4 assessable: false depth: 3 @@ -2857,6 +3439,9 @@ objects: and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, use of Voice over Internet Protocol (VoIP), and malware disclosure. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5 assessable: false depth: 3 @@ -2874,6 +3459,9 @@ objects: annotation: "\u2022\tThis results in a continuous improvement of the detection\ \ processes.\n\u2022\tThe use of independent teams to assess the detection\ \ process could be considered." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5.2 assessable: true depth: 4 
@@ -2884,6 +3472,8 @@ objects: threat assessment, performance/load testing, and verification and validation testing on the organization's critical systems. annotation: These activities can be outsourced, preferably to accredited organizations. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs assessable: false depth: 1 @@ -2924,6 +3514,10 @@ objects: \ The effectiveness of any corrective action taken should be reviewed. Corrective\ \ actions should be appropriate to the effects of the information/cybersecurity\ \ event encountered.\nInternal Note: Requirements are covered in PR.IP-9" + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co assessable: false depth: 2 @@ -2950,6 +3544,9 @@ objects: annotation: Consider the use the CCB Incident Management Guide to guide you through this exercise and consider bringing in outside experts if needed. Test your plan regularly and adjust it after each incident. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2 assessable: false depth: 3 @@ -2966,6 +3563,9 @@ objects: organization-defined personnel or roles. annotation: All users should have a single point of contact to report any incident and be encouraged to do so. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2.2 assessable: true depth: 4 @@ -2973,6 +3573,8 @@ objects: ref_id: RS.CO-2.2 description: Events shall be reported consistent with established criteria. annotation: Criteria to report should be included in the incident response plan. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3 assessable: false depth: 3 
@@ -2988,6 +3590,10 @@ objects: \ and shared with the organization\u2019s employees in a format that they\ \ can understand." annotation: No additional guidance on this topic. + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-3.2 assessable: true depth: 4 @@ -2997,6 +3603,9 @@ objects: information with relevant stakeholders as foreseen in the incident response plan. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4 assessable: false depth: 3 @@ -3017,6 +3626,9 @@ objects: \ legal departments, operations personnel, and procurement offices.\n\u2022\ \tCoordination with stakeholders occurs consistent with incident response\ \ plans." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5 assessable: false depth: 3 @@ -3033,6 +3645,9 @@ objects: \ voluntarily, as appropriate, with external stakeholders, industry security\ \ groups,\u2026 to achieve broader information/cybersecurity situational awareness." annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an assessable: false depth: 2 @@ -3055,6 +3670,9 @@ objects: description: The organization shall investigate information/cybersecurity-related notifications generated from detection systems. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1.2 assessable: true depth: 4 @@ -3063,6 +3681,8 @@ objects: description: The organization shall implement automated mechanisms to assist in the investigation and analysis of information/cybersecurity-related notifications. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2 assessable: false depth: 3 
@@ -3081,6 +3701,9 @@ objects: \ of risk assessments. In this way, insight is gained into the impact of the\ \ event across the organization.\n\u2022\tConsider including detection of\ \ unauthorized changes to its critical systems in its incident response capabilities." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2.2 assessable: true depth: 4 @@ -3090,6 +3713,8 @@ objects: incident impact analysis. annotation: Implementation could vary from a ticketing system to a Security Information and Event Management (SIEM). + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3 assessable: false depth: 3 @@ -3105,6 +3730,8 @@ objects: and reporting for after-the-fact investigations of information/cybersecurity incidents. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.2 assessable: true depth: 4 @@ -3115,6 +3742,8 @@ objects: annotation: Consider to determine the root cause of an incident. If necessary, use forensics analysis on collected information/cybersecurity event information to achieve this. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4 assessable: false depth: 3 @@ -3134,6 +3763,9 @@ objects: \ not recur or occur elsewhere.\n\u2022\tThe effectiveness of any corrective\ \ action taken should be reviewed.\n\u2022\tCorrective actions should be appropriate\ \ to the effects of the information/cybersecurity incident encountered." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5 assessable: false depth: 3 
@@ -3152,6 +3784,9 @@ objects: from internal and external sources. ' annotation: Internal and external sources could be e.g. internal testing, security bulletins, or security researchers. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2 assessable: true depth: 4 @@ -3161,6 +3796,8 @@ objects: and track remediation efforts for vulnerability information, captured from internal and external sources, to key stakeholders. annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi assessable: false depth: 2 @@ -3188,6 +3825,9 @@ objects: assesses as not dangerous to the organisation's business critical systems and where the risk owner formally accepts the risk (related with the risk appetite of the organization) + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im assessable: false depth: 2 @@ -3214,6 +3854,10 @@ objects: reflect together on ways to improve what happened, how it happened, how we reacted, how it could have gone better, what should be done to prevent it from happening again, etc. + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-1.2 assessable: true depth: 4 @@ -3223,6 +3867,9 @@ objects: updated or new incident handling procedures that shall be tested, approved and trained. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2 assessable: false depth: 3 @@ -3240,6 +3887,9 @@ objects: \ its critical systems, attack vectors, new threats, improved technology,\ \ environment of operation, problems encountered during plan implementation/execution/testing\ \ and lessons learned." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc assessable: false depth: 1 
@@ -3275,6 +3925,10 @@ objects: \ and information systems in case of an incident. This includes shutting down\ \ or locking computers, moving to a backup site, physically removing important\ \ documents, etc.\n\u2022\tWho to call in case of an incident." + implementation_groups: + - B + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1.2 assessable: true depth: 4 @@ -3284,6 +3938,8 @@ objects: \ be continued with little or no loss of operational continuity and continuity\ \ shall be sustained until full system restoration." annotation: No additional guidance on this topic. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im assessable: false depth: 2 @@ -3307,6 +3963,9 @@ objects: recovery activities into updated or new system recovery procedures and, after testing, frame this with appropriate training. annotation: No additional guidance on this topic. + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co assessable: false depth: 2 @@ -3335,6 +3994,9 @@ objects: \ media requests with appropriate and available internal experts who are ready\ \ to be interviewed, screening all of information provided to the media, ensuring\ \ personnel are familiar with public relations and privacy policies." + implementation_groups: + - I + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1.2 assessable: true depth: 4 @@ -3343,6 +4005,8 @@ objects: description: A Public Relations Officer shall be assigned. annotation: "The Public Relations Officer should consider the use of pre-define\ \ external contacts \n(e.g. press, regulators, interest groups)." + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2 assessable: false depth: 3 
@@ -3360,6 +4024,8 @@ objects: annotation: Crisis response strategies include, for example, actions to shape attributions of the crisis, change perceptions of the organization in crisis, and reduce the negative effect generated by the crisis. + implementation_groups: + - E - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3 assessable: false depth: 3 @@ -3376,3 +4042,6 @@ objects: stakeholders, executive and management teams. annotation: Communication of recovery activities to all relevant stakeholders applies only to entities subject to the NIS legislation. + implementation_groups: + - I + - E diff --git a/backend/library/libraries/nist-csf-2.0.yaml b/backend/library/libraries/nist-csf-2.0.yaml index 6452a17c4..3d57b3aaf 100644 --- a/backend/library/libraries/nist-csf-2.0.yaml +++ b/backend/library/libraries/nist-csf-2.0.yaml 
@@ -14,6 +14,101 @@ objects: ref_id: NIST-CSF-2.0 name: NIST CSF v2.0 description: NIST Cybersecurity Framework + scores_definition: + - score: 2 + name: Partial + description: 'Application of the organizational cybersecurity risk strategy + is managed in an ad hoc manner. + + Prioritization is ad hoc and not formally based on objectives or threat environment. + + There is limited awareness of cybersecurity risks at the organizational level. + + The organization implements cybersecurity risk management on an irregular, + case-by-case basis. + + The organization may not have processes that enable cybersecurity information + to be shared within the organization. + + The organization is generally unaware of the cybersecurity risks associated + with its suppliers and the products and services it acquires and uses.' + - score: 2 + name: Risk informed + description: 'Risk management practices are approved by management but may not + be established as organization-wide policy. + + The prioritization of cybersecurity activities and protection needs is directly + informed by organizational risk objectives, the threat environment, or business/mission + requirements. + + There is an awareness of cybersecurity risks at the organizational level, + but an organization-wide approach to managing cybersecurity risks has not + been established. + + Consideration of cybersecurity in organizational objectives and programs may + occur at some but not all levels of the organization. Cyber risk assessment + of organizational and external assets occurs but is not typically repeatable + or reoccurring. + + Cybersecurity information is shared within the organization on an informal + basis. + + The organization is aware of the cybersecurity risks associated with its suppliers + and the products and services it acquires and uses, but it does not act consistently + or formally in response to those risks.' 
+ - score: 3 + name: Repeatable + description: "The organization\u2019s risk management practices are formally\ + \ approved and expressed as policy. \nRisk-informed policies, processes, and\ + \ procedures are defined, implemented as intended, and reviewed.\nOrganizational\ + \ cybersecurity practices are regularly updated based on the application of\ + \ risk management processes to changes in business/mission requirements, threats,\ + \ and technological landscape.\nThere is an organization-wide approach to\ + \ managing cybersecurity risks. Cybersecurity information is routinely shared\ + \ throughout the organization.\nConsistent methods are in place to respond\ + \ effectively to changes in risk. Personnel possess the knowledge and skills\ + \ to perform their appointed roles and responsibilities.\nThe organization\ + \ consistently and accurately monitors the cybersecurity risks of assets.\ + \ Senior cybersecurity and non-cybersecurity executives communicate regularly\ + \ regarding cybersecurity risks. Executives ensure that cybersecurity is considered\ + \ through all lines of operation in the organization.\nThe organization risk\ + \ strategy is informed by the cybersecurity risks associated with its suppliers\ + \ and the products and services it acquires and uses. Personnel formally act\ + \ upon those risks through mechanisms such as written agreements to communicate\ + \ baseline requirements, governance structures (e.g., risk councils), and\ + \ policy implementation and monitoring. These actions are implemented consistently\ + \ and as intended and are continuously monitored and reviewed." + - score: 4 + name: Adaptive + description: 'There is an organization-wide approach to managing cybersecurity + risks that uses risk-informed policies, processes, and procedures to address + potential cybersecurity events. The relationship between cybersecurity risks + and organizational objectives is clearly understood and considered when making + decisions. 
Executives monitor cybersecurity risks in the same context as financial + and other organizational risks. The organizational budget is based on an understanding + of the current and predicted risk environment and risk tolerance. Business + units implement executive vision and analyze system-level risks in the context + of the organizational risk tolerances. + + Cybersecurity risk management is part of the organizational culture. It evolves + from an awareness of previous activities and continuous awareness of activities + on organizational systems and networks. The organization can quickly and efficiently + account for changes to business/mission objectives in how risk is approached + and communicated. + + The organization adapts its cybersecurity practices based on previous and + current cybersecurity activities, including lessons learned and predictive + indicators. Through a process of continuous improvement that incorporates + advanced cybersecurity technologies and practices, the organization actively + adapts to a changing technological landscape and responds in a timely and + effective manner to evolving, sophisticated threats. + + The organization uses real-time or near real-time information to understand + and consistently act upon the cybersecurity risks associated with its suppliers + and the products and services it acquires and uses. + + Cybersecurity information is constantly shared throughout the organization + and with authorized third parties.' requirement_nodes: - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv assessable: false diff --git a/backend/library/libraries/tisax-v6.0.2.yaml b/backend/library/libraries/tisax-v6.0.2.yaml index 7a82f43eb..7c2c6ccce 100644 --- a/backend/library/libraries/tisax-v6.0.2.yaml +++ b/backend/library/libraries/tisax-v6.0.2.yaml 
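Review bot: The first two tiers of the new `scores_definition` both carry `score: 2` (`Partial` and `Risk informed`), so score 1 is never defined and a score of 2 cannot be mapped back to a single tier name; the remaining tiers are `Repeatable` (3) and `Adaptive` (4), so the first entry should read `- score: 1` under `name: Partial`. I also do not see `min_score`/`max_score` added next to `scores_definition` in this hunk, whereas the tisax library declares them alongside its tiers; if they are not set elsewhere in this file, whatever consumes the tiers has to infer the 1–4 range, which is worth confirming against the loader. Consider a load-time check that `score` values in a `scores_definition` are unique and fall within the declared range, since a duplicate here is silent in YAML.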
@@ -21,8 +21,8 @@ copyright: "\xA9 2023 ENX Association, an Association according to the French La \ Works 4.0 International Public License. In addition, You are granted the right\ \ to distribute derivatives under certain terms as detailed in section 9 which are\ \ not part of the Creative Commons license. The complete and valid text of the license\ - \ is to be found in line 17ff. \n" -version: '1' + \ is to be found in line 17ff.\n" +version: 2 provider: VDA packager: intuitem objects: 
@@ -37,25 +37,68 @@ objects: \ https://enx.com/tisax/)\nSource: https://portal.enx.com/isa6-en.xlsx\n" min_score: 0 max_score: 5 - score_definition: + scores_definition: - score: 0 - name: 'Incomplete' - description: 'A process does not exist, is not followed or not suitable to achieve the objective.' + name: Incomplete + description: A process is not available, not followed or not suitable for achieving + the objective. - score: 1 - name: 'Performed' - description: 'A process is followed which is not or insufficiently documented (“informal process”) and there is some evidence that it achieves its objective.' + name: Performed + description: An undocumented or incompletely documented process is followed + and indicators exist that it achieves its objective. - score: 2 - name: 'Managed' - description: 'A process achieving its objectives is followed. Process documentation and process implementation evidence are available.' + name: Managed + description: A process achieving its objectives is followed. Process documentation + and process implementation evidence are available. - score: 3 - name: 'Established' - description: 'A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period.' + name: Established + description: A standard process integrated into the overall system is followed. + Dependencies on other processes are documented and suitable interfaces are + created. Evidence exists that the process has been used sustainably and actively + over an extended period. - score: 4 - name: 'Predictable' - description: 'An established process is followed. The effectiveness of the process is continually monitored by collecting key figures. Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment. 
(Key Performance Indicators)' + name: Predictable + description: An established process is followed. The effectiveness of the process + is continually monitored by collecting key figures. Limit values are defined + at which the process is considered to be insufficiently effective and requires + adjustment. (Key Performance Indicators) - score: 5 - name: 'Optimizing' - description: 'A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by means of dedicated resources.' + name: Optimizing + description: A predictable process with continual improvement as a major objective + is followed. Improvement is actively advanced by dedicated resources. + implementation_groups_definition: + - ref_id: must + name: Requirements (must) + description: Strict requirements without any exemptions. + - ref_id: should + name: Requirements (should) + description: Must be implemented by the organization. In certain circumstances, + however, there may be a valid justification for non-compliance with these + requirements. In case of any deviation, its effects must be understood by + the organization and it must be plausibly justified. + - ref_id: high + name: In case of high protection needs + description: Must additionally be met if the tested subject has high protection + needs. + - ref_id: very_high + name: In case of very high protection needs + description: Must additionally be met if the tested subject has very high protection + needs. + - ref_id: SGA + name: For Simplified Group Assessments (SGA) + description: A simplified way to audit very large organizations with a high + maturity. An example is the TISAX Simplified Group Assessment mechanism that + is an option for TISAX Assessments of an assessment scope with a large number + of sites. + - ref_id: vehicle + name: For vehicles classified as requiring protection + description: Protects physical prototypes which are classified as requiring + protection. 
Prototypes include vehicles, components and parts. The owner of + the intellectual property for the prototype is considered the owner of the + prototype. The owner's commissioning department is responsible for classifying + the protection need of a prototype. For prototypes classified as requiring + high or very high protection, the minimum requirements for prototype protection + must be applied. requirement_nodes: - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1 assessable: false @@ -84,6 +127,8 @@ objects: s goals,\n - A policy is prepared and is released by the organization.\n\ + The policy includes objectives and the significance of information security\ \ within the organization." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node6 assessable: true depth: 4 @@ -96,6 +141,8 @@ objects: \ revision of the policies are established.\n+ The policies are made available\ \ to employees in a suitable form (e.g. intranet).\n+ Employees and external\ \ business partners are informed of any changes relevant to them." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node7 assessable: true depth: 4 @@ -103,6 +150,8 @@ objects: name: (for Simplified Group Assessments) description: + Policies are published and implemented in the entire assessment scope. + implementation_groups: + - SGA - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node8 assessable: false depth: 4 @@ -168,6 +217,8 @@ objects: \ been determined (e.g. ISO\_27001 Statement of Applicability, completed ISA\ \ catalogue).\n+ The effectiveness of the ISMS is regularly reviewed by the\ \ management." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node12 assessable: true depth: 4 
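Review bot: `ref_id: SGA` in the new `implementation_groups_definition` is the only upper-case identifier; the other groups use lower-case `must`, `should`, `high`, `very_high`, `vehicle`, and the `implementation_groups` entries below reference it verbatim as `- SGA`. If the matching between a node's `implementation_groups` and the definition's `ref_id` is exact-string (as it appears to be), either side drifting in case will silently detach those nodes from their group, so I would rename to `ref_id: sga` with matching `- sga` references or leave a comment stating that ref_ids are case-sensitive and acronyms keep their case. The `should` group's description opening with "Must be implemented by the organization" reads as contradictory unless it is a verbatim ISA quote — worth confirming against the source catalogue.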
@@ -176,6 +227,8 @@ objects: description: + The management system is approved by an entity that has the necessary authority for the entire assessment scope (i.e., all locations within the scope). + implementation_groups: + - SGA - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.2.2 assessable: false depth: 3 @@ -196,6 +249,8 @@ objects: + The contact persons are known within the organization and to relevant business partners.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node15 assessable: true depth: 4 @@ -204,6 +259,8 @@ objects: description: "+ There is a definition and documentation of an adequate information\ \ security structure within the organization.\n - Other relevant security\ \ roles are considered." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node16 assessable: true depth: 4 @@ -212,6 +269,8 @@ objects: description: + An appropriate organizational separation of responsibilities should be established in order to avoid conflict of interests (separation of duties). (C, I, A) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node17 assessable: true depth: 4 @@ -219,6 +278,8 @@ objects: name: (for Simplified Group Assessments) description: + A named person with overall responsibility for the management system exists and is available. + implementation_groups: + - SGA - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node18 assessable: false depth: 4 @@ -241,6 +302,8 @@ objects: name: (must) description: + Projects are classified while taking into account the information security requirements. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node21 assessable: true depth: 4 @@ -254,6 +317,8 @@ objects: + For identified information security risks, measures are derived and considered in the project.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node22 assessable: true depth: 4 
@@ -261,6 +326,8 @@ objects: name: (for high protection needs) description: + The measures thus derived are reviewed regularly during the project and reassessed in case of changes to the assessment criteria. (C, I, A) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.2.4 assessable: false depth: 3 @@ -283,6 +350,8 @@ objects: + Mechanisms for shared responsibilities are specified and implemented. + The responsible organization fulfils its respective responsibilities.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node25 assessable: true depth: 4 @@ -292,6 +361,8 @@ objects: and documented based on the necessary security requirements. + The responsible staff is adequately trained.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node26 assessable: true depth: 4 @@ -311,6 +382,8 @@ objects: + Integration into local protective measures (such as secure authentication mechanisms) is established and documented. (C, I, A)' + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.3 assessable: false depth: 2 @@ -333,6 +406,8 @@ objects: \ for these information assets is assigned.\n+ The supporting assets processing\ \ the information assets are identified and recorded:\n - A person responsible\ \ for these supporting assets is assigned." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node30 assessable: true depth: 4 @@ -341,6 +416,8 @@ objects: description: "+ A catalogue of the relevant information assets exists:\n -\ \ The corresponding supporting assets are assigned to each relevant information\ \ asset,\n - The catalogue is subject to regular review." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node31 assessable: false depth: 4 
@@ -399,6 +476,8 @@ objects: \ for the handling of supporting assets (e.g. identification, correct handling,\ \ transport, storage, return, deletion/disposal) depending on the classification\ \ of information assets are in place and implemented." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node34 assessable: true depth: 4 @@ -406,6 +485,8 @@ objects: name: (should) description: + The protection goals of integrity and availability are taken into consideration. + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node35 assessable: false depth: 4 @@ -447,6 +528,8 @@ objects: \ and contractual requirements are considered.\n+ The external IT services\ \ have been harmonized with the protection need of the processed information\ \ assets." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node38 assessable: true depth: 4 @@ -463,6 +546,8 @@ objects: are used. ' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.3.4 assessable: false depth: 3 @@ -480,6 +565,8 @@ objects: \ roles\n - Conformance to the information security requirements\n - Software\ \ use rights and licensing \n - Source / reputation of the software\n+ Software\ \ approval also applies to special purpose software such as maintenance tools" + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node41 assessable: true depth: 4 @@ -495,6 +582,8 @@ objects: + Approval of software is regularly reviewed + Software versions and patch levels are known' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node42 assessable: true depth: 4 
@@ -502,6 +591,8 @@ objects: name: (for very high protection needs) description: + Additional requirements for software use (e.g., need for control or monitoring of usage) are determined (if any) (C, I, A) + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node43 assessable: false depth: 4 @@ -598,6 +689,8 @@ objects: + A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node47 assessable: true depth: 4 @@ -611,6 +704,8 @@ objects: \ followed.\n+ In case of changes to the environment (e.g. organizational\ \ structure, location, changes to regulations), reassessment is carried out\ \ in a timely manner." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.5 assessable: false depth: 2 @@ -640,6 +735,8 @@ objects: is verified at regular intervals. + The results of the conducted reviews are recorded and retained.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node51 assessable: true depth: 4 @@ -647,6 +744,8 @@ objects: name: (should) description: + A plan for content and framework conditions (time schedule, scope, controls) of the reviews to be conducted is provided. + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node52 assessable: true depth: 4 @@ -660,6 +759,8 @@ objects: \ following aspects are considered:\n - The entire assessment scope is covered\n\ \ - Internal audits are conducted regularly\n - Results of internal audits\ \ are tracked within the ISMS structures" + implementation_groups: + - SGA - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.5.2 assessable: false depth: 3 
@@ -675,6 +776,8 @@ objects: and competent body at regular intervals and in case of fundamental changes. + Measures for correcting potential deviations are initiated and pursued.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node55 assessable: true depth: 4 @@ -682,6 +785,8 @@ objects: name: (should) description: + The results of conducted reviews are documented and reported to the management of the organization. + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node56 assessable: true depth: 4 @@ -692,6 +797,8 @@ objects: \ departments which are objective, competent and free from undue influence\ \ (independent)\n - Findings and implementation of corrective actions is\ \ tracked by the independent entity." + implementation_groups: + - SGA - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.6 assessable: false depth: 2 @@ -723,6 +830,8 @@ objects: \ based on perceived risks to report security events are defined, implemented,\ \ and known to all relevant potential reporters\n+ Adequate channels for communication\ \ with event reporters exist." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node60 assessable: true depth: 4 @@ -738,6 +847,8 @@ objects: \ from external parties are defined\n+ Mechanism to - and information how\ \ to - report incidents is accessible by all relevant reporters.\n+ A feedback\ \ procedure to reporters is established." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node61 assessable: true depth: 4 @@ -745,6 +856,8 @@ objects: name: (for very high protection needs) description: + Tests and exercises of event and observation reporting are conducted regularly. (C, I, A) + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.6.2 assessable: false depth: 3 
@@ -765,6 +878,8 @@ objects: + Lessons learned are incorporated into continuous improvement. ' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node64 assessable: true depth: 4 @@ -782,6 +897,8 @@ objects: \ communication)\n - Absence-management\n+ A strategy for filing official\ \ reports and searching prosecution of potentially criminally relevant aspects\ \ of security incidents exists. (C, I, A)\n" + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node65 assessable: true depth: 4 @@ -806,6 +923,8 @@ objects: \ A)\n - Analysis of the impact on the own organization and invocation of\ \ appropriate internal mechanisms\n - The need for reporting according to\ \ own reporting procedures" + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node66 assessable: true depth: 4 @@ -814,6 +933,8 @@ objects: description: "+ Handling of events in different categories and priorities is\ \ regularly tested. (A)\n - Exercise or simulation of rarely occurring categories\ \ and priorities\n - Exercise or simulation include escalation mechanisms" + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node67 assessable: true depth: 4 @@ -821,6 +942,8 @@ objects: name: (for Simplified Group Assessments) description: + Standard mechanisms to report and track relevant security events are established. + implementation_groups: + - SGA - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:1.6.3 assessable: false depth: 3 @@ -839,6 +962,8 @@ objects: \ and authority for crisis management within the organization are defined,\ \ documented, and assigned.\n+ The responsible employees are defined and qualified\ \ for their task." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node70 assessable: true depth: 4 
@@ -866,6 +991,8 @@ objects: \ decision making)\n - Exceptional functions, responsibilities, and authority\ \ (including reporting)\n - Exceptional tools \n+ Crisis planning is reviewed\ \ and updated regularly." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node71 assessable: true depth: 4 @@ -897,6 +1024,8 @@ objects: \ of the crisis planning is evaluated regularly. (A)\n+ Spot based testing\ \ of crisis planning is conducted ((e.g., simulation, table-top-exercises\ \ involving key personnel) (A)" + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node72 assessable: true depth: 4 @@ -904,6 +1033,8 @@ objects: name: (for very high protection needs) description: + Crisis exercises and simulations involving all relevant persons, decision makers are conducted regularly. (A) + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:2 assessable: false depth: 1 @@ -928,6 +1059,8 @@ objects: + The identity of potential employees is verified (e.g. checking identity documents).' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node76 assessable: true depth: 3 @@ -940,6 +1073,8 @@ objects: and job is conducted. (e.g. assessment centre, psychological analysis, checking of references, certificates and diploma, checking of certificates of conduct, checking of professional and private background).' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:2.1.2 assessable: false depth: 2 @@ -955,6 +1090,8 @@ objects: description: '+ A non-disclosure obligation is in effect. + An obligation to comply with the information security policies is in effect.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node79 assessable: true depth: 3 
@@ -967,6 +1104,8 @@ objects: of the staff. + A procedure for handling violations of said obligations is described.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:2.1.3 assessable: false depth: 2 @@ -980,6 +1119,8 @@ objects: parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:2.1.3 name: (must) description: + Employees are trained and made aware. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node82 assessable: true depth: 3 @@ -1000,6 +1141,8 @@ objects: \ out both at regular intervals and in response to events.\n+ Participation\ \ in training and awareness measures is documented. \n+ Contact persons for\ \ information security are known to employees." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:2.1.4 assessable: false depth: 2 @@ -1019,6 +1162,8 @@ objects: \ in private surroundings,\n - Behavior in public surroundings,\n - Measures\ \ for protection from theft (e.g. in public surroundings),\n+ The organization\u2019\ s network is accessed via a secured connection (e.g. VPN) and strong authentication." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node85 assessable: true depth: 3 @@ -1027,6 +1172,8 @@ objects: description: "+ The following aspects are considered:\n - Measures for travelling\ \ (e.g. viewing by authorities),\n - Measures for travelling to security-critical\ \ countries.\n+ Employee awareness." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node86 assessable: true depth: 3 @@ -1034,6 +1181,8 @@ objects: name: (for high protection needs) description: + Protective measures against overhearing and viewing are implemented. (C) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node87 assessable: false depth: 3 
@@ -1062,6 +1211,8 @@ objects: \ are considered in the definition of security zones,\n - This also includes\ \ delivery and shipping areas.\n+ The defined protective measures are implemented.\n\ + The code of conduct for security zones is known to all persons involved." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node91 assessable: true depth: 3 @@ -1083,6 +1234,8 @@ objects: + External properties used for storing and processing information assets are considered in the security zone concept (e.g. storage rooms, garages, workshops, test tracks, data processing centres).' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node92 assessable: true depth: 3 @@ -1090,6 +1243,8 @@ objects: name: (for high protection needs) description: + Protective measures against simple overhearing and viewing are implemented. (C) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node93 assessable: false depth: 3 @@ -1173,6 +1328,8 @@ objects: depth: 3 parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:3.1.2 name: (must) + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:3.1.3 assessable: false depth: 2 @@ -1186,6 +1343,8 @@ objects: name: (must) description: '+ The requirements for the handling of supporting assets (e.g. transport, storage, repair, loss, return, disposal) are determined and fulfilled. ' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node98 assessable: true depth: 3 @@ -1194,6 +1353,8 @@ objects: description: "+ Supporting assets are protected. Disposal of supporting assets\ \ is conducted in accordance with one of the relevant standards (e.g. ISO\_\ 21964, at least Security Level 4). (C)" + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node99 assessable: false depth: 3 
@@ -1232,6 +1393,8 @@ objects: \ devices are determined and fulfilled. The following aspects are considered:\ \ \n - Encryption,\n - Access protection (e.g. PIN, password),\n - Marking\ \ (also considering requirements for use in the presence of customers)." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node102 assessable: true depth: 3 @@ -1240,6 +1403,8 @@ objects: description: '+ Registration of the IT devices. + Users are informed of missing data protection on mobile devices.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node103 assessable: true depth: 3 @@ -1248,6 +1413,8 @@ objects: description: "+ General encryption of mobile data storage devices or the information\ \ assets stored thereon: (C, I)\n - Where this is technically not feasible,\ \ information is protected by similarly effective measures." + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:4 assessable: false depth: 1 @@ -1274,6 +1441,8 @@ objects: \ the entire lifecycle are determined and fulfilled. The following aspects\ \ are considered:\n - Creation, handover, return and destruction,\n - Validity\ \ periods,\n - Traceability,\n - Handling of loss." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node108 assessable: true depth: 4 @@ -1281,6 +1450,8 @@ objects: name: (should) description: + Identification means can be produced under controlled conditions only. + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node109 assessable: true depth: 4 @@ -1291,6 +1462,8 @@ objects: + A strategy of blocking or invalidation of identification means in case of loss is prepared and implemented as far as possible. (C, I, A)' + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:4.1.2 assessable: false depth: 3 
@@ -1307,6 +1480,8 @@ objects: direct accessibility via the internet). + State of the art procedures for user authentication are applied.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node112 assessable: true depth: 4 @@ -1318,6 +1493,8 @@ objects: \ state of the art.\n+ Superior procedures are used for the authentication\ \ of privileged user accounts (e.g. Privileged Access Management, two-factor\ \ authentication)." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node113 assessable: true depth: 4 @@ -1330,6 +1507,8 @@ objects: (C, I, A) ' + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node114 assessable: true depth: 4 @@ -1338,6 +1517,8 @@ objects: description: + Before gaining access to data of very high protection needs, users are authenticated by means of strong authentication (e.g. two-factor authentication) according to the state of the art. (C, I) + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:4.1.3 assessable: false depth: 3 @@ -1368,6 +1549,8 @@ objects: \ information (e.g. length of password, types of characters to be used).\n\ + The login information (e.g. passwords) of a personalized user account must\ \ be known to the assigned user only. " + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node117 assessable: true depth: 4 @@ -1398,6 +1581,8 @@ objects: + Interactive login for service accounts (technical accounts) is technically prevented.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:4.2 assessable: false depth: 2 
@@ -1422,6 +1607,8 @@ objects: \ rights are revoked when no longer needed\n+ The access rights granted for\ \ normal and privileged user accounts and technical accounts are reviewed\ \ at regular intervals also within IT systems of customers." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node121 assessable: true depth: 4 @@ -1433,6 +1620,8 @@ objects: \ accounts are not granted privileged access rights.\n+ The access rights\ \ of a user account are adapted after the user has changed (e.g. to another\ \ field of responsibility)." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node122 assessable: true depth: 4 @@ -1440,6 +1629,8 @@ objects: name: (for high protection needs) description: + The access rights are approved by the responsible internal Information Officer. (C, I, A) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node123 assessable: true depth: 4 @@ -1451,6 +1642,8 @@ objects: \ information shall be protected by similarly effective measures. \n+ Existing\ \ access rights are regularly reviewed at shorter intervals (e.g. quarterly)\ \ (C)" + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node124 assessable: false depth: 4 @@ -1485,6 +1678,8 @@ objects: \ and hash algorithms, protocols) provide the security required by the respective\ \ application field according to the recognized industry standard,\n - to\ \ the extent legally feasible." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node129 assessable: true depth: 4 
@@ -1497,6 +1692,8 @@ objects: \ - Procedures for the complete lifecycle of cryptographic keys, including\ \ generation, storage, archiving, retrieval, distribution, deactivation, renewal,\ \ and deletion.\n+ An emergency process for restoring key material is established." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node130 assessable: true depth: 4 @@ -1504,6 +1701,8 @@ objects: name: (for high protection needs) description: + Key sovereignty requirements (particularly in case of external processing) are determined and fulfilled. (C, I) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.1.2 assessable: false depth: 3 @@ -1520,6 +1719,8 @@ objects: \ requirements for the use of network services are defined and implemented.\n\ + Measures for the protection of transferred contents against unauthorized\ \ access are implemented." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node133 assessable: true depth: 4 @@ -1530,6 +1731,8 @@ objects: \ using content or transport encryption according to the respective classification.\ \ \n+ Remote access connections are verified to possess adequate security\ \ features (e.g., encryption, granting and termination of access) and capabilities." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node134 assessable: true depth: 4 @@ -1538,6 +1741,8 @@ objects: description: "+ Information is transported or transferred in encrypted form:\ \ (C)\n - Where encryption is not feasible, information must be protected\ \ by similarly effective measures." + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node135 assessable: true depth: 4 
@@ -1545,6 +1750,8 @@ objects: name: (for very high protection needs) description: + Information is transported or transferred in content-encrypted form. (C) + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2 assessable: false depth: 2 @@ -1564,6 +1771,8 @@ objects: name: (must) description: + Information security requirements for changes to the organization, business processes, IT systems are determined and applied. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node139 assessable: true depth: 4 @@ -1578,6 +1787,8 @@ objects: testing. + Procedures for fallback in fault cases are considered.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node140 assessable: true depth: 4 @@ -1585,6 +1796,8 @@ objects: name: (for high protection needs) description: + Compliance with the information security requirements is verified during and after the changes are applied. (C, I, A) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2.2 assessable: false depth: 3 @@ -1602,6 +1815,8 @@ objects: operational systems. + A segmentation is implemented based on the results of risk analysis.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node143 assessable: true depth: 4 @@ -1613,6 +1828,8 @@ objects: \ system tools on operational systems (except those required for operation),\n\ \ - Use of different user profiles for development, testing, and operational\ \ systems." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2.3 assessable: false depth: 3 @@ -1628,6 +1845,8 @@ objects: + Technical and organizational measures for protection against malware are defined and implemented.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node146 assessable: true depth: 4 
@@ -1647,6 +1866,8 @@ objects: + For IT systems operated without the use of malware protection software,\ \ alternative measures (e.g. special resilience measures, few services, no\ \ active users, network isolation) are implemented. " + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2.4 assessable: false depth: 3 @@ -1671,6 +1892,8 @@ objects: + Event logs are checked regularly for rule violations and noticeable problems in compliance with the permissible legal and organizational provisions.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node149 assessable: true depth: 4 @@ -1685,6 +1908,8 @@ objects: + Adequate monitoring and recording of any actions on the network that are relevant to information security are established.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node150 assessable: true depth: 4 @@ -1696,6 +1921,8 @@ objects: + Cases of access during connection and disconnection of external networks (e.g. remote maintenance) are logged. (C, I, A)' + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node151 assessable: true depth: 4 @@ -1704,6 +1931,8 @@ objects: description: + Logging of any access to data of very high protection needs as far as technically feasible and as permissible according to legal and organizational provisions. (C, I) + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2.5 assessable: false depth: 3 @@ -1721,6 +1950,8 @@ objects: + Potentially affected IT systems and software are identified, assessed and any vulnerabilities are addressed.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node154 assessable: true depth: 4 
@@ -1732,6 +1963,8 @@ objects: + Risk minimizing measures are implemented, as necessary. + Successful installation of patches is verified in an appropriate manner.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node155 assessable: false depth: 4 @@ -1780,6 +2013,8 @@ objects: and reported to the relevant management. + Measures are derived from the results.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node158 assessable: true depth: 4 @@ -1792,6 +2027,8 @@ objects: \ audits (if applicable)\n - performed from the internet and the internal\ \ network\n+ Within a reasonable period following completion of the audit,\ \ a report is prepared." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node159 assessable: true depth: 4 @@ -1801,6 +2038,8 @@ objects: audit requirements have been identified and are fulfilled (e.g., service specific tests and tools and/or human penetration tests, risk-based time intervals) (A) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node160 assessable: true depth: 4 @@ -1809,6 +2048,8 @@ objects: description: "+ IT systems and services are regularly scanned for vulnerabilities.\ \ (A)\n - Suitable protective measures must be implemented for systems\ \ and services that may not be scanned." + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2.7 assessable: false depth: 3 @@ -1827,6 +2068,8 @@ objects: determined and fulfilled. + Requirements regarding network segmentation are determined and fulfilled.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node163 assessable: true depth: 4 
@@ -1844,6 +2087,8 @@ objects: \ separation options when using external IT services,\n - Adequate separation\ \ between own networks and customer networks while considering customer requirements\n\ \ - Detection and prevention of data loss/leakage" + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node164 assessable: true depth: 4 @@ -1854,6 +2099,8 @@ objects: \ I, A)\n - Authentication of IT systems on the network,\n - Access to the\ \ management interfaces of IT systems is restricted.\n - Specific risks (e.g.\ \ wireless and remote access)" + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2.8 assessable: false depth: 3 @@ -1870,6 +2117,8 @@ objects: + Requirements and responsibilities for continuity and recovery of those IT services are known to relevant stakeholders and fulfilled.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node167 assessable: true depth: 4 @@ -1886,6 +2135,8 @@ objects: \ storage strategies, in case primary storage means are not available\n -\ \ Alternative power and network\n+ Continuity planning is regularly reviewed\ \ and updated" + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node168 assessable: true depth: 4 @@ -1903,6 +2154,8 @@ objects: \ protected against unauthorized modification or deletion by malicious software.\ \ (I, A)\n - Backups are protected against unauthorized access by malicious\ \ software or operators (C, I)" + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node169 assessable: true depth: 4 @@ -1918,6 +2171,8 @@ objects: \ - Alternate storage and backup sites that provide controls equivalent to\ \ that of the primary site. (C, I, A)\n+ Continuity planning is tested regularly.\ \ Tests and any lessons learned are documented. (I, A)" + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.2.9 assessable: false depth: 3 
@@ -1933,6 +2188,8 @@ objects: \ aspects are considered:\n - Appropriate protective measures to ensure confidentiality,\ \ integrity, and availability for data backups.\n+ Recovery concepts exist\ \ for relevant IT services." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node172 assessable: true depth: 4 @@ -1940,6 +2197,8 @@ objects: name: (should) description: "+ A backup and recovery concept exists for each relevant IT service.\n\ \ - Dependencies between IT services and the sequence for recovery are considered.\n" + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node173 assessable: true depth: 4 @@ -1954,6 +2213,8 @@ objects: \ overload scenarios during recovery.\n - Appropriate spatial redundancy\ \ (e.g., separate room, separate fire section, separate datacentre, separate\ \ site)." + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node174 assessable: true depth: 4 @@ -1967,6 +2228,8 @@ objects: + Geographical redundancy is considered in data backup and recovery concepts. (A)' + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.3 assessable: false depth: 2 @@ -1996,6 +2259,8 @@ objects: + System approval tests are carried out under consideration of the information security requirements.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node178 assessable: true depth: 4 @@ -2015,6 +2280,8 @@ objects: \ on the operational system,\n - Requirements for the lifecycle of test data\ \ (e.g. deletion, maximum lifetime on the IT system),\n - Case-related specifications\ \ for the generation of test data are defined." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node179 assessable: true depth: 4 
@@ -2023,6 +2290,8 @@ objects: description: "+ The security of purpose built software or significantly customized\ \ software is tested (e.g. penetration testing) (C, I, A)\n - during commissioning\n\ \ - in case of significant changes\n - or at regular intervals" + implementation_groups: + - very_high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.3.2 assessable: false depth: 3 @@ -2036,6 +2305,8 @@ objects: name: (must) description: + Requirements regarding the information security of network services are determined and fulfilled. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node182 assessable: true depth: 4 @@ -2047,6 +2318,8 @@ objects: + The requirements are agreed in the form of SLAs. + Adequate redundancy solutions are implemented.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node183 assessable: true depth: 4 @@ -2055,6 +2328,8 @@ objects: description: + Procedures for monitoring the quality of network traffic (e.g. traffic flow analyses, availability measurements) are defined and carried out. (A) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.3.3 assessable: false depth: 3 @@ -2069,6 +2344,8 @@ objects: name: (must) description: + A procedure for the return and secure removal of information assets from each external IT service is defined and implemented. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node186 assessable: true depth: 4 @@ -2076,6 +2353,8 @@ objects: name: (should) description: + A description of the termination process is given, adapted to any changes, and contractually regulated. + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:5.3.4 assessable: false depth: 3 
@@ -2089,6 +2368,8 @@ objects: name: (must) description: + Effective segregation (e.g. segregation of clients) prevents access to own information by unauthorized users of other organizations. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node189 assessable: true depth: 4 @@ -2099,6 +2380,8 @@ objects: \ data, functions, customer-specific software, operating system, storage system\ \ and network,\n - Risk assessment for the operation of external software\ \ within the shared environment." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:6 assessable: false depth: 1 @@ -2129,6 +2412,8 @@ objects: and cooperation partners. + Compliance with contractual agreements is verified.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node193 assessable: true depth: 3 @@ -2140,6 +2425,8 @@ objects: + Service reports and documents by contractors and cooperation partners are reviewed.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node194 assessable: true depth: 3 @@ -2148,6 +2435,8 @@ objects: description: + Proof is provided that the information security level of the supplier is adequate for the protection needs of the information (e.g. certificate, attestation, internal audit). (C, I, A) + implementation_groups: + - high - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node195 assessable: false depth: 3 @@ -2210,6 +2499,8 @@ objects: + The requirements and procedures for the use of non-disclosure agreements and the handling of information requiring protection are reviewed at regular intervals.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node198 assessable: true depth: 3 
@@ -2226,6 +2517,8 @@ objects: \ or audit rights) are defined.\n+ A process for monitoring the validity period\ \ of temporary non-disclosure agreements and initiating their extension in\ \ due time is defined and implemented." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:7 assessable: false depth: 1 @@ -2248,6 +2541,8 @@ objects: + Policies regarding compliance with the provisions are defined, implemented, and communicated to the responsible persons.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node202 assessable: true depth: 3 @@ -2255,6 +2550,8 @@ objects: name: (should) description: + The integrity of records in accordance with the legal, regulatory, or contractual provisions and business requirements is considered. + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node203 assessable: false depth: 3 @@ -2306,6 +2603,8 @@ objects: + Processes and procedures for the protection of personally identifiable data are considered in the information security management system.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8 assessable: false depth: 1 @@ -2333,12 +2632,16 @@ objects: \ is established: \n - stability of outer skin,\n - view and sight protection,\n\ \ - protection against unauthorized entry and access control,\n - intrusion\ \ monitoring,\n - documented visitor management,\n - client segregation." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node210 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.1 name: (should) description: + Perimeter security. + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.2 assessable: false depth: 3 
@@ -2352,6 +2655,8 @@ objects: parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.2 name: (must) description: + Unauthorized access to properties is not possible. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node213 assessable: true depth: 4 @@ -2360,6 +2665,8 @@ objects: description: "+ Suitable barriers are in place such as:\n - artificial barriers\ \ (fence systems, walls),\n - technical barriers (detection),\n - natural\ \ barriers (growth, vegetation)." + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.3 assessable: false depth: 3 @@ -2374,6 +2681,8 @@ objects: parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.3 name: (must) description: + Unauthorized access to buildings/security areas is not possible. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node216 assessable: true depth: 4 @@ -2384,6 +2693,8 @@ objects: + Windows and doors in the outer skin are to be built in compliance with RC2 or better.' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.4 assessable: false depth: 3 @@ -2398,6 +2709,8 @@ objects: name: (must) description: + Unauthorized viewing of new developments needing high or very high protection is not possible. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node219 assessable: true depth: 4 
@@ -2406,13 +2719,17 @@ objects: description: '+ Sight protection through relevant glass surfaces is ensured. + View into defined security areas through open doors/gates/windows is prevented. ' + implementation_groups: + - should - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node220 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.4 - name: (for high protection needs) + name: (for vehicles classified as requiring protection) description: + The spatial situation is also suitable for protecting vehicles classified as requiring protection against unauthorized view. + implementation_groups: + - vehicle - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.5 assessable: false depth: 3 @@ -2429,13 +2746,17 @@ objects: \ - mechanical locks with documented key assignment,\n - electronic access\ \ systems with documented authorization assignment,\n - personal access control\ \ including documentation." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node223 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.5 - name: (for high protection needs) + name: (for vehicles classified as requiring protection) description: + The spatial situation is also suitable for protecting vehicles classified as requiring protection against unauthorized access. + implementation_groups: + - vehicle - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.6 assessable: false depth: 3 @@ -2453,6 +2774,8 @@ objects: \ security service or control unit (e.g., according to DIN\_77200, VdS\_3138),\n\ \ - or 24/7 guarding by a certified security service.\n+ Alarm plans are\ \ available.\n+ Timely alarm processing is ensured." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.7 assessable: false depth: 3 
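Review bot: The three nodes renamed to `(for vehicles classified as requiring protection)` are tagged with a new implementation group id `vehicle`, which is not one of the must/should/high/very_high ids every other node in this library uses; unless `vehicle` is also declared in the framework's `implementation_groups_definition` (not visible in this diff), an assessment's group selection will have no entry for it and these requirements could end up permanently unselected or unlabeled in the UI. Please confirm the definition list carries a `vehicle` entry with a `ref_id`, `name` and `description`, or map these nodes to an existing group. A short comment in the library header stating that `vehicle` is orthogonal to the protection-need levels would also help the next person editing this file.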
@@ -2471,6 +2794,8 @@ objects: + Publication of security and visitor regulations. + Country-specific legal provisions regarding data protection are to be observed.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.8 assessable: false depth: 3 @@ -2486,13 +2811,17 @@ objects: \ in effect according to the following aspects:\n - customers, and/or\n \ \ - projects,\n - where segregation is not in effect, explicit approval by\ \ the customer is required." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:node230 assessable: true depth: 4 parent_urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.1.8 - name: (for high protection needs) + name: (for vehicles classified as requiring protection) description: + The spatial situation is also suitable for implementing client segregation for vehicles classified as requiring protection. + implementation_groups: + - vehicle - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.2 assessable: false depth: 2 @@ -2514,6 +2843,8 @@ objects: description: "+ A non-disclosure agreement: \n - between contractor and customer\ \ (company level),\n - with all employees and project members (personal obligation).\n\ + Country-specific legal provisions regarding data protection are to be observed." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.2.2 assessable: false depth: 3 @@ -2533,6 +2864,8 @@ objects: \ actual customer (proof is obtained).\n+ Proof of the subcontractor\u2019\ s compliance with minimum requirements for prototype protection (e.g., certificate,\ \ attestation) is provided." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.2.3 assessable: false depth: 3 
@@ -2555,6 +2888,8 @@ objects: + The completed measures are to be documented. \n+ The training concept for\ \ prototype protection is an integral part of the general training concept\ \ (see also control question 2.1.3 Information Security)." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.2.4 assessable: false depth: 3 @@ -2575,6 +2910,8 @@ objects: + The requirements are considered as a requirement regarding the information security of the project (see Controls 1.2.3 and 7.1.1 Information Security).' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.2.5 assessable: false depth: 3 @@ -2593,6 +2930,8 @@ objects: is in place. + Code of conduct in case of the loss/theft of access control means.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.2.6 assessable: false depth: 3 @@ -2615,6 +2954,8 @@ objects: + Secured transmission/shipping of image material to authorized recipients only.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.2.7 assessable: false depth: 3 @@ -2630,6 +2971,8 @@ objects: description: '+ Specification for carrying along (e.g., sealed/unsealed, etc.). + Specification for use (e.g., phone calls, photography, etc.).' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.3 assessable: false depth: 2 @@ -2654,6 +2997,8 @@ objects: \ customer are known and observed.\n+ The logistics/transport companies explicitly\ \ approved by the customer are commissioned.\n+ A process for reporting any\ \ security-relevant events to the customer is described and implemented." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.3.2 assessable: false depth: 3 
@@ -2668,6 +3013,8 @@ objects: name: (must) description: + The customer-specific requirements for parking/storage are verifiably known and observed. + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.4 assessable: false depth: 2 @@ -2694,6 +3041,8 @@ objects: + A process for the immediate reporting of any damages to the camouflage is described and implemented.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.4.2 assessable: false depth: 3 @@ -2712,6 +3061,8 @@ objects: \ known to users of test and trial grounds: \n - a current list of customer-approved\ \ test and trial grounds\n - code of conduct for ensuring undisturbed trial\ \ operation \n - customer-defined protective measures These are implemented." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.4.3 assessable: false depth: 3 @@ -2732,6 +3083,8 @@ objects: + The code of conduct in case of special incidents (e.g., breakdown, accident, theft...) is known and observed.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.5 assessable: false depth: 2 @@ -2760,6 +3113,8 @@ objects: staff-related). + Code of conduct in case of special incidents.' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:8.5.2 assessable: false depth: 3 @@ -2784,6 +3139,8 @@ objects: staff-related). + Code of conduct in case of special incidents. ' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9 assessable: false depth: 1 @@ -2810,6 +3167,8 @@ objects: organization''s management. ' + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.2 assessable: false depth: 2 
@@ -2841,6 +3200,8 @@ objects: \ the data protection officer by data protection coordinators in the companies\ \ organizational units, depending on the company size (e.g. marketing, sales,\ \ personnel, logistics, development, etc.)" + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.3 assessable: false depth: 2 @@ -2865,6 +3226,8 @@ objects: \ for processing as required by the information security questionnaire are\ \ adequatly implemented for the processing activities\n - There is a process\ \ description / sequence description with defined responsibilities." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.4 assessable: false depth: 2 @@ -2887,6 +3250,8 @@ objects: \ assessment are known.\n+ Data protection impact assessments are carried\ \ out.\n - Responsibilities/tasks and support possibilities in the context\ \ of data protection impact assessments are defined and known." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.5 assessable: false depth: 2 @@ -2909,6 +3274,8 @@ objects: \ GDPR, suitable transfer instruments like standard contractual clauses, transfer\ \ impact assessments, adequacy decisions)\n - Ensuring the consent or the\ \ right of objection of the person responsible for subcontracting" + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.5.2 assessable: false depth: 3 @@ -2925,6 +3292,8 @@ objects: \ to subcontractors and cooperation partners (sub processors).\n+ Compliance\ \ with contractual agreements is reviewed.\n - Contact details of the contact\ \ persons of the subcontractor are available and up to date." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.5.3 assessable: false depth: 3 
@@ -2944,6 +3313,8 @@ objects: \ transfers.\n+ In the case of data transfers to third countries, it is determined\ \ whether the consent of the person responsible is to be obtained for each\ \ transfer to third countries." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.6 assessable: false depth: 2 @@ -2967,6 +3338,8 @@ objects: \ immediately contact the respective person responsible in the event of an\ \ incoming request from a data subject and coordinate the further procedure\ \ with this person." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.6.2 assessable: false depth: 3 @@ -2988,6 +3361,8 @@ objects: \ - Documentation of the incident handling activities\n - Training of employees\ \ on the defined measures/processes\n - Support of the respective controller\ \ in the processing of data protection incidents" + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.7 assessable: false depth: 2 @@ -3009,6 +3384,8 @@ objects: \ are obliged to maintain confidentiality (even beyond the duration of the\ \ employment relationship) and to comply with applicable data protection laws.\ \ \n - The obligation is documented" + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.7.2 assessable: false depth: 3 @@ -3025,6 +3402,8 @@ objects: \ of the data\n - Employees in critical areas (e.g. IT administrators) are\ \ instructed and trained specifically for their work (e.g. specific training\ \ courses or instructions, short videos, etc.)." + implementation_groups: + - must - urn: urn:intuitem:risk:req_node:tisax-v6.0.2:9.8 assessable: false depth: 2 @@ -3047,3 +3426,5 @@ objects: \ ensure that:\n - Received instructions are documented\n - Instructions can\ \ be implemented (e.g. procedures for correcting, deleting, ...)\n - Data\ \ is separated by client and specific order or project" + implementation_groups: + - must 
diff --git a/backend/library/utils.py b/backend/library/utils.py index 7174ed799..5ec9da18e 100644 --- a/backend/library/utils.py +++ b/backend/library/utils.py @@ -200,7 +200,7 @@ def import_requirement_node(self, framework_object: Framework): order_id=self.index, name=self.requirement_data.get("name"), description=self.requirement_data.get("description"), - maturity=self.requirement_data.get("maturity"), + implementation_groups=self.requirement_data.get("implementation_groups"), locale=framework_object.locale, default_locale=framework_object.default_locale, is_published=True, @@ -218,11 +218,10 @@ def import_requirement_node(self, framework_object: Framework): # The couple (URN, locale) is unique. ===> Check it in the future class FrameworkImporter: REQUIRED_FIELDS = {"ref_id", "urn"} - OBJECT_FIELDS = {"requirement_nodes", "requirements"} # "requirement_levels" + OBJECT_FIELDS = {"requirement_nodes", "requirements"} def __init__(self, framework_data: dict): self.framework_data = framework_data - # self._requirement_levels = [] self._requirement_nodes = [] def init_requirement_nodes(self, requirement_nodes: List[dict]) -> Union[str, None]: 
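Review bot: The new `implementation_groups=self.requirement_data.get("implementation_groups")` stores the raw library value with no normalization or validation, while this same commit's documentation describes the field once as a "comma-separated list" and once as json, and the YAML libraries in this diff actually supply a sequence (`- must`). A typo or an undeclared id in a library (the TISAX file here introduces `vehicle` next to must/should/high/very_high) would silently produce a requirement node that no selection can ever match. Since `framework_object` is in scope, consider checking that the value is a list and that each entry is a `ref_id` present in `framework_object.implementation_groups_definition` when that definition is not None, rejecting or at least logging unknown ids at import time in the same spirit as REQUIRED_FIELDS. import_requirement_node's body begins and ends outside this hunk.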
@@ -307,13 +306,20 @@ def import_framework(self, library_object: Library): description=self.framework_data.get("description"), min_score=min_score, max_score=max_score, - score_definition=self.framework_data.get("score_definition"), + scores_definition=self.framework_data.get("scores_definition"), + implementation_groups_definition=self.framework_data.get( + "implementation_groups_definition" + ), provider=library_object.provider, locale=library_object.locale, default_locale=library_object.default_locale, # Change this in the future ? is_published=True, ) - + print("framework_object1", self.framework_data.get("scores_definition")) + print( + "framework_object2", + self.framework_data.get("implementation_groups_definition"), + ) for requirement_node in self._requirement_nodes: requirement_node.import_requirement_node(framework_object) diff --git a/backend/requirements.txt b/backend/requirements.txt index 4ce43ef8a..f019233cc 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -7,10 +7,10 @@ pytest-html==4.1.1 django-filter==24.2 whitenoise==6.6.0 argon2-cffi==23.1.0 -typing-extensions==4.10.0 -djangorestframework==3.15.0 +typing-extensions==4.11.0 +djangorestframework==3.15.1 django-stubs==4.2.7 -coverage==7.4.4 +coverage==7.5.0 django-tailwind==3.8.0 pyyaml==6.0.1 django-structlog==8.0.0 diff --git a/documentation/architecture/data-model.md b/documentation/architecture/data-model.md index 7049865b0..d6e6787dc 100644 --- a/documentation/architecture/data-model.md +++ b/documentation/architecture/data-model.md @@ -108,9 +108,10 @@ erDiagram string description string annotation string provider + json implementation_groups_definition int min_score int max_score - json score_definition + json scores_definition } COMPLIANCE_ASSESSMENT { @@ -125,6 +126,10 @@ erDiagram principal[] author principal[] reviewer string[] tags + string[] selected_implementation_groups + int min_score + int max_score + json scores_definition } RISK_ASSESSMENT { 
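Review bot: The two `print("framework_object1", ...)` / `print("framework_object2", ...)` calls added after the Framework creation look like leftover debugging; they dump the imported library's scores_definition and implementation_groups_definition to stdout on every import, which in a server process lands in raw container output instead of the application logger. Drop them, or if the trace is wanted keep it at debug level through the module's logger (whether this module already has one is not visible in the hunk). Separately, `implementation_groups_definition` is copied from the library file straight into the JSON field with no shape check; a minimal assertion that it is None or a list of dicts each carrying `ref_id` would stop a malformed library from creating a framework whose group selection is undefined later. import_framework starts before this hunk.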
@@ -164,7 +169,7 @@ erDiagram urn parent_urn int order_id - int maturity + json implementation_groups boolean assessable } @@ -202,6 +207,7 @@ erDiagram int score string result string mapping_inference + bool selected } EVIDENCE { @@ -497,7 +503,7 @@ namespace ReferentialObjects { +Framework framework +CharField parent_urn +IntegerField order_id - +IntegerField maturity + +json implementation_groups +BooleanField assessable } 
@@ -669,13 +675,21 @@ Assets are of category primary or support. A primary asset has no parent, a supp The fundamental object of CISO Assistant for compliance is the framework. It corresponds to a given standard, e.g. ISO27001:2013. It mainly contains requirements nodes. A requirement node can be assessable or not (e.g. title or informational elements are not assessable). Assessable requirement nodes can be simply called "requirements". The structure (tree) of requirements is defined by the requirement node objects. The *parent_urn* of a requirement node can either be the URN of another requirement node or null for top-level objects. This allows to simply define the structure of a framework. An assessable requirement node can be the child of another assessable requirement node, which is very convenient for frameworks that have lists of conditions attached to a requirement. -The maturity field describes the maturity level of the requirement node, when this is relevant (e.g. for CMMC or CIS). +The implementation_groups field contains a comma-separated list of implementation groups where the requirement node is found, when this is relevant (e.g. for CMMC or CIS). Implementation groups are identified by their ref_id string. Implementation groups are independent, a requirement can be member of any implementation group. Implementation groups are defined in the implementation_groups_definition json field (None by default), that contains a list of objects containing the following fields (example for CMMC): + +```json +{ + "ref_id": "1", + "name": "Foundational", + "description": "Practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 commonly referred to as the FAR Clause" +} +``` A requirement node can be covered by typical reference controls. A requirement node can cover typical threats. This information is provided in the form of optional links between requirement nodes and reference controls/threats. 
This is only informative, but is an important added value of CISO Assistant. The order_id variable allows to sort the requirements nodes, it starts at 0 and is incremented automatically in a given group at import. -A framework always has a numerical score scale from min_score to max_score. If not explicit, the default values are 0 and 100 (percentage). It is also possible to have a score_definition json, that contains a list of score levels objects. Each score level is an object containing the following fields (example from TISAX): +A framework always has a numerical score scale from min_score to max_score. If not explicit, the default values are 0 and 100 (percentage). It is also possible to have a scores_definition json, that contains a list of score levels objects. Each score level is an object containing the following fields (example from TISAX): ```json { @@ -685,7 +699,9 @@ A framework always has a numerical score scale from min_score to max_score. If n } ``` -When present, the score_definition allows to customize the score display as a drop-down list. +When present, the scores_definition allows to customize the score display as a drop-down list. + +Note: the score scale for a framework can be overridden when creating a compliance assessment. ## Threats 
@@ -743,12 +759,23 @@ Here are the specific fields for requirement assessments: - ETA (Estimated Time of Arrival) date - due date. This is for example useful to organize an audit plan. -The compliance assessment score is a read-only field which is calculated when at least one requirement assessment is scored. We calculate the average of scored requriement assessments (ignoring requirement assessments with an undefined score). +The compliance assessment score is a read-only field which is calculated when at least one requirement assessment is scored. We calculate the average of scored requriement assessments (ignoring requirement assessments with an undefined score or with status not-applicable). Requirement assessments can have attached evidences. An evidence contains a name, a description, an attached file, a url link. The auditor is free to use the result field (qualitative assessment), the score field (quantitative assessment), or both of them. +Compliance assessments have a selected_implementation_groups field that contains the selected implementation groups. The None default value consists in selecting all groups, which makes sense also for the case no implementation groups are defined. +For the sake of performance, when a change is done on the selected implementation groups, the "selected" field of corresponding requirement assessments is updated. When changing the selection, no data shall be lost, so auditors can easily test the effect of various selections. + +Note: the selection is persistent, and used in particular for reporting and analytics. The UX could provide dynamic capacity to show or hide implementation groups independently of the selection (e.g. a button "show unselected requirements"). + +Compliance assessments have a score scale (min_score, max_score, score definition) that is inherited from the corresponding framework. But it is possible during the creation of the assessment to specify another score scale. 
The following hardcoded score scales are proposed as an alternative: +- percentage (0-100%, no score definition) +- CMMI (1-5, Initial/Managed/Defined/Quantitatively Managed/Optimizing) +- 0-5 (0-5, no score definition) +- 0-10 (0-10, no score definition) + ### Mappings Mappings are referential objects that describe relations between requirements from a reference framework to a focal framework. The definition of mappings is based on NIST OLIR program (see https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8278r1.ipd.pdf). diff --git a/frontend/messages/en.json b/frontend/messages/en.json index ee0a1804e..a6fc37911 100644 --- a/frontend/messages/en.json +++ b/frontend/messages/en.json @@ -510,5 +510,5 @@ "setTemporaryPassword2": "Please use a strong one and make sure to inform the user to change it as soon as possible", "youCanSetNewPassword": "You can set a new password here", "userWillBeDisconnected": "The user will be disconnected and will need to log in again", - "scoreDefinition": "Score definition" + "scoresDefinition": "Scores definition" } diff --git a/frontend/messages/fr.json b/frontend/messages/fr.json index 02696cf73..a3c80d89e 100644 --- a/frontend/messages/fr.json +++ b/frontend/messages/fr.json @@ -510,5 +510,5 @@ "setTemporaryPassword2": "Veuillez en utiliser un solide et assurez-vous d'informer l'utilisateur de le modifier dès que possible.", "youCanSetNewPassword": "Vous pouvez définir un nouveau mot de passe ici", "userWillBeDisconnected": "L'utilisateur sera déconnecté et devra se reconnecter", - "scoreDefinition": "Définition du score" + "scoresDefinition": "Définition des scores" } diff --git a/frontend/package-lock.json b/frontend/package-lock.json index bcdb32e5c..6d8f6a1ef 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json 
@@ -69,15 +69,6 @@ "zod": "^3.22.2" } }, - "node_modules/@aashutoshrathi/word-wrap": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@aashutoshrathi/word-wrap/-/word-wrap-1.2.6.tgz", - "integrity": "sha512-1Yjs2SvM8TflER/OD3cOjhWWOZb58A2t7wpE2S9XfBYTiIl+XFhQG2bjy4Pu1I+EAlCNUzRDYDdFwFYUKvXcIA==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/@adobe/css-tools": { "version": "4.3.3", "resolved": "https://registry.npmjs.org/@adobe/css-tools/-/css-tools-4.3.3.tgz", @@ -268,9 +259,9 @@ } }, "node_modules/@babel/helper-define-polyfill-provider": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/@babel/helper-define-polyfill-provider/-/helper-define-polyfill-provider-0.6.1.tgz", - "integrity": "sha512-o7SDgTJuvx5vLKD6SFvkydkSMBvahDKGiNJzG22IZYXhiqoe9efY7zocICBgzHV4IRg5wdgl2nEL/tulKIEIbA==", + "version": "0.6.2", + "resolved": "https://registry.npmjs.org/@babel/helper-define-polyfill-provider/-/helper-define-polyfill-provider-0.6.2.tgz", + "integrity": "sha512-LV76g+C502biUK6AyZ3LK10vDpDyCzZnhZFXkH1L75zHPj68+qc8Zfpx2th+gzwA2MzyK+1g/3EPl62yFnVttQ==", "dev": true, "dependencies": { "@babel/helper-compilation-targets": "^7.22.6", 
@@ -2624,29 +2615,29 @@ "dev": true }, "node_modules/@floating-ui/core": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.6.0.tgz", - "integrity": "sha512-PcF++MykgmTj3CIyOQbKA/hDzOAiqI3mhuoN44WRCopIs1sgoDoU4oty4Jtqaj/y3oDU6fnVSm4QG0a3t5i0+g==", + "version": "1.6.1", + "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.6.1.tgz", + "integrity": "sha512-42UH54oPZHPdRHdw6BgoBD6cg/eVTmVrFcgeRDM3jbO7uxSoipVcmcIGFcA5jmOHO5apcyvBhkSKES3fQJnu7A==", "dependencies": { - "@floating-ui/utils": "^0.2.1" + "@floating-ui/utils": "^0.2.0" } }, "node_modules/@floating-ui/dom": { - "version": "1.6.3", - "resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.6.3.tgz", - "integrity": "sha512-RnDthu3mzPlQ31Ss/BTwQ1zjzIhr3lk1gZB1OC56h/1vEtaXkESrOqL5fQVMfXpwGtRwX+YsZBdyHtJMQnkArw==", + "version": "1.6.4", + "resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.6.4.tgz", + "integrity": "sha512-0G8R+zOvQsAG1pg2Q99P21jiqxqGBW1iRe/iXHsBRBxnpXKFI8QwbB4x5KmYLggNO5m34IQgOIu9SCRfR/WWiQ==", "dependencies": { "@floating-ui/core": "^1.0.0", "@floating-ui/utils": "^0.2.0" } }, "node_modules/@floating-ui/react-dom": { - "version": "2.0.8", - "resolved": "https://registry.npmjs.org/@floating-ui/react-dom/-/react-dom-2.0.8.tgz", - "integrity": "sha512-HOdqOt3R3OGeTKidaLvJKcgg75S6tibQ3Tif4eyd91QnIJWr0NLvoXFpJA/j8HqkFSL68GDca9AuyWEHlhyClw==", + "version": "2.0.9", + "resolved": "https://registry.npmjs.org/@floating-ui/react-dom/-/react-dom-2.0.9.tgz", + "integrity": "sha512-q0umO0+LQK4+p6aGyvzASqKbKOJcAHJ7ycE9CuUvfx3s9zTHWmGJTPOIlM/hmSBfUfg/XfY5YhLBLR/LHwShQQ==", "dev": true, "dependencies": { - "@floating-ui/dom": "^1.6.1" + "@floating-ui/dom": "^1.0.0" }, "peerDependencies": { "react": ">=16.8.0", 
@@ -2654,9 +2645,9 @@ } }, "node_modules/@floating-ui/utils": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.1.tgz", - "integrity": "sha512-9TANp6GPoMtYzQdt54kfAyMmz1+osLlXdg2ENroU7zzrtflTLrrC/lgrIfaSe+Wu0b89GKccT7vxXA0MoAIO+Q==" + "version": "0.2.2", + "resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.2.tgz", + "integrity": "sha512-J4yDIIthosAsRZ5CPYP/jQvUAQtlZTTD/4suA08/FEnlxqW3sKS9iAhgsa9VYLZ6vDHn/ixJgIqRQPotoBjxIw==" }, "node_modules/@formatjs/ecma402-abstract": { "version": "1.18.2", 
@@ -2844,20 +2835,20 @@ } }, "node_modules/@inlang/paraglide-js-adapter-unplugin": { - "version": "1.4.20", - "resolved": "https://registry.npmjs.org/@inlang/paraglide-js-adapter-unplugin/-/paraglide-js-adapter-unplugin-1.4.20.tgz", - "integrity": "sha512-s+/qX4SblEKfFv1vULSUsJh63PcDYfStzkEej5IZIhmYciUna8jNzVOC50WM2rW3a5Z6wqJSHffmCxGK08prlw==", + "version": "1.4.29", + "resolved": "https://registry.npmjs.org/@inlang/paraglide-js-adapter-unplugin/-/paraglide-js-adapter-unplugin-1.4.29.tgz", + "integrity": "sha512-CDhQ69M9Ej8wfY/8P2rdNzwq6ux69A4nlFJqPcWffEX21xMaWGlt8JNspjMjc158KpAYyBGB8bFgTZ5K6o1fwg==", "dependencies": { - "@inlang/paraglide-js": "1.3.7", - "@inlang/sdk": "0.28.3", - "@lix-js/client": "1.2.0", + "@inlang/paraglide-js": "1.7.0", + "@inlang/sdk": "0.33.0", + "@lix-js/client": "1.2.1", "unplugin": "1.5.1" } }, "node_modules/@inlang/paraglide-js-adapter-unplugin/node_modules/@inlang/paraglide-js": { - "version": "1.3.7", - "resolved": "https://registry.npmjs.org/@inlang/paraglide-js/-/paraglide-js-1.3.7.tgz", - "integrity": "sha512-IcaRoYs2yeIaVX2BjJZn1NcaJtC1VbjD4cjZg0+HkfHee+ouTRolE12ioZnh9Stl949MXQ51L8S8CEZ+IVTdMw==", + "version": "1.7.0", + "resolved": "https://registry.npmjs.org/@inlang/paraglide-js/-/paraglide-js-1.7.0.tgz", + "integrity": "sha512-FkyOqMAPd8iks66xZpIqzepzlnMPT/t7sHmZkwN9QzjFu6RUjdSbHSP6dZPdmD1puobhtDQcbbub6NA/OmpuzA==", "dependencies": { "@inlang/detect-json-formatting": "1.0.0", "commander": "11.1.0", 
@@ -2871,11 +2862,11 @@ } }, "node_modules/@inlang/paraglide-js-adapter-vite": { - "version": "1.2.31", - "resolved": "https://registry.npmjs.org/@inlang/paraglide-js-adapter-vite/-/paraglide-js-adapter-vite-1.2.31.tgz", - "integrity": "sha512-VFu5w76RG+OuG/5FLNFsTlGEevpcVhUsXgiCgxXd27WmP3wV8WFt+FcewqbWIQuzfM4t9ys/btAO1oyfE+XVng==", + "version": "1.2.40", + "resolved": "https://registry.npmjs.org/@inlang/paraglide-js-adapter-vite/-/paraglide-js-adapter-vite-1.2.40.tgz", + "integrity": "sha512-2+mAYI4hDMTr7AAei5CNzjqpjzOvsnlGrVvHrohtYs+Jn+tayokDaO7iL5o9k9SYrlXBZ7tUshAw88UQ1+f82Q==", "dependencies": { - "@inlang/paraglide-js-adapter-unplugin": "1.4.20" + "@inlang/paraglide-js-adapter-unplugin": "1.4.29" } }, "node_modules/@inlang/plugin": { @@ -2912,9 +2903,9 @@ "integrity": "sha512-zLGroi9EUiHuOjUOaglUVTFO7EWdo2OARMJLBO1Q5Ga/xJmSQb6XS1lhqEXBFAjgFarfEMX5YEJWWALogYV3wA==" }, "node_modules/@inlang/sdk": { - "version": "0.28.3", - "resolved": "https://registry.npmjs.org/@inlang/sdk/-/sdk-0.28.3.tgz", - "integrity": "sha512-9lcyAU67KHgSIwFhjlX9LDVMxc7R234Wegb/GdoSKyRYd1zbAADrQ2fkIEaYYdOT/h4ouD18OXwEzADk7o2MjA==", + "version": "0.33.0", + "resolved": "https://registry.npmjs.org/@inlang/sdk/-/sdk-0.33.0.tgz", + "integrity": "sha512-bwSGay4kg9RmqxqBVQuSxCl8ZFqOKDvvvxpb7oAQoMVbDL+dX0J5pc8Yh7AMzY9TYWXwt7yT2umeZtHz9UvfZw==", "dependencies": { "@inlang/json-types": "1.1.0", "@inlang/language-tag": "1.5.1", @@ -2925,7 +2916,7 @@ "@inlang/project-settings": "2.4.0", "@inlang/result": "1.1.0", "@inlang/translatable": "1.3.1", - "@lix-js/client": "1.2.0", + "@lix-js/client": "1.2.1", "@lix-js/fs": "1.0.0", "@sinclair/typebox": "^0.31.17", "debug": "^4.3.4", 
@@ -3188,9 +3179,9 @@ "dev": true }, "node_modules/@lix-js/client": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/@lix-js/client/-/client-1.2.0.tgz", - "integrity": "sha512-CfEk4GcH+ocD6gMKmlC3lDTK0BmgUmtM9ANGuIpJ3PFup0z6ff4Wz8dJYqjbh35TLCwsrPHW3q2pOth39q1i6w==", + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/@lix-js/client/-/client-1.2.1.tgz", + "integrity": "sha512-9EjzAWX2GAUk1LPdG8JZoAjQUYVSENQ7GesDMdvvkbE86cwpOfIf79aRcVCDF0zuBk5ferikGLSv5IJD/+i6Ig==", "dependencies": { "@lix-js/fs": "1.0.0", "@octokit/types": "12.4.0 ", @@ -3301,15 +3292,15 @@ } }, "node_modules/@octokit/auth-app": { - "version": "6.1.0", - "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-6.1.0.tgz", - "integrity": "sha512-UlCxZAlNM1FKkRdSJjGo/Ly2rGKGeuW49sLFuii++A+Yylv+Dxgl/eCEBP46Cjr1Xuqpc4wTH0IDFXCztaiFuA==", - "dependencies": { - "@octokit/auth-oauth-app": "^7.0.0", - "@octokit/auth-oauth-user": "^4.0.0", - "@octokit/request": "^8.0.2", - "@octokit/request-error": "^5.0.0", - "@octokit/types": "^12.0.0", + "version": "6.1.1", + "resolved": "https://registry.npmjs.org/@octokit/auth-app/-/auth-app-6.1.1.tgz", + "integrity": "sha512-VrTtzRpyuT5nYGUWeGWQqH//hqEZDV+/yb6+w5wmWpmmUA1Tx950XsAc2mBBfvusfcdF2E7w8jZ1r1WwvfZ9pA==", + "dependencies": { + "@octokit/auth-oauth-app": "^7.1.0", + "@octokit/auth-oauth-user": "^4.1.0", + "@octokit/request": "^8.3.1", + "@octokit/request-error": "^5.1.0", + "@octokit/types": "^13.1.0", "deprecation": "^2.3.1", "lru-cache": "^10.0.0", "universal-github-app-jwt": "^1.1.2", 
@@ -3319,23 +3310,36 @@ "node": ">= 18" } }, + "node_modules/@octokit/auth-app/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/auth-app/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/auth-app/node_modules/lru-cache": { - "version": "10.2.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.0.tgz", - "integrity": "sha512-2bIM8x+VAf6JT4bKAljS1qUWgMsqZRPGJS6FSahIMPVvctcNhyVp7AJu7quxOW9jwkryBReKZY5tY5JYv2n/7Q==", + "version": "10.2.1", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.1.tgz", + "integrity": "sha512-tS24spDe/zXhWbNPErCHs/AGOzbKGHT+ybSBqmdLm8WZ1xXLWvH8Qn71QPAlqVhd0qUTWjy+Kl9JmISgDdEjsA==", "engines": { "node": "14 || >=16.14" } }, "node_modules/@octokit/auth-oauth-app": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-7.0.1.tgz", - "integrity": "sha512-RE0KK0DCjCHXHlQBoubwlLijXEKfhMhKm9gO56xYvFmP1QTMb+vvwRPmQLLx0V+5AvV9N9I3lr1WyTzwL3rMDg==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-app/-/auth-oauth-app-7.1.0.tgz", + "integrity": "sha512-w+SyJN/b0l/HEb4EOPRudo7uUOSW51jcK1jwLa+4r7PA8FPFpoxEnHBHMITqCsc/3Vo2qqFjgQfz/xUUvsSQnA==", "dependencies": { - "@octokit/auth-oauth-device": "^6.0.0", - "@octokit/auth-oauth-user": "^4.0.0", - "@octokit/request": "^8.0.2", - "@octokit/types": "^12.0.0", + "@octokit/auth-oauth-device": "^6.1.0", + "@octokit/auth-oauth-user": "^4.1.0", + 
"@octokit/request": "^8.3.1", + "@octokit/types": "^13.0.0", "@types/btoa-lite": "^1.0.0", "btoa-lite": "^1.0.0", "universal-user-agent": "^6.0.0" 
@@ -3344,29 +3348,55 @@ "node": ">= 18" } }, + "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/auth-oauth-app/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/auth-oauth-device": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-6.0.1.tgz", - "integrity": "sha512-yxU0rkL65QkjbqQedgVx3gmW7YM5fF+r5uaSj9tM/cQGVqloXcqP2xK90eTyYvl29arFVCW8Vz4H/t47mL0ELw==", + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-device/-/auth-oauth-device-6.1.0.tgz", + "integrity": "sha512-FNQ7cb8kASufd6Ej4gnJ3f1QB5vJitkoV1O0/g6e6lUsQ7+VsSNRHRmFScN2tV4IgKA12frrr/cegUs0t+0/Lw==", "dependencies": { - "@octokit/oauth-methods": "^4.0.0", - "@octokit/request": "^8.0.0", - "@octokit/types": "^12.0.0", + "@octokit/oauth-methods": "^4.1.0", + "@octokit/request": "^8.3.1", + "@octokit/types": "^13.0.0", "universal-user-agent": "^6.0.0" }, "engines": { "node": ">= 18" } }, + "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/auth-oauth-device/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": 
"https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/auth-oauth-user": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-4.0.1.tgz", - "integrity": "sha512-N94wWW09d0hleCnrO5wt5MxekatqEJ4zf+1vSe8MKMrhZ7gAXKFOKrDEZW2INltvBWJCyDUELgGRv8gfErH1Iw==", + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/@octokit/auth-oauth-user/-/auth-oauth-user-4.1.0.tgz", + "integrity": "sha512-FrEp8mtFuS/BrJyjpur+4GARteUCrPeR/tZJzD8YourzoVhRics7u7we/aDcKv+yywRNwNi/P4fRi631rG/OyQ==", "dependencies": { - "@octokit/auth-oauth-device": "^6.0.0", - "@octokit/oauth-methods": "^4.0.0", - "@octokit/request": "^8.0.2", - "@octokit/types": "^12.0.0", + "@octokit/auth-oauth-device": "^6.1.0", + "@octokit/oauth-methods": "^4.1.0", + "@octokit/request": "^8.3.1", + "@octokit/types": "^13.0.0", "btoa-lite": "^1.0.0", "universal-user-agent": "^6.0.0" }, @@ -3374,6 +3404,19 @@ "node": ">= 18" } }, + "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/auth-oauth-user/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/auth-token": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz", 
@@ -3395,15 +3438,15 @@ } }, "node_modules/@octokit/core": { - "version": "5.1.0", - "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.1.0.tgz", - "integrity": "sha512-BDa2VAMLSh3otEiaMJ/3Y36GU4qf6GI+VivQ/P41NC6GHcdxpKlqV0ikSZ5gdQsmS3ojXeRx5vasgNTinF0Q4g==", + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.0.tgz", + "integrity": "sha512-1LFfa/qnMQvEOAdzlQymH0ulepxbxnCYAKJZfMci/5XJyIHWgEYnDmgnKakbTh7CH2tFQ5O60oYDvns4i9RAIg==", "dependencies": { "@octokit/auth-token": "^4.0.0", - "@octokit/graphql": "^7.0.0", - "@octokit/request": "^8.0.2", - "@octokit/request-error": "^5.0.0", - "@octokit/types": "^12.0.0", + "@octokit/graphql": "^7.1.0", + "@octokit/request": "^8.3.1", + "@octokit/request-error": "^5.1.0", + "@octokit/types": "^13.0.0", "before-after-hook": "^2.2.0", "universal-user-agent": "^6.0.0" }, 
@@ -3411,31 +3454,70 @@ "node": ">= 18" } }, + "node_modules/@octokit/core/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/core/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/endpoint": { - "version": "9.0.4", - "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.4.tgz", - "integrity": "sha512-DWPLtr1Kz3tv8L0UvXTDP1fNwM0S+z6EJpRcvH66orY6Eld4XBMCSYsaWp4xIm61jTWxK68BrR7ibO+vSDnZqw==", + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.5.tgz", + "integrity": "sha512-ekqR4/+PCLkEBF6qgj8WqJfvDq65RH85OAgrtnVp1mSxaXF03u2xW/hUdweGS5654IlC0wkNYC18Z50tSYTAFw==", "dependencies": { - "@octokit/types": "^12.0.0", + "@octokit/types": "^13.1.0", "universal-user-agent": "^6.0.0" }, "engines": { "node": ">= 18" } }, + "node_modules/@octokit/endpoint/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/endpoint/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, 
"node_modules/@octokit/graphql": { - "version": "7.0.2", - "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.0.2.tgz", - "integrity": "sha512-OJ2iGMtj5Tg3s6RaXH22cJcxXRi7Y3EBqbHTBRq+PQAqfaS8f/236fUrWhfSn8P4jovyzqucxme7/vWSSZBX2Q==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.0.tgz", + "integrity": "sha512-r+oZUH7aMFui1ypZnAvZmn0KSqAUgE1/tUXIWaqUCa1758ts/Jio84GZuzsvUkme98kv0WFY8//n0J1Z+vsIsQ==", "dependencies": { - "@octokit/request": "^8.0.1", - "@octokit/types": "^12.0.0", + "@octokit/request": "^8.3.0", + "@octokit/types": "^13.0.0", "universal-user-agent": "^6.0.0" }, "engines": { "node": ">= 18" } }, + "node_modules/@octokit/graphql/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/graphql/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/oauth-app": { "version": "6.1.0", "resolved": "https://registry.npmjs.org/@octokit/oauth-app/-/oauth-app-6.1.0.tgz", 
@@ -3463,20 +3545,33 @@ } }, "node_modules/@octokit/oauth-methods": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-4.0.1.tgz", - "integrity": "sha512-1NdTGCoBHyD6J0n2WGXg9+yDLZrRNZ0moTEex/LSPr49m530WNKcCfXDghofYptr3st3eTii+EHoG5k/o+vbtw==", + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/@octokit/oauth-methods/-/oauth-methods-4.1.0.tgz", + "integrity": "sha512-4tuKnCRecJ6CG6gr0XcEXdZtkTDbfbnD5oaHBmLERTjTMZNi2CbfEHZxPU41xXLDG4DfKf+sonu00zvKI9NSbw==", "dependencies": { "@octokit/oauth-authorization-url": "^6.0.2", - "@octokit/request": "^8.0.2", - "@octokit/request-error": "^5.0.0", - "@octokit/types": "^12.0.0", + "@octokit/request": "^8.3.1", + "@octokit/request-error": "^5.1.0", + "@octokit/types": "^13.0.0", "btoa-lite": "^1.0.0" }, "engines": { "node": ">= 18" } }, + "node_modules/@octokit/oauth-methods/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/oauth-methods/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/openapi-types": { "version": "19.1.0", "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-19.1.0.tgz", 
@@ -3579,13 +3674,13 @@ } }, "node_modules/@octokit/request": { - "version": "8.2.0", - "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.2.0.tgz", - "integrity": "sha512-exPif6x5uwLqv1N1irkLG1zZNJkOtj8bZxuVHd71U5Ftuxf2wGNvAJyNBcPbPC+EBzwYEbBDdSFb8EPcjpYxPQ==", + "version": "8.4.0", + "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.4.0.tgz", + "integrity": "sha512-9Bb014e+m2TgBeEJGEbdplMVWwPmL1FPtggHQRkV+WVsMggPtEkLKPlcVYm/o8xKLkpJ7B+6N8WfQMtDLX2Dpw==", "dependencies": { - "@octokit/endpoint": "^9.0.0", - "@octokit/request-error": "^5.0.0", - "@octokit/types": "^12.0.0", + "@octokit/endpoint": "^9.0.1", + "@octokit/request-error": "^5.1.0", + "@octokit/types": "^13.1.0", "universal-user-agent": "^6.0.0" }, "engines": { @@ -3593,11 +3688,11 @@ } }, "node_modules/@octokit/request-error": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.0.1.tgz", - "integrity": "sha512-X7pnyTMV7MgtGmiXBwmO6M5kIPrntOXdyKZLigNfQWSEQzVxR4a4vo49vJjTWX70mPndj8KhfT4Dx+2Ng3vnBQ==", + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz", + "integrity": "sha512-GETXfE05J0+7H2STzekpKObFe765O5dlAKUTLNGeH+x47z7JjXHfsHKo5z21D/o/IOZTUEI6nyWyR+bZVP/n5Q==", "dependencies": { - "@octokit/types": "^12.0.0", + "@octokit/types": "^13.1.0", "deprecation": "^2.0.0", "once": "^1.4.0" }, 
@@ -3605,6 +3700,32 @@ "node": ">= 18" } }, + "node_modules/@octokit/request-error/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/request-error/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, + "node_modules/@octokit/request/node_modules/@octokit/openapi-types": { + "version": "22.1.0", + "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz", + "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q==" + }, + "node_modules/@octokit/request/node_modules/@octokit/types": { + "version": "13.4.1", + "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz", + "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==", + "dependencies": { + "@octokit/openapi-types": "^22.1.0" + } + }, "node_modules/@octokit/types": { "version": "12.4.0", "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.4.0.tgz", 
@@ -3651,12 +3772,12 @@ } }, "node_modules/@playwright/test": { - "version": "1.42.1", - "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.42.1.tgz", - "integrity": "sha512-Gq9rmS54mjBL/7/MvBaNOBwbfnh7beHvS6oS4srqXFcQHpQCV1+c8JXWE8VLPyRDhgS3H8x8A7hztqI9VnwrAQ==", + "version": "1.43.1", + "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.43.1.tgz", + "integrity": "sha512-HgtQzFgNEEo4TE22K/X7sYTYNqEMMTZmFS8kTq6m8hXj+m1D8TgwgIbumHddJa9h4yl4GkKb8/bgAl2+g7eDgA==", "dev": true, "dependencies": { - "playwright": "1.42.1" + "playwright": "1.43.1" }, "bin": { "playwright": "cli.js" @@ -4477,9 +4598,9 @@ } }, "node_modules/@rollup/rollup-android-arm-eabi": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.14.0.tgz", - "integrity": "sha512-jwXtxYbRt1V+CdQSy6Z+uZti7JF5irRKF8hlKfEnF/xJpcNGuuiZMBvuoYM+x9sr9iWGnzrlM0+9hvQ1kgkf1w==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.17.0.tgz", + "integrity": "sha512-nNvLvC2fjC+3+bHYN9uaGF3gcyy7RHGZhtl8TB/kINj9hiOQza8kWJGZh47GRPMrqeseO8U+Z8ElDMCZlWBdHA==", "cpu": [ "arm" ], @@ -4490,9 +4611,9 @@ ] }, "node_modules/@rollup/rollup-android-arm64": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.14.0.tgz", - "integrity": "sha512-fI9nduZhCccjzlsA/OuAwtFGWocxA4gqXGTLvOyiF8d+8o0fZUeSztixkYjcGq1fGZY3Tkq4yRvHPFxU+jdZ9Q==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.17.0.tgz", + "integrity": "sha512-+kjt6dvxnyTIAo7oHeYseYhDyZ7xRKTNl/FoQI96PHkJVxoChldJnne/LzYqpqidoK1/0kX0/q+5rrYqjpth6w==", "cpu": [ "arm64" ], 
@@ -4503,9 +4624,9 @@ ] }, "node_modules/@rollup/rollup-darwin-arm64": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.14.0.tgz", - "integrity": "sha512-BcnSPRM76/cD2gQC+rQNGBN6GStBs2pl/FpweW8JYuz5J/IEa0Fr4AtrPv766DB/6b2MZ/AfSIOSGw3nEIP8SA==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.17.0.tgz", + "integrity": "sha512-Oj6Tp0unMpGTBjvNwbSRv3DopMNLu+mjBzhKTt2zLbDJ/45fB1pltr/rqrO4bE95LzuYwhYn127pop+x/pzf5w==", "cpu": [ "arm64" ], @@ -4516,9 +4637,9 @@ ] }, "node_modules/@rollup/rollup-darwin-x64": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.14.0.tgz", - "integrity": "sha512-LDyFB9GRolGN7XI6955aFeI3wCdCUszFWumWU0deHA8VpR3nWRrjG6GtGjBrQxQKFevnUTHKCfPR4IvrW3kCgQ==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.17.0.tgz", + "integrity": "sha512-3nJx0T+yptxMd+v93rBRxSPTAVCv8szu/fGZDJiKX7kvRe9sENj2ggXjCH/KK1xZEmJOhaNo0c9sGMgGdfkvEw==", "cpu": [ "x64" ], 
@@ -4529,9 +4650,22 @@ ] }, "node_modules/@rollup/rollup-linux-arm-gnueabihf": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.14.0.tgz", - "integrity": "sha512-ygrGVhQP47mRh0AAD0zl6QqCbNsf0eTo+vgwkY6LunBcg0f2Jv365GXlDUECIyoXp1kKwL5WW6rsO429DBY/bA==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.17.0.tgz", + "integrity": "sha512-Vb2e8p9b2lxxgqyOlBHmp6hJMu/HSU6g//6Tbr7x5V1DlPCHWLOm37nSIVK314f+IHzORyAQSqL7+9tELxX3zQ==", + "cpu": [ + "arm" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-arm-musleabihf": { + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.17.0.tgz", + "integrity": "sha512-Md60KsmC5ZIaRq/bYYDloklgU+XLEZwS2EXXVcSpiUw+13/ZASvSWQ/P92rQ9YDCL6EIoXxuQ829JkReqdYbGg==", "cpu": [ "arm" ], @@ -4542,9 +4676,9 @@ ] }, "node_modules/@rollup/rollup-linux-arm64-gnu": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.14.0.tgz", - "integrity": "sha512-x+uJ6MAYRlHGe9wi4HQjxpaKHPM3d3JjqqCkeC5gpnnI6OWovLdXTpfa8trjxPLnWKyBsSi5kne+146GAxFt4A==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.17.0.tgz", + "integrity": "sha512-zL5rBFtJ+2EGnMRm2TqKjdjgFqlotSU+ZJEN37nV+fiD3I6Gy0dUh3jBWN0wSlcXVDEJYW7YBe+/2j0N9unb2w==", "cpu": [ "arm64" ], 
@@ -4555,9 +4689,9 @@ ] }, "node_modules/@rollup/rollup-linux-arm64-musl": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.14.0.tgz", - "integrity": "sha512-nrRw8ZTQKg6+Lttwqo6a2VxR9tOroa2m91XbdQ2sUUzHoedXlsyvY1fN4xWdqz8PKmf4orDwejxXHjh7YBGUCA==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.17.0.tgz", + "integrity": "sha512-s2xAyNkJqUdtRVgNK4NK4P9QttS538JuX/kfVQOdZDI5FIKVAUVdLW7qhGfmaySJ1EvN/Bnj9oPm5go9u8navg==", "cpu": [ "arm64" ], @@ -4568,11 +4702,11 @@ ] }, "node_modules/@rollup/rollup-linux-powerpc64le-gnu": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-powerpc64le-gnu/-/rollup-linux-powerpc64le-gnu-4.14.0.tgz", - "integrity": "sha512-xV0d5jDb4aFu84XKr+lcUJ9y3qpIWhttO3Qev97z8DKLXR62LC3cXT/bMZXrjLF9X+P5oSmJTzAhqwUbY96PnA==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-powerpc64le-gnu/-/rollup-linux-powerpc64le-gnu-4.17.0.tgz", + "integrity": "sha512-7F99yzVT67B7IUNMjLD9QCFDCyHkyCJMS1dywZrGgVFJao4VJ9szrIEgH67cR+bXQgEaY01ur/WSL6B0jtcLyA==", "cpu": [ - "ppc64le" + "ppc64" ], "dev": true, "optional": true, @@ -4581,9 +4715,9 @@ ] }, "node_modules/@rollup/rollup-linux-riscv64-gnu": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.14.0.tgz", - "integrity": "sha512-SDDhBQwZX6LPRoPYjAZWyL27LbcBo7WdBFWJi5PI9RPCzU8ijzkQn7tt8NXiXRiFMJCVpkuMkBf4OxSxVMizAw==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.17.0.tgz", + "integrity": "sha512-leFtyiXisfa3Sg9pgZJwRKITWnrQfhtqDjCamnZhkZuIsk1FXmYwKoTkp6lsCgimIcneFFkHKp/yGLxDesga4g==", "cpu": [ "riscv64" ], 
@@ -4594,9 +4728,9 @@ ] }, "node_modules/@rollup/rollup-linux-s390x-gnu": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.14.0.tgz", - "integrity": "sha512-RxB/qez8zIDshNJDufYlTT0ZTVut5eCpAZ3bdXDU9yTxBzui3KhbGjROK2OYTTor7alM7XBhssgoO3CZ0XD3qA==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.17.0.tgz", + "integrity": "sha512-FtOgui6qMJ4jbSXTxElsy/60LEe/3U0rXkkz2G5CJ9rbHPAvjMvI+3qF0A0fwLQ5hW+/ZC6PbnS2KfRW9JkgDQ==", "cpu": [ "s390x" ], @@ -4607,9 +4741,9 @@ ] }, "node_modules/@rollup/rollup-linux-x64-gnu": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.14.0.tgz", - "integrity": "sha512-C6y6z2eCNCfhZxT9u+jAM2Fup89ZjiG5pIzZIDycs1IwESviLxwkQcFRGLjnDrP+PT+v5i4YFvlcfAs+LnreXg==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.17.0.tgz", + "integrity": "sha512-v6eiam/1w3HUfU/ZjzIDodencqgrSqzlNuNtiwH7PFJHYSo1ezL0/UIzmS2lpSJF1ORNaplXeKHYmmdt81vV2g==", "cpu": [ "x64" ], @@ -4620,9 +4754,9 @@ ] }, "node_modules/@rollup/rollup-linux-x64-musl": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.14.0.tgz", - "integrity": "sha512-i0QwbHYfnOMYsBEyjxcwGu5SMIi9sImDVjDg087hpzXqhBSosxkE7gyIYFHgfFl4mr7RrXksIBZ4DoLoP4FhJg==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.17.0.tgz", + "integrity": "sha512-OUhkSdpM5ofVlVU2k4CwVubYwiwu1a4jYWPpubzN7Vzao73GoPBowHcCfaRSFRz1SszJ3HIsk3dZYk4kzbqjgw==", "cpu": [ "x64" ], 
@@ -4633,9 +4767,9 @@ ] }, "node_modules/@rollup/rollup-win32-arm64-msvc": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.14.0.tgz", - "integrity": "sha512-Fq52EYb0riNHLBTAcL0cun+rRwyZ10S9vKzhGKKgeD+XbwunszSY0rVMco5KbOsTlwovP2rTOkiII/fQ4ih/zQ==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.17.0.tgz", + "integrity": "sha512-uL7UYO/MNJPGL/yflybI+HI+n6+4vlfZmQZOCb4I+z/zy1wisHT3exh7oNQsnL6Eso0EUTEfgQ/PaGzzXf6XyQ==", "cpu": [ "arm64" ], @@ -4646,9 +4780,9 @@ ] }, "node_modules/@rollup/rollup-win32-ia32-msvc": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.14.0.tgz", - "integrity": "sha512-e/PBHxPdJ00O9p5Ui43+vixSgVf4NlLsmV6QneGERJ3lnjIua/kim6PRFe3iDueT1rQcgSkYP8ZBBXa/h4iPvw==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.17.0.tgz", + "integrity": "sha512-4WnSgaUiUmXILwFqREdOcqvSj6GD/7FrvSjhaDjmwakX9w4Z2F8JwiSP1AZZbuRkPqzi444UI5FPv33VKOWYFQ==", "cpu": [ "ia32" ], @@ -4659,9 +4793,9 @@ ] }, "node_modules/@rollup/rollup-win32-x64-msvc": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.14.0.tgz", - "integrity": "sha512-aGg7iToJjdklmxlUlJh/PaPNa4PmqHfyRMLunbL3eaMO0gp656+q1zOKkpJ/CVe9CryJv6tAN1HDoR8cNGzkag==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.17.0.tgz", + "integrity": "sha512-ve+D8t1prRSRnF2S3pyDtTXDlvW1Pngbz76tjgYFQW1jxVSysmQCZfPoDAo4WP+Ano8zeYp85LsArZBI12HfwQ==", "cpu": [ "x64" ], 
@@ -4701,9 +4835,9 @@ "integrity": "sha512-/s55Jujywdw/Jpan+vsy6JZs1z2ZTGxTmbZTPiuSL2wz9mfzA2gN1zzaqmvfi4pq+uOt7Du85fkiwv5ymW84aQ==" }, "node_modules/@skeletonlabs/skeleton": { - "version": "2.9.0", - "resolved": "https://registry.npmjs.org/@skeletonlabs/skeleton/-/skeleton-2.9.0.tgz", - "integrity": "sha512-s6l29M0PU+0he8+ifmfA6aA6Hvua58QDgcNlHrm9FFFdlj2D89BkT67f49LihNODOrTia7KewswkbdtYlPe8Ow==", + "version": "2.9.2", + "resolved": "https://registry.npmjs.org/@skeletonlabs/skeleton/-/skeleton-2.9.2.tgz", + "integrity": "sha512-yBRSyxx9eyLsQXqEuYb5YyqE+CY+IfyTroaqfQ4OmqDcIulMivqU7lY58bmLMGHC/g9lzliFkeY4UO4ssaWVpA==", "dev": true, "dependencies": { "esm-env": "1.0.0" @@ -4729,12 +4863,12 @@ "optional": true }, "node_modules/@storybook/addon-actions": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-actions/-/addon-actions-7.6.17.tgz", - "integrity": "sha512-TBphs4v6LRfyTpFo/WINF0TkMaE3rrNog7wW5mbz6n0j8o53kDN4o9ZEcygSL5zQX43CAaghQTeDCss7ueG7ZQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-actions/-/addon-actions-7.6.18.tgz", + "integrity": "sha512-HWS2NqUNH7FGG5QyWMvV3aw2IcwXw6xQwCx2xLUD7fJFqCAf4cDXZIsGnTVHCtoddVRBIlcS+LRmiGU8+mQKdw==", "dev": true, "dependencies": { - "@storybook/core-events": "7.6.17", + "@storybook/core-events": "7.6.18", "@storybook/global": "^5.0.0", "@types/uuid": "^9.0.1", "dequal": "^2.0.2", 
@@ -4747,9 +4881,9 @@ } }, "node_modules/@storybook/addon-backgrounds": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-backgrounds/-/addon-backgrounds-7.6.17.tgz", - "integrity": "sha512-7dize7x8+37PH77kmt69b0xSaeDqOcZ4fpzW6+hk53hIaCVU26eGs4+j+743Xva31eOgZWNLupUhOpUDc6SqZw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-backgrounds/-/addon-backgrounds-7.6.18.tgz", + "integrity": "sha512-Bai0n3RfO+PmsQ69KdRhPvuwCistNLvpKtAEzo9nlpHfYh921OgVfZrKFfWJgYskvyVlaNu0DeR3t6TT8CbT/A==", "dev": true, "dependencies": { "@storybook/global": "^5.0.0", @@ -4762,12 +4896,12 @@ } }, "node_modules/@storybook/addon-controls": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-controls/-/addon-controls-7.6.17.tgz", - "integrity": "sha512-zR0aLaUF7FtV/nMRyfniFbCls/e0DAAoXACuOAUAwNAv0lbIS8AyZZiHSmKucCvziUQ6WceeCC7+du3C+9y0rQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-controls/-/addon-controls-7.6.18.tgz", + "integrity": "sha512-iH/JbltgjDFihRppeniNlGE3Qc86Q5oW8+p77E9B0ILn3yGk3rNOSlOTUg7a1seMjddJfsptDn4xMFHuunYuyQ==", "dev": true, "dependencies": { - "@storybook/blocks": "7.6.17", + "@storybook/blocks": "7.6.18", "lodash": "^4.17.21", "ts-dedent": "^2.0.0" }, 
@@ -4777,26 +4911,26 @@ } }, "node_modules/@storybook/addon-docs": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-docs/-/addon-docs-7.6.17.tgz", - "integrity": "sha512-FKa4Mdy7nhgvEVZJHpMkHriDzpVHbohn87zv9NCL+Ctjs1iAmzGwxEm0culszyDS1HN2ToVoY0h8CSi2RSSZqA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-docs/-/addon-docs-7.6.18.tgz", + "integrity": "sha512-+JzGL5ImwZ5VE+PiEUzRHWKbgvFsg/G2OTzyqZD8vQ+NlB6rmKGzGpXz0c4D6xEupzIJwjbpSN2ZOzgld0Du9Q==", "dev": true, "dependencies": { "@jest/transform": "^29.3.1", "@mdx-js/react": "^2.1.5", - "@storybook/blocks": "7.6.17", - "@storybook/client-logger": "7.6.17", - "@storybook/components": "7.6.17", - "@storybook/csf-plugin": "7.6.17", - "@storybook/csf-tools": "7.6.17", + "@storybook/blocks": "7.6.18", + "@storybook/client-logger": "7.6.18", + "@storybook/components": "7.6.18", + "@storybook/csf-plugin": "7.6.18", + "@storybook/csf-tools": "7.6.18", "@storybook/global": "^5.0.0", "@storybook/mdx2-csf": "^1.0.0", - "@storybook/node-logger": "7.6.17", - "@storybook/postinstall": "7.6.17", - "@storybook/preview-api": "7.6.17", - "@storybook/react-dom-shim": "7.6.17", - "@storybook/theming": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/node-logger": "7.6.18", + "@storybook/postinstall": "7.6.18", + "@storybook/preview-api": "7.6.18", + "@storybook/react-dom-shim": "7.6.18", + "@storybook/theming": "7.6.18", + "@storybook/types": "7.6.18", "fs-extra": "^11.1.0", "remark-external-links": "^8.0.0", "remark-slug": "^6.0.0", 
@@ -4812,24 +4946,24 @@ } }, "node_modules/@storybook/addon-essentials": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-essentials/-/addon-essentials-7.6.17.tgz", - "integrity": "sha512-qlSpamxuYfT2taF953nC9QijGF2pSbg1ewMNpdwLTj16PTZvR/d8NCDMTJujI1bDwM2m18u8Yc43ibh5LEmxCw==", - "dev": true, - "dependencies": { - "@storybook/addon-actions": "7.6.17", - "@storybook/addon-backgrounds": "7.6.17", - "@storybook/addon-controls": "7.6.17", - "@storybook/addon-docs": "7.6.17", - "@storybook/addon-highlight": "7.6.17", - "@storybook/addon-measure": "7.6.17", - "@storybook/addon-outline": "7.6.17", - "@storybook/addon-toolbars": "7.6.17", - "@storybook/addon-viewport": "7.6.17", - "@storybook/core-common": "7.6.17", - "@storybook/manager-api": "7.6.17", - "@storybook/node-logger": "7.6.17", - "@storybook/preview-api": "7.6.17", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-essentials/-/addon-essentials-7.6.18.tgz", + "integrity": "sha512-qgVH442LhIdzCbx0E+eB1+xTj1TOKqSqrUy76viILCK1wfMSeIsU8TNkqnc8hzUQH2IatUJb/t76wXh2eV9s4w==", + "dev": true, + "dependencies": { + "@storybook/addon-actions": "7.6.18", + "@storybook/addon-backgrounds": "7.6.18", + "@storybook/addon-controls": "7.6.18", + "@storybook/addon-docs": "7.6.18", + "@storybook/addon-highlight": "7.6.18", + "@storybook/addon-measure": "7.6.18", + "@storybook/addon-outline": "7.6.18", + "@storybook/addon-toolbars": "7.6.18", + "@storybook/addon-viewport": "7.6.18", + "@storybook/core-common": "7.6.18", + "@storybook/manager-api": "7.6.18", + "@storybook/node-logger": "7.6.18", + "@storybook/preview-api": "7.6.18", "ts-dedent": "^2.0.0" }, "funding": { 
@@ -4842,9 +4976,9 @@ } }, "node_modules/@storybook/addon-highlight": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-highlight/-/addon-highlight-7.6.17.tgz", - "integrity": "sha512-R1yBPUUqGn+60aJakn8q+5Zt34E/gU3n3VmgPdryP0LJUdZ5q1/RZShoVDV+yYQ40htMH6oaCv3OyyPzFAGJ6A==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-highlight/-/addon-highlight-7.6.18.tgz", + "integrity": "sha512-XUR9sTcxqYbes9ckj1b/GyAJ3yFfE/2YnvPFz8vWO9hIZjlL0Wvyiy/1L2DePF1S+zHrYA8+dg65vK8pMXUrnQ==", "dev": true, "dependencies": { "@storybook/global": "^5.0.0" @@ -4855,13 +4989,13 @@ } }, "node_modules/@storybook/addon-interactions": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-interactions/-/addon-interactions-7.6.17.tgz", - "integrity": "sha512-6zlX+RDQ1PlA6fp7C+hun8t7h2RXfCGs5dGrhEenp2lqnR/rYuUJRC0tmKpkZBb8kZVcbSChzkB/JYkBjBCzpQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-interactions/-/addon-interactions-7.6.18.tgz", + "integrity": "sha512-+wMkNpU6rlaLNx7N7VbfRBA4ud1Fx7hGoUs6Tgkbf8rvAKAPV6Bd66O/V2mmUCGLULshdu4HLv5SSKDXId8pag==", "dev": true, "dependencies": { "@storybook/global": "^5.0.0", - "@storybook/types": "7.6.17", + "@storybook/types": "7.6.18", "jest-mock": "^27.0.6", "polished": "^4.2.2", "ts-dedent": "^2.2.0" @@ -4872,9 +5006,9 @@ } }, "node_modules/@storybook/addon-links": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-links/-/addon-links-7.6.17.tgz", - "integrity": "sha512-iFUwKObRn0EKI0zMETsil2p9a/81rCuSMEWECsi+khkCAs1FUnD2cT6Ag5ydcNcBXsdtdfDJdtXQrkw+TSoStQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-links/-/addon-links-7.6.18.tgz", + "integrity": "sha512-KOA9mcl+cSLjdHx4WNkTB/Y+flRnM3MY+Q9/f7suznIYEmx1KKQoOhcmudFKJZEEH5FaQUDaaJE/3sj0JTiBRQ==", "dev": true, "dependencies": { "@storybook/csf": "^0.1.2", 
@@ -4895,9 +5029,9 @@ } }, "node_modules/@storybook/addon-measure": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-measure/-/addon-measure-7.6.17.tgz", - "integrity": "sha512-O5vnHZNkduvZ95jf1UssbOl6ivIxzl5tv+4EpScPYId7w700bxWsJH+QX7ip6KlrCf2o3iUhmPe8bm05ghG2KA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-measure/-/addon-measure-7.6.18.tgz", + "integrity": "sha512-ixEW/RG3iJCiyJQ51vKqlTJHq6vJ7O/xHGGMFV9+RYP0S2klZctQQwLZxUWUjSLUUjCX/DrxVlmK03h+7f+wWA==", "dev": true, "dependencies": { "@storybook/global": "^5.0.0", @@ -4909,9 +5043,9 @@ } }, "node_modules/@storybook/addon-outline": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-outline/-/addon-outline-7.6.17.tgz", - "integrity": "sha512-9o9JXDsYjNaDgz/cY5+jv694+aik/1aiRGGvsCv68e1p/ob0glkGKav4lnJe2VJqD+gCmaARoD8GOJlhoQl8JQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-outline/-/addon-outline-7.6.18.tgz", + "integrity": "sha512-YKHjir/+KZH0P/F8spmm9l/EC28VXlE0beAxeErvpPiA6t1Ykrh7GEPvPEolY1DydKBaLLnd20adLhDskl+oGg==", "dev": true, "dependencies": { "@storybook/global": "^5.0.0", @@ -4923,9 +5057,9 @@ } }, "node_modules/@storybook/addon-toolbars": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-toolbars/-/addon-toolbars-7.6.17.tgz", - "integrity": "sha512-UMrchbUHiyWrh6WuGnpy34Jqzkx/63B+MSgb3CW7YsQaXz64kE0Rol0TNSznnB+mYXplcqH+ndI4r4kFsmgwDg==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-toolbars/-/addon-toolbars-7.6.18.tgz", + "integrity": "sha512-AlqW8rA5gNtxjbTyJtJlVfmqbcSJAWFHTvC7OfwbZRZLmF5agdBUQeAZYI75WBZpdlYrp23s88O+MRMa/CF2yA==", "dev": true, "funding": { "type": "opencollective", 
@@ -4933,9 +5067,9 @@ } }, "node_modules/@storybook/addon-viewport": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/addon-viewport/-/addon-viewport-7.6.17.tgz", - "integrity": "sha512-sA0QCcf4QAMixWvn8uvRYPfkKCSl6JajJaAspoPqXSxHEpK7uwOlpg3kqFU5XJJPXD0X957M+ONgNvBzYqSpEw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/addon-viewport/-/addon-viewport-7.6.18.tgz", + "integrity": "sha512-fgn38aXappEeDNg5u52fswhjkNN5Sru6Rf/2WhuuQXteIC2tX27J03Ud8h2aKydzHai7zz8jJ0IoGt7cA6W0Nw==", "dev": true, "dependencies": { "memoizerific": "^1.11.3" @@ -4946,22 +5080,22 @@ } }, "node_modules/@storybook/blocks": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/blocks/-/blocks-7.6.17.tgz", - "integrity": "sha512-PsNVoe0bX1mMn4Kk3nbKZ0ItDZZ0YJnYAFJ6toAbsyBAbgzg1sce88sQinzvbn58/RT9MPKeWMPB45ZS7ggiNg==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/blocks/-/blocks-7.6.18.tgz", + "integrity": "sha512-mCEyGew2nyiFwJ1iHfm4ItB/bDrVzYUODkKktmHDmJJgjKFIDQJPTgLsiQhXBtxqW0TImL4JpSU/aUAAbXpZeg==", "dev": true, "dependencies": { - "@storybook/channels": "7.6.17", - "@storybook/client-logger": "7.6.17", - "@storybook/components": "7.6.17", - "@storybook/core-events": "7.6.17", + "@storybook/channels": "7.6.18", + "@storybook/client-logger": "7.6.18", + "@storybook/components": "7.6.18", + "@storybook/core-events": "7.6.18", "@storybook/csf": "^0.1.2", - "@storybook/docs-tools": "7.6.17", + "@storybook/docs-tools": "7.6.18", "@storybook/global": "^5.0.0", - "@storybook/manager-api": "7.6.17", - "@storybook/preview-api": "7.6.17", - "@storybook/theming": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/manager-api": "7.6.18", + "@storybook/preview-api": "7.6.18", + "@storybook/theming": "7.6.18", + "@storybook/types": "7.6.18", "@types/lodash": "^4.14.167", "color-convert": "^2.0.1", "dequal": "^2.0.2", 
@@ -4985,15 +5119,15 @@ } }, "node_modules/@storybook/builder-manager": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/builder-manager/-/builder-manager-7.6.17.tgz", - "integrity": "sha512-Sj8hcDYiPCCMfeLzus37czl0zdrAxAz4IyYam2jBjVymrIrcDAFyL1OCZvnq33ft179QYQWhUs9qwzVmlR/ZWg==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/builder-manager/-/builder-manager-7.6.18.tgz", + "integrity": "sha512-kXnC/lDA3zUeXgwAoHKed+CXbDcKV8GJ6qrPCw1D1a3ug5Lw5DYPBJC/KP3CgNpVx6vukkeEIwKYg2M+LRmI6g==", "dev": true, "dependencies": { "@fal-works/esbuild-plugin-global-externals": "^2.1.2", - "@storybook/core-common": "7.6.17", - "@storybook/manager": "7.6.17", - "@storybook/node-logger": "7.6.17", + "@storybook/core-common": "7.6.18", + "@storybook/manager": "7.6.18", + "@storybook/node-logger": "7.6.18", "@types/ejs": "^3.1.1", "@types/find-cache-dir": "^3.2.1", "@yarnpkg/esbuild-plugin-pnp": "^3.0.0-rc.10", 
@@ -5013,19 +5147,19 @@ } }, "node_modules/@storybook/builder-vite": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-7.6.17.tgz", - "integrity": "sha512-2Q32qalI401EsKKr9Hkk8TAOcHEerqwsjCpQgTNJnCu6GgCVKoVUcb99oRbR9Vyg0xh+jb19XiWqqQujFtLYlQ==", - "dev": true, - "dependencies": { - "@storybook/channels": "7.6.17", - "@storybook/client-logger": "7.6.17", - "@storybook/core-common": "7.6.17", - "@storybook/csf-plugin": "7.6.17", - "@storybook/node-logger": "7.6.17", - "@storybook/preview": "7.6.17", - "@storybook/preview-api": "7.6.17", - "@storybook/types": "7.6.17", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-7.6.18.tgz", + "integrity": "sha512-f3chnC6ug9KJDz3Z+HNl8yhJ/SUT0ASdJjKViVJ90MKKyFpeCvzs2DSgMGv2UJrPfBMh6PhFM2dy26+LksioCQ==", + "dev": true, + "dependencies": { + "@storybook/channels": "7.6.18", + "@storybook/client-logger": "7.6.18", + "@storybook/core-common": "7.6.18", + "@storybook/csf-plugin": "7.6.18", + "@storybook/node-logger": "7.6.18", + "@storybook/preview": "7.6.18", + "@storybook/preview-api": "7.6.18", + "@storybook/types": "7.6.18", "@types/find-cache-dir": "^3.2.1", "browser-assert": "^1.2.1", "es-module-lexer": "^0.9.3", 
@@ -5058,13 +5192,13 @@ } }, "node_modules/@storybook/channels": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/channels/-/channels-7.6.17.tgz", - "integrity": "sha512-GFG40pzaSxk1hUr/J/TMqW5AFDDPUSu+HkeE/oqSWJbOodBOLJzHN6CReJS6y1DjYSZLNFt1jftPWZZInG/XUA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/channels/-/channels-7.6.18.tgz", + "integrity": "sha512-ayMJ6GJot81URJySXcwZG1mLacblUVdLgAMIhU7oSW1K1v4KvQPxv3FqjNN+48g/1s+2A9UraCDqN0qzO3wznQ==", "dev": true, "dependencies": { - "@storybook/client-logger": "7.6.17", - "@storybook/core-events": "7.6.17", + "@storybook/client-logger": "7.6.18", + "@storybook/core-events": "7.6.18", "@storybook/global": "^5.0.0", "qs": "^6.10.0", "telejson": "^7.2.0", 
@@ -5076,23 +5210,23 @@ } }, "node_modules/@storybook/cli": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/cli/-/cli-7.6.17.tgz", - "integrity": "sha512-1sCo+nCqyR+nKfTcEidVu8XzNoECC7Y1l+uW38/r7s2f/TdDorXaIGAVrpjbSaXSoQpx5DxYJVaKCcQuOgqwcA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/cli/-/cli-7.6.18.tgz", + "integrity": "sha512-2zlCyX4m1Jb3p+P/Z+7ioa7cXA+Sv+j0JevUWaaVZbBLrjj/G2k5bYzgrks0FhQZ6MLv5bkuZPGtJMgWQ8+c3Q==", "dev": true, "dependencies": { "@babel/core": "^7.23.2", "@babel/preset-env": "^7.23.2", "@babel/types": "^7.23.0", "@ndelangen/get-tarball": "^3.0.7", - "@storybook/codemod": "7.6.17", - "@storybook/core-common": "7.6.17", - "@storybook/core-events": "7.6.17", - "@storybook/core-server": "7.6.17", - "@storybook/csf-tools": "7.6.17", - "@storybook/node-logger": "7.6.17", - "@storybook/telemetry": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/codemod": "7.6.18", + "@storybook/core-common": "7.6.18", + "@storybook/core-events": "7.6.18", + "@storybook/core-server": "7.6.18", + "@storybook/csf-tools": "7.6.18", + "@storybook/node-logger": "7.6.18", + "@storybook/telemetry": "7.6.18", + "@storybook/types": "7.6.18", "@types/semver": "^7.3.4", "@yarnpkg/fslib": "2.10.3", "@yarnpkg/libzip": "2.3.0", @@ -5174,9 +5308,9 @@ "dev": true }, "node_modules/@storybook/client-logger": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/client-logger/-/client-logger-7.6.17.tgz", - "integrity": "sha512-6WBYqixAXNAXlSaBWwgljWpAu10tPRBJrcFvx2gPUne58EeMM20Gi/iHYBz2kMCY+JLAgeIH7ZxInqwO8vDwiQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/client-logger/-/client-logger-7.6.18.tgz", + "integrity": "sha512-/mSKa968G++M7RTW1XLM0jgNMUATxKv/vggLyQ9Oo2UpQhRaXX8dKRl7GVu2yFDRm9sDKs7rg+KSsstrEjQcSg==", "dev": true, "dependencies": { "@storybook/global": "^5.0.0" 
@@ -5187,18 +5321,18 @@ } }, "node_modules/@storybook/codemod": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/codemod/-/codemod-7.6.17.tgz", - "integrity": "sha512-JuTmf2u3C4fCnjO7o3dqRgrq3ozNYfWlrRP8xuIdvT7niMap7a396hJtSKqS10FxCgKFcMAOsRgrCalH1dWxUg==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/codemod/-/codemod-7.6.18.tgz", + "integrity": "sha512-XV9/oZYctRKQzllqjwcH17Fys91cmaL+/Vy9aJmpnv/+yNFUdvsyrjqEGfVpl5c00/Ge3ueP+y7YhLYSjTezUg==", "dev": true, "dependencies": { "@babel/core": "^7.23.2", "@babel/preset-env": "^7.23.2", "@babel/types": "^7.23.0", "@storybook/csf": "^0.1.2", - "@storybook/csf-tools": "7.6.17", - "@storybook/node-logger": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/csf-tools": "7.6.18", + "@storybook/node-logger": "7.6.18", + "@storybook/types": "7.6.18", "@types/cross-spawn": "^6.0.2", "cross-spawn": "^7.0.3", "globby": "^11.0.2", @@ -5213,18 +5347,18 @@ } }, "node_modules/@storybook/components": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/components/-/components-7.6.17.tgz", - "integrity": "sha512-lbh7GynMidA+CZcJnstVku6Nhs+YkqjYaZ+mKPugvlVhGVWv0DaaeQFVuZ8cJtUGJ/5FFU4Y+n+gylYUHkGBMA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/components/-/components-7.6.18.tgz", + "integrity": "sha512-t27jyQUTkLgpQc2b7AQ848MJkihOfTgXsDIIMW1sYixqYO1R2anWE2qF5+1ZXZ58xyQEbUWnWUNYrGj3jGwAOw==", "dev": true, "dependencies": { "@radix-ui/react-select": "^1.2.2", "@radix-ui/react-toolbar": "^1.0.4", - "@storybook/client-logger": "7.6.17", + "@storybook/client-logger": "7.6.18", "@storybook/csf": "^0.1.2", "@storybook/global": "^5.0.0", - "@storybook/theming": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/theming": "7.6.18", + "@storybook/types": "7.6.18", "memoizerific": "^1.11.3", "use-resize-observer": "^9.1.0", "util-deprecate": "^1.0.2" 
@@ -5239,13 +5373,13 @@ } }, "node_modules/@storybook/core-client": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/core-client/-/core-client-7.6.17.tgz", - "integrity": "sha512-LuDbADK+DPNAOOCXOlvY09hdGVueXlDetsdOJ/DgYnSa9QSWv9Uv+F8QcEgR3QckZJbPlztKJIVLgP2n/Xkijw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/core-client/-/core-client-7.6.18.tgz", + "integrity": "sha512-gKelPHlE4Xr8mkC0q1CotxB1hoR54P94LeJ6NrmNp2W8vZLiV8d/3CShJwTyEEkhhOB8diEGyya2LawboMYPpg==", "dev": true, "dependencies": { - "@storybook/client-logger": "7.6.17", - "@storybook/preview-api": "7.6.17" + "@storybook/client-logger": "7.6.18", + "@storybook/preview-api": "7.6.18" }, "funding": { "type": "opencollective", @@ -5253,14 +5387,14 @@ } }, "node_modules/@storybook/core-common": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/core-common/-/core-common-7.6.17.tgz", - "integrity": "sha512-me2TP3Q9/qzqCLoDHUSsUF+VS1MHxfHbTVF6vAz0D/COTxzsxLpu9TxTbzJoBCxse6XRb6wWI1RgF1mIcjic7g==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/core-common/-/core-common-7.6.18.tgz", + "integrity": "sha512-ZZbvjpDKs3KPyoUWLTaMn8/0N2S8tXZpMfdrZrHHOzy9O3mmbk2Silr1OytWS6CBICFgDb71p7EWZ026KOVNkA==", "dev": true, "dependencies": { - "@storybook/core-events": "7.6.17", - "@storybook/node-logger": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/core-events": "7.6.18", + "@storybook/node-logger": "7.6.18", + "@storybook/types": "7.6.18", "@types/find-cache-dir": "^3.2.1", "@types/node": "^18.0.0", "@types/node-fetch": "^2.6.4", 
@@ -5288,18 +5422,18 @@ } }, "node_modules/@storybook/core-common/node_modules/@types/node": { - "version": "18.19.29", - "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.29.tgz", - "integrity": "sha512-5pAX7ggTmWZdhUrhRWLPf+5oM7F80bcKVCBbr0zwEkTNzTJL2CWQjznpFgHYy6GrzkYi2Yjy7DHKoynFxqPV8g==", + "version": "18.19.31", + "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.31.tgz", + "integrity": "sha512-ArgCD39YpyyrtFKIqMDvjz79jto5fcI/SVUs2HwB+f0dAzq68yqOdyaSivLiLugSziTpNXLQrVb7RZFmdZzbhA==", "dev": true, "dependencies": { "undici-types": "~5.26.4" } }, "node_modules/@storybook/core-events": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/core-events/-/core-events-7.6.17.tgz", - "integrity": "sha512-AriWMCm/k1cxlv10f+jZ1wavThTRpLaN3kY019kHWbYT9XgaSuLU67G7GPr3cGnJ6HuA6uhbzu8qtqVCd6OfXA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/core-events/-/core-events-7.6.18.tgz", + "integrity": "sha512-K4jrHedFRfokvkIfKfNtQTcguPzeWF3oiuyXQR4gv4bnMCndCoiSRKfCE5zesgGmfml/Krt2zb4nNz/UPLbDeA==", "dev": true, "dependencies": { "ts-dedent": "^2.0.0" 
@@ -5310,26 +5444,26 @@ } }, "node_modules/@storybook/core-server": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/core-server/-/core-server-7.6.17.tgz", - "integrity": "sha512-KWGhTTaL1Q14FolcoKKZgytlPJUbH6sbJ1Ptj/84EYWFewcnEgVs0Zlnh1VStRZg+Rd1WC1V4yVd/bbDzxrvQA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/core-server/-/core-server-7.6.18.tgz", + "integrity": "sha512-LXsbVqsHHcF/9mCcCDebRUO+ZuvK10Xtrgt8KJfAuWGU2nj8D2sJLw7suuDEB7UBTNMsJMOAmyrVU9FQbfWLCQ==", "dev": true, "dependencies": { "@aw-web-design/x-default-browser": "1.4.126", "@discoveryjs/json-ext": "^0.5.3", - "@storybook/builder-manager": "7.6.17", - "@storybook/channels": "7.6.17", - "@storybook/core-common": "7.6.17", - "@storybook/core-events": "7.6.17", + "@storybook/builder-manager": "7.6.18", + "@storybook/channels": "7.6.18", + "@storybook/core-common": "7.6.18", + "@storybook/core-events": "7.6.18", "@storybook/csf": "^0.1.2", - "@storybook/csf-tools": "7.6.17", + "@storybook/csf-tools": "7.6.18", "@storybook/docs-mdx": "^0.1.0", "@storybook/global": "^5.0.0", - "@storybook/manager": "7.6.17", - "@storybook/node-logger": "7.6.17", - "@storybook/preview-api": "7.6.17", - "@storybook/telemetry": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/manager": "7.6.18", + "@storybook/node-logger": "7.6.18", + "@storybook/preview-api": "7.6.18", + "@storybook/telemetry": "7.6.18", + "@storybook/types": "7.6.18", "@types/detect-port": "^1.3.0", "@types/node": "^18.0.0", "@types/pretty-hrtime": "^1.0.0", 
@@ -5363,9 +5497,9 @@ } }, "node_modules/@storybook/core-server/node_modules/@types/node": { - "version": "18.19.29", - "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.29.tgz", - "integrity": "sha512-5pAX7ggTmWZdhUrhRWLPf+5oM7F80bcKVCBbr0zwEkTNzTJL2CWQjznpFgHYy6GrzkYi2Yjy7DHKoynFxqPV8g==", + "version": "18.19.31", + "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.31.tgz", + "integrity": "sha512-ArgCD39YpyyrtFKIqMDvjz79jto5fcI/SVUs2HwB+f0dAzq68yqOdyaSivLiLugSziTpNXLQrVb7RZFmdZzbhA==", "dev": true, "dependencies": { "undici-types": "~5.26.4" @@ -5405,21 +5539,21 @@ "dev": true }, "node_modules/@storybook/csf": { - "version": "0.1.3", - "resolved": "https://registry.npmjs.org/@storybook/csf/-/csf-0.1.3.tgz", - "integrity": "sha512-IPZvXXo4b3G+gpmgBSBqVM81jbp2ePOKsvhgJdhyZJtkYQCII7rg9KKLQhvBQM5sLaF1eU6r0iuwmyynC9d9SA==", + "version": "0.1.5", + "resolved": "https://registry.npmjs.org/@storybook/csf/-/csf-0.1.5.tgz", + "integrity": "sha512-pW7Dtk/bE2JGrAe/KuBY4Io02NBe/2CLP2DkgVgWlSwvEVdm/rbQyiwy8RaL0lQlJCv9CsGBY+n9HQG8d4bZjQ==", "dev": true, "dependencies": { "type-fest": "^2.19.0" } }, "node_modules/@storybook/csf-plugin": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-7.6.17.tgz", - "integrity": "sha512-xTHv9BUh3bkDVCvcbmdfVF0/e96BdrEgqPJ3G3RmKbSzWLOkQ2U9yiPfHzT0KJWPhVwj12fjfZp0zunu+pcS6Q==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-7.6.18.tgz", + "integrity": "sha512-dV/f0oIuv/OsmAh3FVqBkZAvQ5YRQXglZlHynaqt8cUVXi+Nsc/b7kFTBGj2GyIi9TCdiqfV5Yns+Bq2bIVHrA==", "dev": true, "dependencies": { - "@storybook/csf-tools": "7.6.17", + "@storybook/csf-tools": "7.6.18", "unplugin": "^1.3.1" }, "funding": { 
@@ -5428,9 +5562,9 @@ } }, "node_modules/@storybook/csf-tools": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/csf-tools/-/csf-tools-7.6.17.tgz", - "integrity": "sha512-dAQtam0EBPeTJYcQPLxXgz4L9JFqD+HWbLFG9CmNIhMMjticrB0mpk1EFIS6vPXk/VsVWpBgMLD7dZlD6YMKcQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/csf-tools/-/csf-tools-7.6.18.tgz", + "integrity": "sha512-ngRNHEtLJv6vMlqCeJaG8dh1CwtCaGCHi7xuS+b71Y97xXLJlA6RR9rhsMG6bDwMJR+xiIqKUc6HH3ZBSVVhiA==", "dev": true, "dependencies": { "@babel/generator": "^7.23.0", @@ -5438,7 +5572,7 @@ "@babel/traverse": "^7.23.2", "@babel/types": "^7.23.0", "@storybook/csf": "^0.1.2", - "@storybook/types": "7.6.17", + "@storybook/types": "7.6.18", "fs-extra": "^11.1.0", "recast": "^0.23.1", "ts-dedent": "^2.0.0" @@ -5455,14 +5589,14 @@ "dev": true }, "node_modules/@storybook/docs-tools": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/docs-tools/-/docs-tools-7.6.17.tgz", - "integrity": "sha512-bYrLoj06adqklyLkEwD32C0Ww6t+9ZVvrJHiVT42bIhTRpFiFPAetl1a9KPHtFLnfduh4n2IxIr1jv32ThPDTA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/docs-tools/-/docs-tools-7.6.18.tgz", + "integrity": "sha512-gE4He4YoOAFnFwarSsOJVLC1YVN6iilQXMZsKD2SNI0M30nOeqK5NjFwXtAklq6QQvBZVZV7VRG5sY7i4aGBcQ==", "dev": true, "dependencies": { - "@storybook/core-common": "7.6.17", - "@storybook/preview-api": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/core-common": "7.6.18", + "@storybook/preview-api": "7.6.18", + "@storybook/types": "7.6.18", "@types/doctrine": "^0.0.3", "assert": "^2.1.0", "doctrine": "^3.0.0", 
@@ -5480,16 +5614,16 @@ "dev": true }, "node_modules/@storybook/instrumenter": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/instrumenter/-/instrumenter-7.6.17.tgz", - "integrity": "sha512-zTLIPTt1fvlWgkIVUyQpF327iVE+EiPdpM0Or0aARaNfIikPRBTcjU+6cK96E+Ust2E1qKajEjIuv4i4lLQPng==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/instrumenter/-/instrumenter-7.6.18.tgz", + "integrity": "sha512-OpGKjsUtgKJCl0AaOCL2I9bRJbQ1psrXd+HgAaIB1VovBHeCxmhktjGxu6GfychVNCFWdoK/plgOUxblAT3CPA==", "dev": true, "dependencies": { - "@storybook/channels": "7.6.17", - "@storybook/client-logger": "7.6.17", - "@storybook/core-events": "7.6.17", + "@storybook/channels": "7.6.18", + "@storybook/client-logger": "7.6.18", + "@storybook/core-events": "7.6.18", "@storybook/global": "^5.0.0", - "@storybook/preview-api": "7.6.17", + "@storybook/preview-api": "7.6.18", "@vitest/utils": "^0.34.6", "util": "^0.12.4" }, @@ -5499,9 +5633,9 @@ } }, "node_modules/@storybook/manager": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/manager/-/manager-7.6.17.tgz", - "integrity": "sha512-A1LDDIqMpwRzq/dqkbbiza0QI04o4ZHCl2a3UMDZUV/+QLc2nsr2DAaLk4CVL4/cIc5zGqmIcaOTvprx2YKVBw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/manager/-/manager-7.6.18.tgz", + "integrity": "sha512-ZFatbkbK5qv2a4jJEm6WqKZZqkYm++t0uAZozBA6TNq/bWMaD9ihummPTGND8R0M7SW0rfUVFDAE8bv14gLcdg==", "dev": true, "funding": { "type": "opencollective", 
@@ -5509,19 +5643,19 @@ } }, "node_modules/@storybook/manager-api": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/manager-api/-/manager-api-7.6.17.tgz", - "integrity": "sha512-IJIV1Yc6yw1dhCY4tReHCfBnUKDqEBnMyHp3mbXpsaHxnxJZrXO45WjRAZIKlQKhl/Ge1CrnznmHRCmYgqmrWg==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/manager-api/-/manager-api-7.6.18.tgz", + "integrity": "sha512-4c2japUMjnHiel38wQoNWh5RVac6ATMcWxvzPhOKx3I19gbSoUF1CcDg+1piRMWuSyzUBIBlIrBB3s4/02gnnA==", "dev": true, "dependencies": { - "@storybook/channels": "7.6.17", - "@storybook/client-logger": "7.6.17", - "@storybook/core-events": "7.6.17", + "@storybook/channels": "7.6.18", + "@storybook/client-logger": "7.6.18", + "@storybook/core-events": "7.6.18", "@storybook/csf": "^0.1.2", "@storybook/global": "^5.0.0", - "@storybook/router": "7.6.17", - "@storybook/theming": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/router": "7.6.18", + "@storybook/theming": "7.6.18", + "@storybook/types": "7.6.18", "dequal": "^2.0.2", "lodash": "^4.17.21", "memoizerific": "^1.11.3", @@ -5541,9 +5675,9 @@ "dev": true }, "node_modules/@storybook/node-logger": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/node-logger/-/node-logger-7.6.17.tgz", - "integrity": "sha512-w59MQuXhhUNrUVmVkXhMwIg2nvFWjdDczLTwYLorhfsE36CWeUOY5QCZWQy0Qf/h+jz8Uo7Evy64qn18v9C4wA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/node-logger/-/node-logger-7.6.18.tgz", + "integrity": "sha512-e75XQ6TekxjpzdlW6rZAFtv/9aD/nQb4z9kaBr3GhuVMGVJNihs9ek6eVEFZLxpks4FDVSPTSg0QtFpSgOpbrg==", "dev": true, "funding": { "type": "opencollective", 
@@ -5551,9 +5685,9 @@ } }, "node_modules/@storybook/postinstall": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/postinstall/-/postinstall-7.6.17.tgz", - "integrity": "sha512-WaWqB8o9vUc9aaVls+povQSVirf1Xd1LZcVhUKfAocAF3mzYUsnJsVqvnbjRj/F96UFVihOyDt9Zjl/9OvrCvQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/postinstall/-/postinstall-7.6.18.tgz", + "integrity": "sha512-TTTvuR6LyaRfzrtJvSr+L4Bys8gp3wOKACOErZBXjt3UCQR4rwhwGP7k2GsysiHHLbxGu25ZU2fnnT2OYYeTNA==", "dev": true, "funding": { "type": "opencollective", @@ -5561,9 +5695,9 @@ } }, "node_modules/@storybook/preview": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/preview/-/preview-7.6.17.tgz", - "integrity": "sha512-LvkMYK/y6alGjwRVNDIKL1lFlbyZ0H0c8iAbcQkiMoaFiujMQyVswMDKlWcj42Upfr/B1igydiruomc+eUt0mw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/preview/-/preview-7.6.18.tgz", + "integrity": "sha512-iltkZxz991GmzXMNkM9b7ddM45IsfZoQ+pMGXOv902Xawx9otvNkMVxBMhpXG+tf7G3FrSM1DFT6V9SycC6pqg==", "dev": true, "funding": { "type": "opencollective", 
@@ -5571,17 +5705,17 @@ } }, "node_modules/@storybook/preview-api": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/preview-api/-/preview-api-7.6.17.tgz", - "integrity": "sha512-wLfDdI9RWo1f2zzFe54yRhg+2YWyxLZvqdZnSQ45mTs4/7xXV5Wfbv3QNTtcdw8tT3U5KRTrN1mTfTCiRJc0Kw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/preview-api/-/preview-api-7.6.18.tgz", + "integrity": "sha512-X3r3MnoLJWUhHTVFggJcfHzDLCKSOdHNOpXXRNkdG2WXFcCZAlTdm0KqThCvQmdqS4OAOJMfn4pHqtxPG8yfyg==", "dev": true, "dependencies": { - "@storybook/channels": "7.6.17", - "@storybook/client-logger": "7.6.17", - "@storybook/core-events": "7.6.17", + "@storybook/channels": "7.6.18", + "@storybook/client-logger": "7.6.18", + "@storybook/core-events": "7.6.18", "@storybook/csf": "^0.1.2", "@storybook/global": "^5.0.0", - "@storybook/types": "7.6.17", + "@storybook/types": "7.6.18", "@types/qs": "^6.9.5", "dequal": "^2.0.2", "lodash": "^4.17.21", @@ -5597,9 +5731,9 @@ } }, "node_modules/@storybook/react-dom-shim": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/react-dom-shim/-/react-dom-shim-7.6.17.tgz", - "integrity": "sha512-32Sa/G+WnvaPiQ1Wvjjw5UM9rr2c4GDohwCcWVv3/LJuiFPqNS6zglAtmnsrlIBnUwRBMLMh/ekCTdqMiUmfDw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/react-dom-shim/-/react-dom-shim-7.6.18.tgz", + "integrity": "sha512-s4eIq5KVnS7E4pIXdq31YzqRZX0FZEYKoUeZziBBajRvmPAJ/zWSBbrGeOIR71xDHT7UkUoeb5EuyfykS9yuoA==", "dev": true, "funding": { "type": "opencollective", 
@@ -5611,12 +5745,12 @@ } }, "node_modules/@storybook/router": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/router/-/router-7.6.17.tgz", - "integrity": "sha512-GnyC0j6Wi5hT4qRhSyT8NPtJfGmf82uZw97LQRWeyYu5gWEshUdM7aj40XlNiScd5cZDp0owO1idduVF2k2l2A==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/router/-/router-7.6.18.tgz", + "integrity": "sha512-Kw6nAPWRAFE9DM//pnyjL7Xnxt+yQIONdERDnPrdEmHG5mErXGtO18aFMsb/7GiAD50J/i5ObTp7FJsWffAnbg==", "dev": true, "dependencies": { - "@storybook/client-logger": "7.6.17", + "@storybook/client-logger": "7.6.18", "memoizerific": "^1.11.3", "qs": "^6.10.0" }, @@ -5626,18 +5760,18 @@ } }, "node_modules/@storybook/svelte": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/svelte/-/svelte-7.6.17.tgz", - "integrity": "sha512-Qzy6jP66Q8OP7GLSCS7CCKFCf5kQIGxDzUSjgixunf25tw4+SevdpgJ1YFXO7YDdCdgh9IRBRq4DsxuG2Z/jHQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/svelte/-/svelte-7.6.18.tgz", + "integrity": "sha512-MxUKa0/KZhqgUQQvv+wyzPm4AK8FKVnYgaOsqbaLRfY1vEcK4kABTAYRxTvaL1lo+KhClYdMgV6feQj5Kkc0cA==", "dev": true, "dependencies": { - "@storybook/client-logger": "7.6.17", - "@storybook/core-client": "7.6.17", - "@storybook/core-events": "7.6.17", - "@storybook/docs-tools": "7.6.17", + "@storybook/client-logger": "7.6.18", + "@storybook/core-client": "7.6.18", + "@storybook/core-events": "7.6.18", + "@storybook/docs-tools": "7.6.18", "@storybook/global": "^5.0.0", - "@storybook/preview-api": "7.6.17", - "@storybook/types": "7.6.17", + "@storybook/preview-api": "7.6.18", + "@storybook/types": "7.6.18", "sveltedoc-parser": "^4.2.1", "ts-dedent": "^2.0.0", "type-fest": "~2.19" 
@@ -5654,14 +5788,14 @@ } }, "node_modules/@storybook/svelte-vite": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/svelte-vite/-/svelte-vite-7.6.17.tgz", - "integrity": "sha512-0B/8f61B6X/yQRJ/2gT4kRuPHLTIwpZjrV7ETo6r35C9Lt2nIEW2N8UiI4X4kgTirPkYMyeGLIsUFOSIpfdwXQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/svelte-vite/-/svelte-vite-7.6.18.tgz", + "integrity": "sha512-/ezoeZ+hYTaZKNryJVJrrojHatZpId5umScpsjUnzJUXExvvHad+4zzIEXZZv8N/F0X+fBbaXJa8vI5aeopFyg==", "dev": true, "dependencies": { - "@storybook/builder-vite": "7.6.17", - "@storybook/node-logger": "7.6.17", - "@storybook/svelte": "7.6.17", + "@storybook/builder-vite": "7.6.18", + "@storybook/node-logger": "7.6.18", + "@storybook/svelte": "7.6.18", "@sveltejs/vite-plugin-svelte": "^2.4.2", "magic-string": "^0.30.0", "svelte-preprocess": "^5.0.4", 
@@ -5719,16 +5853,28 @@ "vite": "^4.0.0" } }, + "node_modules/@storybook/svelte-vite/node_modules/svelte-hmr": { + "version": "0.15.3", + "resolved": "https://registry.npmjs.org/svelte-hmr/-/svelte-hmr-0.15.3.tgz", + "integrity": "sha512-41snaPswvSf8TJUhlkoJBekRrABDXDMdpNpT2tfHIv4JuhgvHqLMhEPGtaQn0BmbNSTkuz2Ed20DF2eHw0SmBQ==", + "dev": true, + "engines": { + "node": "^12.20 || ^14.13.1 || >= 16" + }, + "peerDependencies": { + "svelte": "^3.19.0 || ^4.0.0" + } + }, "node_modules/@storybook/sveltekit": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/sveltekit/-/sveltekit-7.6.17.tgz", - "integrity": "sha512-xEPlTeRU2ULwk/R/DIl7wODLbJ/Myg4YTGH89dEGsO89Q8g5aMDXmIxKBInRk97chtXFhtaHAFMzAotq8IvAeQ==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/sveltekit/-/sveltekit-7.6.18.tgz", + "integrity": "sha512-SzreIlV13GCpn8WiUbfXUlK4t9dbn/VuMlbb6aeYoxo/M9zDw9LDyBkYLk2G4aDX6QyWmA/P5AaPychFp6n2kA==", "dev": true, "dependencies": { - "@storybook/addon-actions": "7.6.17", - "@storybook/builder-vite": "7.6.17", - "@storybook/svelte": "7.6.17", - "@storybook/svelte-vite": "7.6.17" + "@storybook/addon-actions": "7.6.18", + "@storybook/builder-vite": "7.6.18", + "@storybook/svelte": "7.6.18", + "@storybook/svelte-vite": "7.6.18" }, "engines": { "node": "^14.18 || >=16" 
@@ -5743,14 +5889,14 @@ } }, "node_modules/@storybook/telemetry": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/telemetry/-/telemetry-7.6.17.tgz", - "integrity": "sha512-WOcOAmmengYnGInH98Px44F47DSpLyk20BM+Z/IIQDzfttGOLlxNqBBG1XTEhNRn+AYuk4aZ2JEed2lCjVIxcA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/telemetry/-/telemetry-7.6.18.tgz", + "integrity": "sha512-fVgQtWYpAA1Htiu05GwipBNM5odCi05FpaoaxnCO/CsqrTfKYBJTorVo8mh8wc03gfQJs1/nXN2v0WEo0ahUoA==", "dev": true, "dependencies": { - "@storybook/client-logger": "7.6.17", - "@storybook/core-common": "7.6.17", - "@storybook/csf-tools": "7.6.17", + "@storybook/client-logger": "7.6.18", + "@storybook/core-common": "7.6.18", + "@storybook/csf-tools": "7.6.18", "chalk": "^4.1.0", "detect-package-manager": "^2.0.1", "fetch-retry": "^5.0.2", @@ -5763,15 +5909,15 @@ } }, "node_modules/@storybook/test": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/test/-/test-7.6.17.tgz", - "integrity": "sha512-WGrmUUtKiuq3bzDsN4MUvluGcX120jwczMik1GDTyxS+JBoe7P0t2Y8dDuVs/l3nZd1J7qY4z0RGxMDYqONIOw==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/test/-/test-7.6.18.tgz", + "integrity": "sha512-NJGHewnP10c9tSXrZylUURAwhk18ZFr3HkA4z6V/Gsn0lgEKYEx5DJjN8GeyZblW0JyZ2LQNSmh5gq8yeNY8Lg==", "dev": true, "dependencies": { - "@storybook/client-logger": "7.6.17", - "@storybook/core-events": "7.6.17", - "@storybook/instrumenter": "7.6.17", - "@storybook/preview-api": "7.6.17", + "@storybook/client-logger": "7.6.18", + "@storybook/core-events": "7.6.18", + "@storybook/instrumenter": "7.6.18", + "@storybook/preview-api": "7.6.18", "@testing-library/dom": "^9.3.1", "@testing-library/jest-dom": "^6.1.3", "@testing-library/user-event": "14.3.0", 
@@ -5787,13 +5933,13 @@ } }, "node_modules/@storybook/theming": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/theming/-/theming-7.6.17.tgz", - "integrity": "sha512-ZbaBt3KAbmBtfjNqgMY7wPMBshhSJlhodyMNQypv+95xLD/R+Az6aBYbpVAOygLaUQaQk4ar7H/Ww6lFIoiFbA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/theming/-/theming-7.6.18.tgz", + "integrity": "sha512-5nwqV/rAVzS8wZ6DbsX5/ugDLV189hn2m3K9JlJmhVW9b2mSDYW5i1cTjpoChh1t9gMZl82VPnEhgPRMx5bXgw==", "dev": true, "dependencies": { "@emotion/use-insertion-effect-with-fallbacks": "^1.0.0", - "@storybook/client-logger": "7.6.17", + "@storybook/client-logger": "7.6.18", "@storybook/global": "^5.0.0", "memoizerific": "^1.11.3" }, @@ -5807,12 +5953,12 @@ } }, "node_modules/@storybook/types": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/@storybook/types/-/types-7.6.17.tgz", - "integrity": "sha512-GRY0xEJQ0PrL7DY2qCNUdIfUOE0Gsue6N+GBJw9ku1IUDFLJRDOF+4Dx2BvYcVCPI5XPqdWKlEyZdMdKjiQN7Q==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/@storybook/types/-/types-7.6.18.tgz", + "integrity": "sha512-W7/8kUtMhEopZhwXFMOKlXwQCrz0PBJ5wQwmJNZ4i0YPTVfFzb+/6pgpkzUNtbXiTp6dfxi3ERoAF9wz9Zyt7w==", "dev": true, "dependencies": { - "@storybook/channels": "7.6.17", + "@storybook/channels": "7.6.18", "@types/babel__core": "^7.0.0", "@types/express": "^4.7.0", "file-system-cache": "2.3.0" @@ -5850,9 +5996,9 @@ } }, "node_modules/@sveltejs/adapter-node/node_modules/rollup": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.14.0.tgz", - "integrity": "sha512-Qe7w62TyawbDzB4yt32R0+AbIo6m1/sqO7UPzFS8Z/ksL5mrfhA0v4CavfdmFav3D+ub4QeAgsGEe84DoWe/nQ==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.17.0.tgz", + "integrity": "sha512-wZJSn0WMtWrxhYKQRt5Z6GIXlziOoMDFmbHmRfL3v+sBTAshx2DBq1AfMArB7eIjF63r4ocn2ZTAyUptg/7kmQ==", "dev": true, "dependencies": { "@types/estree": "1.0.5" 
@@ -5865,34 +6011,35 @@ "npm": ">=8.0.0" }, "optionalDependencies": { - "@rollup/rollup-android-arm-eabi": "4.14.0", - "@rollup/rollup-android-arm64": "4.14.0", - "@rollup/rollup-darwin-arm64": "4.14.0", - "@rollup/rollup-darwin-x64": "4.14.0", - "@rollup/rollup-linux-arm-gnueabihf": "4.14.0", - "@rollup/rollup-linux-arm64-gnu": "4.14.0", - "@rollup/rollup-linux-arm64-musl": "4.14.0", - "@rollup/rollup-linux-powerpc64le-gnu": "4.14.0", - "@rollup/rollup-linux-riscv64-gnu": "4.14.0", - "@rollup/rollup-linux-s390x-gnu": "4.14.0", - "@rollup/rollup-linux-x64-gnu": "4.14.0", - "@rollup/rollup-linux-x64-musl": "4.14.0", - "@rollup/rollup-win32-arm64-msvc": "4.14.0", - "@rollup/rollup-win32-ia32-msvc": "4.14.0", - "@rollup/rollup-win32-x64-msvc": "4.14.0", + "@rollup/rollup-android-arm-eabi": "4.17.0", + "@rollup/rollup-android-arm64": "4.17.0", + "@rollup/rollup-darwin-arm64": "4.17.0", + "@rollup/rollup-darwin-x64": "4.17.0", + "@rollup/rollup-linux-arm-gnueabihf": "4.17.0", + "@rollup/rollup-linux-arm-musleabihf": "4.17.0", + "@rollup/rollup-linux-arm64-gnu": "4.17.0", + "@rollup/rollup-linux-arm64-musl": "4.17.0", + "@rollup/rollup-linux-powerpc64le-gnu": "4.17.0", + "@rollup/rollup-linux-riscv64-gnu": "4.17.0", + "@rollup/rollup-linux-s390x-gnu": "4.17.0", + "@rollup/rollup-linux-x64-gnu": "4.17.0", + "@rollup/rollup-linux-x64-musl": "4.17.0", + "@rollup/rollup-win32-arm64-msvc": "4.17.0", + "@rollup/rollup-win32-ia32-msvc": "4.17.0", + "@rollup/rollup-win32-x64-msvc": "4.17.0", "fsevents": "~2.3.2" } }, "node_modules/@sveltejs/kit": { - "version": "2.5.5", - "resolved": "https://registry.npmjs.org/@sveltejs/kit/-/kit-2.5.5.tgz", - "integrity": "sha512-ULe3PB00q4+wYRL+IS5FDPsCEVnhEITofm7b9Yz8malcH3r1SAnW/JJ6T13hIMeu8QNRIuVQWo+P4+2VklbnLQ==", + "version": "2.5.7", + "resolved": "https://registry.npmjs.org/@sveltejs/kit/-/kit-2.5.7.tgz", + "integrity": "sha512-6uedTzrb7nQrw6HALxnPrPaXdIN2jJJTzTIl96Z3P5NiG+OAfpdPbrWrvkJ3GN4CfWqrmU4dJqwMMRMTD/C7ow==", "dev": true, 
"hasInstallScript": true, "dependencies": { "@types/cookie": "^0.6.0", "cookie": "^0.6.0", - "devalue": "^4.3.2", + "devalue": "^5.0.0", "esm-env": "^1.0.0", "import-meta-resolve": "^4.0.0", "kleur": "^4.1.5", @@ -5916,17 +6063,17 @@ } }, "node_modules/@sveltejs/vite-plugin-svelte": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte/-/vite-plugin-svelte-3.0.2.tgz", - "integrity": "sha512-MpmF/cju2HqUls50WyTHQBZUV3ovV/Uk8k66AN2gwHogNAG8wnW8xtZDhzNBsFJJuvmq1qnzA5kE7YfMJNFv2Q==", + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte/-/vite-plugin-svelte-3.1.0.tgz", + "integrity": "sha512-sY6ncCvg+O3njnzbZexcVtUqOBE3iYmQPJ9y+yXSkOwG576QI/xJrBnQSRXFLGwJNBa0T78JEKg5cIR0WOAuUw==", "dev": true, "dependencies": { "@sveltejs/vite-plugin-svelte-inspector": "^2.0.0", "debug": "^4.3.4", "deepmerge": "^4.3.1", "kleur": "^4.1.5", - "magic-string": "^0.30.5", - "svelte-hmr": "^0.15.3", + "magic-string": "^0.30.9", + "svelte-hmr": "^0.16.0", "vitefu": "^0.2.5" }, "engines": { @@ -5938,9 +6085,9 @@ } }, "node_modules/@sveltejs/vite-plugin-svelte-inspector": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte-inspector/-/vite-plugin-svelte-inspector-2.0.0.tgz", - "integrity": "sha512-gjr9ZFg1BSlIpfZ4PRewigrvYmHWbDrq2uvvPB1AmTWKuM+dI1JXQSUu2pIrYLb/QncyiIGkFDFKTwJ0XqQZZg==", + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte-inspector/-/vite-plugin-svelte-inspector-2.1.0.tgz", + "integrity": "sha512-9QX28IymvBlSCqsCll5t0kQVxipsfhFFL+L2t3nTWfXnddYwxBuAEtTtlaVQpRz9c37BhJjltSeY4AJSC03SSg==", "dev": true, "dependencies": { "debug": "^4.3.4" 
@@ -5967,9 +6114,9 @@ } }, "node_modules/@tailwindcss/typography": { - "version": "0.5.12", - "resolved": "https://registry.npmjs.org/@tailwindcss/typography/-/typography-0.5.12.tgz", - "integrity": "sha512-CNwpBpconcP7ppxmuq3qvaCxiRWnbhANpY/ruH4L5qs2GCiVDJXde/pjj2HWPV1+Q4G9+V/etrwUYopdcjAlyg==", + "version": "0.5.13", + "resolved": "https://registry.npmjs.org/@tailwindcss/typography/-/typography-0.5.13.tgz", + "integrity": "sha512-ADGcJ8dX21dVVHIwTRgzrcunY6YY9uSlAHHGVKvkA+vLc5qLwEszvKts40lx7z0qc4clpjclwLeK5rVCV2P/uw==", "dev": true, "dependencies": { "lodash.castarray": "^4.4.0", @@ -6065,9 +6212,9 @@ "dev": true }, "node_modules/@testing-library/svelte": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/@testing-library/svelte/-/svelte-4.1.0.tgz", - "integrity": "sha512-MJqe7x9WowkiAVdk9mvazEC2ktFZdmK2OqFVoO557PC37aBemQ4ozqdK3yrG34Zg9kuln3qgTVeLSh08e69AMw==", + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/@testing-library/svelte/-/svelte-4.2.3.tgz", + "integrity": "sha512-8vM2+JSPc6wZWkO9ICPmHvzacjy8jBw+iVjmNs+0VsPV3AO3v4P8qCLWTaQ9nYW/e+IR1BCy3MM3Uqg21dlBkw==", "dev": true, "dependencies": { "@testing-library/dom": "^9.3.1" @@ -6076,7 +6223,7 @@ "node": ">= 10" }, "peerDependencies": { - "svelte": "^3 || ^4" + "svelte": "^3 || ^4 || ^5" } }, "node_modules/@testing-library/user-event": { @@ -6108,9 +6255,9 @@ "dev": true }, "node_modules/@types/aws-lambda": { - "version": "8.10.136", - "resolved": "https://registry.npmjs.org/@types/aws-lambda/-/aws-lambda-8.10.136.tgz", - "integrity": "sha512-cmmgqxdVGhxYK9lZMYYXYRJk6twBo53ivtXjIUEFZxfxe4TkZTZBK3RRWrY2HjJcUIix0mdifn15yjOAat5lTA==" + "version": "8.10.137", + "resolved": "https://registry.npmjs.org/@types/aws-lambda/-/aws-lambda-8.10.137.tgz", + "integrity": "sha512-YNFwzVarXAOXkjuFxONyDw1vgRNzyH8AuyN19s0bM+ChSu/bzxb5XPxYFLXoqoM+tvgzwR3k7fXcEOW125yJxg==" }, "node_modules/@types/babel__core": { "version": "7.20.5", 
@@ -6240,9 +6387,9 @@ } }, "node_modules/@types/express-serve-static-core": { - "version": "4.17.43", - "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.17.43.tgz", - "integrity": "sha512-oaYtiBirUOPQGSWNGPWnzyAFJ0BP3cwvN4oWZQY+zUBwpVIGsKUkpBpSztp74drYcjavs7SKFZ4DX1V2QeN8rg==", + "version": "4.19.0", + "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.19.0.tgz", + "integrity": "sha512-bGyep3JqPCRry1wq+O5n7oiBgGWmeIJXPjXXCo8EK0u8duZGSYar7cGqd3ML2JUsLGeB7fmc06KYo9fLGWqPvQ==", "dev": true, "dependencies": { "@types/node": "*", @@ -6317,9 +6464,9 @@ "dev": true }, "node_modules/@types/mdx": { - "version": "2.0.12", - "resolved": "https://registry.npmjs.org/@types/mdx/-/mdx-2.0.12.tgz", - "integrity": "sha512-H9VZ9YqE+H28FQVchC83RCs5xQ2J7mAAv6qdDEaWmXEVl3OpdH+xfrSUzQ1lp7U7oSTRZ0RvW08ASPJsYBi7Cw==", + "version": "2.0.13", + "resolved": "https://registry.npmjs.org/@types/mdx/-/mdx-2.0.13.tgz", + "integrity": "sha512-+OWZQfAYyio6YkJb3HLxDrvnx6SWWDbC0zVPfBRzUk0/nqoDyf6dNxQi3eArPe8rJ473nobTMQ/8Zk+LxJ+Yuw==", "dev": true }, "node_modules/@types/mime": { @@ -6335,9 +6482,9 @@ "dev": true }, "node_modules/@types/node": { - "version": "20.12.4", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.4.tgz", - "integrity": "sha512-E+Fa9z3wSQpzgYQdYmme5X3OTuejnnTx88A6p6vkkJosR3KBz+HpE3kqNm98VE6cfLFcISx7zW7MsJkH6KwbTw==", + "version": "20.12.7", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.7.tgz", + "integrity": "sha512-wq0cICSkRLVaf3UGLMGItu/PtdY7oaXaI/RVU+xliKVOtRna3PRY57ZDfztpDL0n11vfymMUnXv8QwYCO7L1wg==", "dependencies": { "undici-types": "~5.26.4" } 
@@ -6377,9 +6524,9 @@ "dev": true }, "node_modules/@types/qs": { - "version": "6.9.14", - "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.14.tgz", - "integrity": "sha512-5khscbd3SwWMhFqylJBLQ0zIu7c1K6Vz0uBIt915BI3zV0q1nfjRQD3RqSBcPaO6PHEF4ov/t9y89fSiyThlPA==", + "version": "6.9.15", + "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.15.tgz", + "integrity": "sha512-uXHQKES6DQKKCLh441Xv/dwxOq1TVS3JPUMlEqoEglvlhR6Mxnlew/Xq/LRVHpLyk7iK3zODe1qYHIMltO7XGg==", "dev": true }, "node_modules/@types/range-parser": { @@ -6389,9 +6536,9 @@ "dev": true }, "node_modules/@types/react": { - "version": "18.2.74", - "resolved": "https://registry.npmjs.org/@types/react/-/react-18.2.74.tgz", - "integrity": "sha512-9AEqNZZyBx8OdZpxzQlaFEVCSFUM2YXJH46yPOiOpm078k6ZLOCcuAzGum/zK8YBwY+dbahVNbHrbgrAwIRlqw==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/@types/react/-/react-18.3.1.tgz", + "integrity": "sha512-V0kuGBX3+prX+DQ/7r2qsv1NsdfnCLnTgnRJ1pYnxykBhGMz+qj+box5lq7XsO5mtZsBqpjwwTu/7wszPfMBcw==", "dev": true, "dependencies": { "@types/prop-types": "*", @@ -6811,9 +6958,9 @@ } }, "node_modules/@vitest/coverage-v8": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-1.4.0.tgz", - "integrity": "sha512-4hDGyH1SvKpgZnIByr9LhGgCEuF9DKM34IBLCC/fVfy24Z3+PZ+Ii9hsVBsHvY1umM1aGPEjceRkzxCfcQ10wg==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-1.5.2.tgz", + "integrity": "sha512-QJqxRnbCwNtbbegK9E93rBmhN3dbfG1bC/o52Bqr0zGCYhQzwgwvrJBG7Q8vw3zilX6Ryy6oa/mkZku2lLJx1Q==", "dev": true, "dependencies": { "@ampproject/remapping": "^2.2.1", 
@@ -6828,14 +6975,13 @@ "picocolors": "^1.0.0", "std-env": "^3.5.0", "strip-literal": "^2.0.0", - "test-exclude": "^6.0.0", - "v8-to-istanbul": "^9.2.0" + "test-exclude": "^6.0.0" }, "funding": { "url": "https://opencollective.com/vitest" }, "peerDependencies": { - "vitest": "1.4.0" + "vitest": "1.5.2" } }, "node_modules/@vitest/expect": { @@ -6853,12 +6999,12 @@ } }, "node_modules/@vitest/runner": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-1.4.0.tgz", - "integrity": "sha512-EDYVSmesqlQ4RD2VvWo3hQgTJ7ZrFQ2VSJdfiJiArkCerDAGeyF1i6dHkmySqk573jLp6d/cfqCN+7wUB5tLgg==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-1.5.2.tgz", + "integrity": "sha512-7IJ7sJhMZrqx7HIEpv3WrMYcq8ZNz9L6alo81Y6f8hV5mIE6yVZsFoivLZmr0D777klm1ReqonE9LyChdcmw6g==", "dev": true, "dependencies": { - "@vitest/utils": "1.4.0", + "@vitest/utils": "1.5.2", "p-limit": "^5.0.0", "pathe": "^1.1.1" }, @@ -6867,9 +7013,9 @@ } }, "node_modules/@vitest/runner/node_modules/@vitest/utils": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-1.4.0.tgz", - "integrity": "sha512-mx3Yd1/6e2Vt/PUC98DcqTirtfxUyAZ32uK82r8rZzbtBeBo+nqgnjx/LvqQdWsrvNtm14VmurNgcf4nqY5gJg==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-1.5.2.tgz", + "integrity": "sha512-sWOmyofuXLJ85VvXNsroZur7mOJGiQeM0JN3/0D1uU8U9bGFM69X1iqHaRXl6R8BwaLY6yPCogP257zxTzkUdA==", "dev": true, "dependencies": { "diff-sequences": "^29.6.3", 
@@ -6932,9 +7078,9 @@ } }, "node_modules/@vitest/runner/node_modules/react-is": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz", - "integrity": "sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", + "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", "dev": true }, "node_modules/@vitest/runner/node_modules/yocto-queue": { @@ -6950,9 +7096,9 @@ } }, "node_modules/@vitest/snapshot": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-1.4.0.tgz", - "integrity": "sha512-saAFnt5pPIA5qDGxOHxJ/XxhMFKkUSBJmVt5VgDsAqPTX6JP326r5C/c9UuCMPoXNzuudTPsYDZCoJ5ilpqG2A==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-1.5.2.tgz", + "integrity": "sha512-CTEp/lTYos8fuCc9+Z55Ga5NVPKUgExritjF5VY7heRFUfheoAqBneUlvXSUJHUZPjnPmyZA96yLRJDP1QATFQ==", "dev": true, "dependencies": { "magic-string": "^0.30.5", @@ -6990,9 +7136,9 @@ } }, "node_modules/@vitest/snapshot/node_modules/react-is": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz", - "integrity": "sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", + "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", "dev": true }, "node_modules/@vitest/spy": { 
@@ -7008,12 +7154,12 @@ } }, "node_modules/@vitest/ui": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/ui/-/ui-1.4.0.tgz", - "integrity": "sha512-XC6CMhN1gzYcGbpn6/Oanj4Au2EXwQEX6vpcOeLlZv8dy7g11Ukx8zwtYQbwxs9duK2s9j2o5rbQiCP5DPAcmw==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/ui/-/ui-1.5.2.tgz", + "integrity": "sha512-pYDitwgCOn7i3FH7Ka94G70dmj85xpBA42BaWCx82blPehyVO8FU6OLHNP9iAKJIHaIOXwZ+bgOXYSj3wZCxFA==", "dev": true, "dependencies": { - "@vitest/utils": "1.4.0", + "@vitest/utils": "1.5.2", "fast-glob": "^3.3.2", "fflate": "^0.8.1", "flatted": "^3.2.9", @@ -7025,13 +7171,13 @@ "url": "https://opencollective.com/vitest" }, "peerDependencies": { - "vitest": "1.4.0" + "vitest": "1.5.2" } }, "node_modules/@vitest/ui/node_modules/@vitest/utils": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-1.4.0.tgz", - "integrity": "sha512-mx3Yd1/6e2Vt/PUC98DcqTirtfxUyAZ32uK82r8rZzbtBeBo+nqgnjx/LvqQdWsrvNtm14VmurNgcf4nqY5gJg==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-1.5.2.tgz", + "integrity": "sha512-sWOmyofuXLJ85VvXNsroZur7mOJGiQeM0JN3/0D1uU8U9bGFM69X1iqHaRXl6R8BwaLY6yPCogP257zxTzkUdA==", "dev": true, "dependencies": { "diff-sequences": "^29.6.3", @@ -7079,9 +7225,9 @@ } }, "node_modules/@vitest/ui/node_modules/react-is": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz", - "integrity": "sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", + "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", "dev": true }, "node_modules/@vitest/utils": { 
@@ -7125,9 +7271,9 @@ } }, "node_modules/@vitest/utils/node_modules/react-is": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz", - "integrity": "sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", + "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", "dev": true }, "node_modules/@yarnpkg/esbuild-plugin-pnp": { @@ -7564,13 +7710,13 @@ } }, "node_modules/babel-plugin-polyfill-corejs2": { - "version": "0.4.10", - "resolved": "https://registry.npmjs.org/babel-plugin-polyfill-corejs2/-/babel-plugin-polyfill-corejs2-0.4.10.tgz", - "integrity": "sha512-rpIuu//y5OX6jVU+a5BCn1R5RSZYWAl2Nar76iwaOdycqb6JPxediskWFMMl7stfwNJR4b7eiQvh5fB5TEQJTQ==", + "version": "0.4.11", + "resolved": "https://registry.npmjs.org/babel-plugin-polyfill-corejs2/-/babel-plugin-polyfill-corejs2-0.4.11.tgz", + "integrity": "sha512-sMEJ27L0gRHShOh5G54uAAPaiCOygY/5ratXuiyb2G46FmlSpc9eFCzYVyDiPxfNbwzA7mYahmjQc5q+CZQ09Q==", "dev": true, "dependencies": { "@babel/compat-data": "^7.22.6", - "@babel/helper-define-polyfill-provider": "^0.6.1", + "@babel/helper-define-polyfill-provider": "^0.6.2", "semver": "^6.3.1" }, "peerDependencies": { 
@@ -7591,12 +7737,12 @@ } }, "node_modules/babel-plugin-polyfill-regenerator": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/babel-plugin-polyfill-regenerator/-/babel-plugin-polyfill-regenerator-0.6.1.tgz", - "integrity": "sha512-JfTApdE++cgcTWjsiCQlLyFBMbTUft9ja17saCc93lgV33h4tuCVj7tlvu//qpLwaG+3yEz7/KhahGrUMkVq9g==", + "version": "0.6.2", + "resolved": "https://registry.npmjs.org/babel-plugin-polyfill-regenerator/-/babel-plugin-polyfill-regenerator-0.6.2.tgz", + "integrity": "sha512-2R25rQZWP63nGwaAswvDazbPXfrM3HwVoBXK6HcqeKrSrL/JqcC/rDcf95l4r7LXLyxDXc8uQDa064GubtCABg==", "dev": true, "dependencies": { - "@babel/helper-define-polyfill-provider": "^0.6.1" + "@babel/helper-define-polyfill-provider": "^0.6.2" }, "peerDependencies": { "@babel/core": "^7.4.0 || ^8.0.0-0 <8.0.0" @@ -7956,9 +8102,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001605", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001605.tgz", - "integrity": "sha512-nXwGlFWo34uliI9z3n6Qc0wZaf7zaZWA1CPZ169La5mV3I/gem7bst0vr5XQH5TJXZIMfDeZyOrZnSlVzKxxHQ==", + "version": "1.0.30001614", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001614.tgz", + "integrity": "sha512-jmZQ1VpmlRwHgdP1/uiKzgiAuGOfLEJsYFP4+GBou/QQ4U6IOJCB4NP1c+1p9RGLpwObcT94jA5/uO+F1vBbog==", "dev": true, "funding": [ { @@ -8363,6 +8509,12 @@ "safe-buffer": "~5.1.0" } }, + "node_modules/confbox": { + "version": "0.1.7", + "resolved": "https://registry.npmjs.org/confbox/-/confbox-0.1.7.tgz", + "integrity": "sha512-uJcB/FKZtBMCJpK8MQji6bJHgu1tixKPxRLeGkNzBoOZzpnZUJm0jm2/sBDWcuBx1dYgxV4JU+g5hmNxCyAmdA==", + "dev": true + }, "node_modules/consola": { "version": "3.2.3", "resolved": "https://registry.npmjs.org/consola/-/consola-3.2.3.tgz", 
@@ -8414,9 +8566,9 @@ "dev": true }, "node_modules/core-js-compat": { - "version": "3.36.1", - "resolved": "https://registry.npmjs.org/core-js-compat/-/core-js-compat-3.36.1.tgz", - "integrity": "sha512-Dk997v9ZCt3X/npqzyGdTlq6t7lDBhZwGvV94PKzDArjp7BTRm7WlDAXYd/OWdeFHO8OChQYRJNJvUCqCbrtKA==", + "version": "3.37.0", + "resolved": "https://registry.npmjs.org/core-js-compat/-/core-js-compat-3.37.0.tgz", + "integrity": "sha512-vYq4L+T8aS5UuFg4UwDhc7YNRWVeVZwltad9C/jV3R2LgVOpS9BDr7l/WL6BN0dbV3k1XejPTHqqEzJgsa0frA==", "dev": true, "dependencies": { "browserslist": "^4.23.0" @@ -8528,9 +8680,9 @@ } }, "node_modules/dayjs": { - "version": "1.11.10", - "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.10.tgz", - "integrity": "sha512-vjAczensTgRcqDERK0SR2XMwsF/tSvnvlv6VcF2GIhg6Sx4yOIt/irsr1RDJsKiIyBzJDpCoXiWWq28MqH2cnQ==", + "version": "1.11.11", + "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.11.tgz", + "integrity": "sha512-okzr3f11N6WuqYtZSvm+F776mB41wRZMhKP+hc34YdW+KmtYYK9iqvHSwo2k9FEH3fhGXvOPV6yz2IcSrfRUDg==", "dev": true, "optional": true }, @@ -8832,9 +8984,9 @@ } }, "node_modules/devalue": { - "version": "4.3.2", - "resolved": "https://registry.npmjs.org/devalue/-/devalue-4.3.2.tgz", - "integrity": "sha512-KqFl6pOgOW+Y6wJgu80rHpo2/3H07vr8ntR9rkkFIRETewbf5GaYYcakYfiKz89K+sLsuPkQIZaXDMjUObZwWg==", + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/devalue/-/devalue-5.0.0.tgz", + "integrity": "sha512-gO+/OMXF7488D+u3ue+G7Y4AA3ZmUnB3eHJXmBTgNHvr4ZNzl36A0ZtG+XCRNYCkYx/bFmw4qtkoFLa+wSrwAA==", "dev": true }, "node_modules/didyoumean": { 
@@ -9103,9 +9255,9 @@ "dev": true }, "node_modules/ejs": { - "version": "3.1.9", - "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.9.tgz", - "integrity": "sha512-rC+QVNMJWv+MtPgkt0y+0rVEIdbtxVADApW9JXrUVlzHetgcyczP/E7DJmWJ4fJCZF2cPcBk0laWO9ZHMG3DmQ==", + "version": "3.1.10", + "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz", + "integrity": "sha512-UeJmFfOrAQS8OJWPZ4qtgHyWExa088/MtK5UEyoJGFH67cDEXkZSviOiKRCZ4Xij0zxI3JECgYs3oKx+AizQBA==", "dev": true, "dependencies": { "jake": "^10.8.5" @@ -9118,9 +9270,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.4.726", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.726.tgz", - "integrity": "sha512-xtjfBXn53RORwkbyKvDfTajtnTp0OJoPOIBzXvkNbb7+YYvCHJflba3L7Txyx/6Fov3ov2bGPr/n5MTixmPhdQ==", + "version": "1.4.750", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.750.tgz", + "integrity": "sha512-9ItEpeu15hW5m8jKdriL+BQrgwDTXEL9pn4SkillWFu73ZNNNQ2BKKLS+ZHv2vC9UkNhosAeyfxOf/5OSeTCPA==", "dev": true }, "node_modules/emoji-regex": { @@ -9173,9 +9325,9 @@ } }, "node_modules/envinfo": { - "version": "7.11.1", - "resolved": "https://registry.npmjs.org/envinfo/-/envinfo-7.11.1.tgz", - "integrity": "sha512-8PiZgZNIB4q/Lw4AhOvAfB/ityHAd2bli3lESSWmWSzSsl5dKpy5N1d1Rfkd2teq/g9xN90lc6o98DOjMeYHpg==", + "version": "7.12.0", + "resolved": "https://registry.npmjs.org/envinfo/-/envinfo-7.12.0.tgz", + "integrity": "sha512-Iw9rQJBGpJRd3rwXm9ft/JiGoAZmLxxJZELYDQoPRZ4USVhkKtIcNBPw6U+/K2mBpaqM25JSV6Yl4Az9vO2wJg==", "dev": true, "bin": { "envinfo": "dist/cli.js" 
@@ -9410,10 +9562,13 @@ } }, "node_modules/eslint-compat-utils": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/eslint-compat-utils/-/eslint-compat-utils-0.1.2.tgz", - "integrity": "sha512-Jia4JDldWnFNIru1Ehx1H5s9/yxiRHY/TimCuUc0jNexew3cF1gI6CYZil1ociakfWO3rRqFjl1mskBblB3RYg==", + "version": "0.5.0", + "resolved": "https://registry.npmjs.org/eslint-compat-utils/-/eslint-compat-utils-0.5.0.tgz", + "integrity": "sha512-dc6Y8tzEcSYZMHa+CMPLi/hyo1FzNeonbhJL7Ol0ccuKQkwopJcJBA9YL/xmMTLU1eKigXo9vj9nALElWYSowg==", "dev": true, + "dependencies": { + "semver": "^7.5.4" + }, "engines": { "node": ">=12" }, @@ -9421,6 +9576,39 @@ "eslint": ">=6.0.0" } }, + "node_modules/eslint-compat-utils/node_modules/lru-cache": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", + "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", + "dev": true, + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/eslint-compat-utils/node_modules/semver": { + "version": "7.6.0", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz", + "integrity": "sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==", + "dev": true, + "dependencies": { + "lru-cache": "^6.0.0" + }, + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/eslint-compat-utils/node_modules/yallist": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", + "dev": true + }, "node_modules/eslint-config-prettier": { "version": "8.10.0", "resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-8.10.0.tgz", 
@@ -9461,23 +9649,23 @@ } }, "node_modules/eslint-plugin-svelte": { - "version": "2.35.1", - "resolved": "https://registry.npmjs.org/eslint-plugin-svelte/-/eslint-plugin-svelte-2.35.1.tgz", - "integrity": "sha512-IF8TpLnROSGy98Z3NrsKXWDSCbNY2ReHDcrYTuXZMbfX7VmESISR78TWgO9zdg4Dht1X8coub5jKwHzP0ExRug==", + "version": "2.38.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-svelte/-/eslint-plugin-svelte-2.38.0.tgz", + "integrity": "sha512-IwwxhHzitx3dr0/xo0z4jjDlb2AAHBPKt+juMyKKGTLlKi1rZfA4qixMwnveU20/JTHyipM6keX4Vr7LZFYc9g==", "dev": true, "dependencies": { - "@eslint-community/eslint-utils": "^4.2.0", - "@jridgewell/sourcemap-codec": "^1.4.14", - "debug": "^4.3.1", - "eslint-compat-utils": "^0.1.2", + "@eslint-community/eslint-utils": "^4.4.0", + "@jridgewell/sourcemap-codec": "^1.4.15", + "debug": "^4.3.4", + "eslint-compat-utils": "^0.5.0", "esutils": "^2.0.3", - "known-css-properties": "^0.29.0", - "postcss": "^8.4.5", + "known-css-properties": "^0.30.0", + "postcss": "^8.4.38", "postcss-load-config": "^3.1.4", "postcss-safe-parser": "^6.0.0", - "postcss-selector-parser": "^6.0.11", - "semver": "^7.5.3", - "svelte-eslint-parser": ">=0.33.0 <1.0.0" + "postcss-selector-parser": "^6.0.16", + "semver": "^7.6.0", + "svelte-eslint-parser": ">=0.35.0 <1.0.0" }, "engines": { "node": "^14.17.0 || >=16.0.0" @@ -9486,8 +9674,8 @@ "url": "https://github.com/sponsors/ota-meshi" }, "peerDependencies": { - "eslint": "^7.0.0 || ^8.0.0-0", - "svelte": "^3.37.0 || ^4.0.0" + "eslint": "^7.0.0 || ^8.0.0-0 || ^9.0.0-0", + "svelte": "^3.37.0 || ^4.0.0 || ^5.0.0-next.112" }, "peerDependenciesMeta": { "svelte": { 
@@ -10224,9 +10412,9 @@ "dev": true }, "node_modules/flow-parser": { - "version": "0.233.0", - "resolved": "https://registry.npmjs.org/flow-parser/-/flow-parser-0.233.0.tgz", - "integrity": "sha512-E/mv51GYJfLuRX6fZnw4M52gBxYa8pkHUOgNEZOcQK2RTXS8YXeU5rlalkTcY99UpwbeNVCSUFKaavpOksi/pQ==", + "version": "0.235.1", + "resolved": "https://registry.npmjs.org/flow-parser/-/flow-parser-0.235.1.tgz", + "integrity": "sha512-s04193L4JE+ntEcQXbD6jxRRlyj9QXcgEl2W6xSjH4l9x4b0eHoCHfbYHjqf9LdZFUiM5LhgpiqsvLj/AyOyYQ==", "dev": true, "engines": { "node": ">=0.4.0" @@ -11840,9 +12028,9 @@ } }, "node_modules/joi": { - "version": "17.12.3", - "resolved": "https://registry.npmjs.org/joi/-/joi-17.12.3.tgz", - "integrity": "sha512-2RRziagf555owrm9IRVtdKynOBeITiDpuZqIpgwqXShPncPKNiRQoiGsl/T8SQdq+8ugRzH2LqY67irr2y/d+g==", + "version": "17.13.0", + "resolved": "https://registry.npmjs.org/joi/-/joi-17.13.0.tgz", + "integrity": "sha512-9qcrTyoBmFZRNHeVP4edKqIUEgFzq7MHvTNSDuHSqkpOPtiBkgNgcmTSqmiw1kw9tdKaiddvIDv/eCJDxmqWCA==", "dev": true, "optional": true, "dependencies": { @@ -12017,12 +12205,6 @@ "node": ">=6" } }, - "node_modules/jsonc-parser": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/jsonc-parser/-/jsonc-parser-3.2.1.tgz", - "integrity": "sha512-AilxAyFOAcK5wA1+LeaySVBrHsGQvUFCDWXKpZjzaL0PqW+xfBOttn8GNtWKFWqneyMZj41MWF9Kl6iPWLwgOA==", - "dev": true - }, "node_modules/jsonfile": { "version": "6.1.0", "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.1.0.tgz", 
@@ -12139,9 +12321,9 @@ } }, "node_modules/known-css-properties": { - "version": "0.29.0", - "resolved": "https://registry.npmjs.org/known-css-properties/-/known-css-properties-0.29.0.tgz", - "integrity": "sha512-Ne7wqW7/9Cz54PDt4I3tcV+hAyat8ypyOGzYRJQfdxnnjeWsTxt1cy8pjvvKeI5kfXuyvULyeeAvwvvtAX3ayQ==", + "version": "0.30.0", + "resolved": "https://registry.npmjs.org/known-css-properties/-/known-css-properties-0.30.0.tgz", + "integrity": "sha512-VSWXYUnsPu9+WYKkfmJyLKtIvaRJi1kXUqVmBACORXZQxT5oZDsoZ2vQP+bQFDnWtpI/4eq3MLoRMjI2fnLzTQ==", "dev": true }, "node_modules/lazy-universal-dotenv": { @@ -12346,25 +12528,22 @@ } }, "node_modules/magic-string": { - "version": "0.30.9", - "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.9.tgz", - "integrity": "sha512-S1+hd+dIrC8EZqKyT9DstTH/0Z+f76kmmvZnkfQVmOpDEF9iVgdYif3Q/pIWHmCoo59bQVGW0kVL3e2nl+9+Sw==", + "version": "0.30.10", + "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.10.tgz", + "integrity": "sha512-iIRwTIf0QKV3UAnYK4PU8uiEc4SRh5jX0mwpIwETPpHdhVM4f53RSwS/vXvN1JhGX+Cs7B8qIq3d6AH49O5fAQ==", "dependencies": { "@jridgewell/sourcemap-codec": "^1.4.15" - }, - "engines": { - "node": ">=12" } }, "node_modules/magicast": { - "version": "0.3.3", - "resolved": "https://registry.npmjs.org/magicast/-/magicast-0.3.3.tgz", - "integrity": "sha512-ZbrP1Qxnpoes8sz47AM0z08U+jW6TyRgZzcWy3Ma3vDhJttwMwAFDMMQFobwdBxByBD46JYmxRzeF7w2+wJEuw==", + "version": "0.3.4", + "resolved": "https://registry.npmjs.org/magicast/-/magicast-0.3.4.tgz", + "integrity": "sha512-TyDF/Pn36bBji9rWKHlZe+PZb6Mx5V8IHCSxk7X4aljM4e/vyDvZZYwHewdVaqiA0nb3ghfHU/6AUpDxWoER2Q==", "dev": true, "dependencies": { - "@babel/parser": "^7.23.6", - "@babel/types": "^7.23.6", - "source-map-js": "^1.0.2" + "@babel/parser": "^7.24.4", + "@babel/types": "^7.24.0", + "source-map-js": "^1.2.0" } }, "node_modules/make-dir": { 
@@ -12398,9 +12577,9 @@ "dev": true }, "node_modules/markdown-to-jsx": { - "version": "7.4.5", - "resolved": "https://registry.npmjs.org/markdown-to-jsx/-/markdown-to-jsx-7.4.5.tgz", - "integrity": "sha512-c8NB0H/ig+FOWssE9be0PKsYbCDhcWEkicxMnpdfUuHbFljnen4LAdgUShOyR/PgO3/qKvt9cwfQ0U/zQvZ44A==", + "version": "7.4.7", + "resolved": "https://registry.npmjs.org/markdown-to-jsx/-/markdown-to-jsx-7.4.7.tgz", + "integrity": "sha512-0+ls1IQZdU6cwM1yu0ZjjiVWYtkbExSyUIFU2ZeDIFuZM1W42Mh4OlJ4nb4apX4H8smxDHRdFaoIVJGwfv5hkg==", "dev": true, "engines": { "node": ">= 10" @@ -12897,9 +13076,9 @@ } }, "node_modules/nwsapi": { - "version": "2.2.7", - "resolved": "https://registry.npmjs.org/nwsapi/-/nwsapi-2.2.7.tgz", - "integrity": "sha512-ub5E4+FBPKwAZx0UwIQOjYWGHTEq5sPqHQNRN8Z9e4A7u3Tj1weLJsL59yH9vmvqEtBHaOmT6cYQKIZOxp35FQ==", + "version": "2.2.9", + "resolved": "https://registry.npmjs.org/nwsapi/-/nwsapi-2.2.9.tgz", + "integrity": "sha512-2f3F0SEEer8bBu0dsNCFF50N0cTThV1nWFYcEYFZttdW0lDAoybv9cQoK7X7/68Z89S7FoRrVjP1LPX4XRf9vg==", "dev": true }, "node_modules/nypm": { @@ -13201,17 +13380,17 @@ } }, "node_modules/optionator": { - "version": "0.9.3", - "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz", - "integrity": "sha512-JjCoypp+jKn1ttEFExxhetCKeJt9zhAgAve5FXHixTvFDW/5aEktX9bufBKLRRMdU7bNtpLfcGu94B3cdEJgjg==", + "version": "0.9.4", + "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz", + "integrity": "sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==", "dev": true, "dependencies": { - "@aashutoshrathi/word-wrap": "^1.2.3", "deep-is": "^0.1.3", "fast-levenshtein": "^2.0.6", "levn": "^0.4.1", "prelude-ls": "^1.2.1", - "type-check": "^0.4.0" + "type-check": "^0.4.0", + "word-wrap": "^1.2.5" }, "engines": { "node": ">= 0.8.0" 
@@ -13400,9 +13579,9 @@ } }, "node_modules/path-scurry/node_modules/lru-cache": { - "version": "10.2.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.0.tgz", - "integrity": "sha512-2bIM8x+VAf6JT4bKAljS1qUWgMsqZRPGJS6FSahIMPVvctcNhyVp7AJu7quxOW9jwkryBReKZY5tY5JYv2n/7Q==", + "version": "10.2.1", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.1.tgz", + "integrity": "sha512-tS24spDe/zXhWbNPErCHs/AGOzbKGHT+ybSBqmdLm8WZ1xXLWvH8Qn71QPAlqVhd0qUTWjy+Kl9JmISgDdEjsA==", "dev": true, "engines": { "node": "14 || >=16.14" @@ -13531,23 +13710,23 @@ } }, "node_modules/pkg-types": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/pkg-types/-/pkg-types-1.0.3.tgz", - "integrity": "sha512-nN7pYi0AQqJnoLPC9eHFQ8AcyaixBUOwvqc5TDnIKCMEE6I0y8P7OKA7fPexsXGCGxQDl/cmrLAp26LhcwxZ4A==", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/pkg-types/-/pkg-types-1.1.0.tgz", + "integrity": "sha512-/RpmvKdxKf8uILTtoOhAgf30wYbP2Qw+L9p3Rvshx1JZVX+XQNZQFjlbmGHEGIm4CkVPlSn+NXmIM8+9oWQaSA==", "dev": true, "dependencies": { - "jsonc-parser": "^3.2.0", - "mlly": "^1.2.0", - "pathe": "^1.1.0" + "confbox": "^0.1.7", + "mlly": "^1.6.1", + "pathe": "^1.1.2" } }, "node_modules/playwright": { - "version": "1.42.1", - "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.42.1.tgz", - "integrity": "sha512-PgwB03s2DZBcNRoW+1w9E+VkLBxweib6KTXM0M3tkiT4jVxKSi6PmVJ591J+0u10LUrgxB7dLRbiJqO5s2QPMg==", + "version": "1.43.1", + "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.43.1.tgz", + "integrity": "sha512-V7SoH0ai2kNt1Md9E3Gwas5B9m8KR2GVvwZnAI6Pg0m3sh7UvgiYhRrhsziCmqMJNouPckiOhk8T+9bSAK0VIA==", "dev": true, "dependencies": { - "playwright-core": "1.42.1" + "playwright-core": "1.43.1" }, "bin": { "playwright": "cli.js" 
@@ -13560,9 +13739,9 @@ } }, "node_modules/playwright-core": { - "version": "1.42.1", - "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.42.1.tgz", - "integrity": "sha512-mxz6zclokgrke9p1vtdy/COWBH+eOZgYUVVU34C73M+4j4HLlQJHtfcqiqqxpP0o8HhMkflvfbquLX5dg6wlfA==", + "version": "1.43.1", + "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.43.1.tgz", + "integrity": "sha512-EI36Mto2Vrx6VF7rm708qSnesVQKbxEWvPrfA1IPY6HgczBplDx7ENtx+K2n4kJ41sLLkuGfmb0ZLSSXlDhqPg==", "dev": true, "bin": { "playwright-core": "cli.js" @@ -14111,9 +14290,9 @@ } }, "node_modules/qs": { - "version": "6.12.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.12.0.tgz", - "integrity": "sha512-trVZiI6RMOkO476zLGaBIzszOdFPnCCXHPG9kn0yuS1uz6xdVxPfZdB3vUig9pxPFDM9BRAgz/YUIVQ1/vuiUg==", + "version": "6.12.1", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.12.1.tgz", + "integrity": "sha512-zWmv4RSuB9r2mYQw3zxQuHWeU+42aKi1wWig/j4ele4ygELZ7PEO6MM7rim9oAQH2A5MWfsAVf/jPvTPgCbvUQ==", "dev": true, "dependencies": { "side-channel": "^1.0.6" @@ -14186,9 +14365,9 @@ } }, "node_modules/react": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz", - "integrity": "sha512-/3IjMdb2L9QbBdWiW5e3P2/npwMBaU9mHCSCUzNln0ZCYbcfTsGbTJrU/kGemdH2IWmB2ioZ+zkxtmq6g09fGQ==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz", + "integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==", "dev": true, "dependencies": { "loose-envify": "^1.1.0" 
@@ -14208,16 +14387,16 @@ } }, "node_modules/react-dom": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.2.0.tgz", - "integrity": "sha512-6IMTriUmvsjHUjNtEDudZfuDQUoWXVxKHhlEGSk81n4YFS+r/Kl99wXiwlVXtPBtJenozv2P+hxDsw9eA7Xo6g==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz", + "integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==", "dev": true, "dependencies": { "loose-envify": "^1.1.0", - "scheduler": "^0.23.0" + "scheduler": "^0.23.2" }, "peerDependencies": { - "react": "^18.2.0" + "react": "^18.3.1" } }, "node_modules/react-is": { @@ -14852,9 +15031,9 @@ } }, "node_modules/scheduler": { - "version": "0.23.0", - "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.0.tgz", - "integrity": "sha512-CtuThmgHNg7zIZWAXi3AsyIzA3n4xx7aNyjwC2VJldO2LMVDhFK+63xGqq6CsJH4rTAt6/M+N4GhZiDYPx9eUw==", + "version": "0.23.2", + "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.2.tgz", + "integrity": "sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ==", "dev": true, "dependencies": { "loose-envify": "^1.1.0" @@ -15274,12 +15453,12 @@ "dev": true }, "node_modules/storybook": { - "version": "7.6.17", - "resolved": "https://registry.npmjs.org/storybook/-/storybook-7.6.17.tgz", - "integrity": "sha512-8+EIo91bwmeFWPg1eysrxXlhIYv3OsXrznTr4+4Eq0NikqAoq6oBhtlN5K2RGS2lBVF537eN+9jTCNbR+WrzDA==", + "version": "7.6.18", + "resolved": "https://registry.npmjs.org/storybook/-/storybook-7.6.18.tgz", + "integrity": "sha512-AUhWAVISi+qTsfpJlVuo65VfhqWtapkqJDXA/bK+4actBR9DpRXXwow6xJQJH5wrp8TZk0X9Pkqm3fykTQ5MCA==", "dev": true, "dependencies": { - "@storybook/cli": "7.6.17" + "@storybook/cli": "7.6.18" }, "bin": { "sb": "index.js", 
@@ -15512,9 +15691,10 @@ } }, "node_modules/svelte": { - "version": "4.2.12", - "resolved": "https://registry.npmjs.org/svelte/-/svelte-4.2.12.tgz", - "integrity": "sha512-d8+wsh5TfPwqVzbm4/HCXC783/KPHV60NvwitJnyTA5lWn1elhXMNWhXGCJ7PwPa8qFUnyJNIyuIRt2mT0WMug==", + "version": "4.2.15", + "resolved": "https://registry.npmjs.org/svelte/-/svelte-4.2.15.tgz", + "integrity": "sha512-j9KJSccHgLeRERPlhMKrCXpk2TqL2m5Z+k+OBTQhZOhIdCCd3WfqV+ylPWeipEwq17P/ekiSFWwrVQv93i3bsg==", + "dev": true, "dependencies": { "@ampproject/remapping": "^2.2.1", "@jridgewell/sourcemap-codec": "^1.4.15", @@ -15536,9 +15716,9 @@ } }, "node_modules/svelte-check": { - "version": "3.6.9", - "resolved": "https://registry.npmjs.org/svelte-check/-/svelte-check-3.6.9.tgz", - "integrity": "sha512-hDQrk3L0osX07djQyMiXocKysTLfusqi8AriNcCiQxhQR49/LonYolcUGMtZ0fbUR8HTR198Prrgf52WWU9wEg==", + "version": "3.7.0", + "resolved": "https://registry.npmjs.org/svelte-check/-/svelte-check-3.7.0.tgz", + "integrity": "sha512-Va6sGL4Vy4znn0K+vaatk98zoBvG2aDee4y3r5X4S80z8DXfbACHvdLlyXa4C4c5tQzK9H0Uq2pbd20wH3ucjQ==", "dev": true, "dependencies": { "@jridgewell/trace-mapping": "^0.3.17", 
@@ -15558,16 +15738,16 @@ } }, "node_modules/svelte-eslint-parser": { - "version": "0.33.1", - "resolved": "https://registry.npmjs.org/svelte-eslint-parser/-/svelte-eslint-parser-0.33.1.tgz", - "integrity": "sha512-vo7xPGTlKBGdLH8T5L64FipvTrqv3OQRx9d2z5X05KKZDlF4rQk8KViZO4flKERY+5BiVdOh7zZ7JGJWo5P0uA==", + "version": "0.35.0", + "resolved": "https://registry.npmjs.org/svelte-eslint-parser/-/svelte-eslint-parser-0.35.0.tgz", + "integrity": "sha512-CtbPseajW0gjwEvHiuzYJkPDjAcHz2FaHt540j6RVYrZgnE6xWkzUBodQ4I3nV+G5AS0Svt8K6aIA/CIU9xT2Q==", "dev": true, "dependencies": { - "eslint-scope": "^7.0.0", - "eslint-visitor-keys": "^3.0.0", - "espree": "^9.0.0", - "postcss": "^8.4.29", - "postcss-scss": "^4.0.8" + "eslint-scope": "^7.2.2", + "eslint-visitor-keys": "^3.4.3", + "espree": "^9.6.1", + "postcss": "^8.4.38", + "postcss-scss": "^4.0.9" }, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" @@ -15576,7 +15756,7 @@ "url": "https://github.com/sponsors/ota-meshi" }, "peerDependencies": { - "svelte": "^3.37.0 || ^4.0.0" + "svelte": "^3.37.0 || ^4.0.0 || ^5.0.0-next.112" }, "peerDependenciesMeta": { "svelte": { @@ -15610,9 +15790,9 @@ } }, "node_modules/svelte-hmr": { - "version": "0.15.3", - "resolved": "https://registry.npmjs.org/svelte-hmr/-/svelte-hmr-0.15.3.tgz", - "integrity": "sha512-41snaPswvSf8TJUhlkoJBekRrABDXDMdpNpT2tfHIv4JuhgvHqLMhEPGtaQn0BmbNSTkuz2Ed20DF2eHw0SmBQ==", + "version": "0.16.0", + "resolved": "https://registry.npmjs.org/svelte-hmr/-/svelte-hmr-0.16.0.tgz", + "integrity": "sha512-Gyc7cOS3VJzLlfj7wKS0ZnzDVdv3Pn2IuVeJPk9m2skfhcu5bq3wtIZyQGggr7/Iim5rH5cncyQft/kRLupcnA==", "dev": true, "engines": { "node": "^12.20 || ^14.13.1 || >= 16" 
@@ -15622,17 +15802,65 @@ } }, "node_modules/svelte-multiselect": { - "version": "10.2.0", - "resolved": "https://registry.npmjs.org/svelte-multiselect/-/svelte-multiselect-10.2.0.tgz", - "integrity": "sha512-nbv0dTgSHGENbwKdiN5seFD4ljtGSAEZGcMkHfcc+Nnk7tVwM2jxvCgkRKp9FdPUKG1M6Zp8ZXLDU+xoZxHyTA==", + "version": "10.3.0", + "resolved": "https://registry.npmjs.org/svelte-multiselect/-/svelte-multiselect-10.3.0.tgz", + "integrity": "sha512-Pyvlcn4TK3dB2WWo6hDEeNH+x2O/DP82UuUf61PQFX8KMB3cm1Cam+zTKrcrOoRRVI2SwH/8dPF8hSTfJFaMmA==", "dependencies": { - "svelte": "^4.2.0" + "svelte": "4.2.12" + } + }, + "node_modules/svelte-multiselect/node_modules/aria-query": { + "version": "5.3.0", + "resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.0.tgz", + "integrity": "sha512-b0P0sZPKtyu8HkeRAfCq0IfURZK+SuwMjY1UXGBU27wpAiTwQAIlq56IbIO+ytk/JjS1fMR14ee5WBBfKi5J6A==", + "dependencies": { + "dequal": "^2.0.3" + } + }, + "node_modules/svelte-multiselect/node_modules/estree-walker": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz", + "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==", + "dependencies": { + "@types/estree": "^1.0.0" + } + }, + "node_modules/svelte-multiselect/node_modules/is-reference": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/is-reference/-/is-reference-3.0.2.tgz", + "integrity": "sha512-v3rht/LgVcsdZa3O2Nqs+NMowLOxeOm7Ay9+/ARQ2F+qEoANRcqrjAZKGN0v8ymUetZGgkp26LTnGT7H0Qo9Pg==", + "dependencies": { + "@types/estree": "*" + } + }, + "node_modules/svelte-multiselect/node_modules/svelte": { + "version": "4.2.12", + "resolved": "https://registry.npmjs.org/svelte/-/svelte-4.2.12.tgz", + "integrity": "sha512-d8+wsh5TfPwqVzbm4/HCXC783/KPHV60NvwitJnyTA5lWn1elhXMNWhXGCJ7PwPa8qFUnyJNIyuIRt2mT0WMug==", + "dependencies": { + "@ampproject/remapping": "^2.2.1", + "@jridgewell/sourcemap-codec": "^1.4.15", + 
"@jridgewell/trace-mapping": "^0.3.18", + "@types/estree": "^1.0.1", + "acorn": "^8.9.0", + "aria-query": "^5.3.0", + "axobject-query": "^4.0.0", + "code-red": "^1.0.3", + "css-tree": "^2.3.1", + "estree-walker": "^3.0.3", + "is-reference": "^3.0.1", + "locate-character": "^3.0.0", + "magic-string": "^0.30.4", + "periscopic": "^3.1.0" + }, + "engines": { + "node": ">=16" } }, "node_modules/svelte-preprocess": { - "version": "5.1.3", - "resolved": "https://registry.npmjs.org/svelte-preprocess/-/svelte-preprocess-5.1.3.tgz", - "integrity": "sha512-xxAkmxGHT+J/GourS5mVJeOXZzne1FR5ljeOUAMXUkfEhkLEllRreXpbl3dIYJlcJRfL1LO1uIAPpBpBfiqGPw==", + "version": "5.1.4", + "resolved": "https://registry.npmjs.org/svelte-preprocess/-/svelte-preprocess-5.1.4.tgz", + "integrity": "sha512-IvnbQ6D6Ao3Gg6ftiM5tdbR6aAETwjhHV+UKGf5bHGYR69RQvF1ho0JKPcbUON4vy4R7zom13jPjgdOWCQ5hDA==", "dev": true, "hasInstallScript": true, "dependencies": { @@ -15643,8 +15871,7 @@ "strip-indent": "^3.0.0" }, "engines": { - "node": ">= 16.0.0", - "pnpm": "^8.0.0" + "node": ">= 16.0.0" }, "peerDependencies": { "@babel/core": "^7.10.2", @@ -15708,6 +15935,7 @@ "version": "5.3.0", "resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.0.tgz", "integrity": "sha512-b0P0sZPKtyu8HkeRAfCq0IfURZK+SuwMjY1UXGBU27wpAiTwQAIlq56IbIO+ytk/JjS1fMR14ee5WBBfKi5J6A==", + "dev": true, "dependencies": { "dequal": "^2.0.3" } @@ -15716,6 +15944,7 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz", "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==", + "dev": true, "dependencies": { "@types/estree": "^1.0.0" } @@ -15724,6 +15953,7 @@ "version": "3.0.2", "resolved": "https://registry.npmjs.org/is-reference/-/is-reference-3.0.2.tgz", "integrity": "sha512-v3rht/LgVcsdZa3O2Nqs+NMowLOxeOm7Ay9+/ARQ2F+qEoANRcqrjAZKGN0v8ymUetZGgkp26LTnGT7H0Qo9Pg==", + "dev": true, "dependencies": { "@types/estree": "*" } 
@@ -16006,9 +16236,9 @@ } }, "node_modules/sveltekit-superforms": { - "version": "2.12.5", - "resolved": "https://registry.npmjs.org/sveltekit-superforms/-/sveltekit-superforms-2.12.5.tgz", - "integrity": "sha512-p8qHNsMcPoB1mgTU8catzID8HJmxIK9ozRbGrv50Jk/XPotOjn5zTvW/stkVDBDL/tPLz0vfw+2PNbkkHCdhlw==", + "version": "2.12.6", + "resolved": "https://registry.npmjs.org/sveltekit-superforms/-/sveltekit-superforms-2.12.6.tgz", + "integrity": "sha512-qVA6HjD+WlPughk+YGGWXTY5lIvNP8JUoEK4TqzLhDkC8j6y0d2aB7ofgzqpkvY7nV77aNG3erP/qxr2DzBJEg==", "dev": true, "funding": [ { @@ -16025,23 +16255,23 @@ } ], "dependencies": { - "devalue": "^4.3.2", + "devalue": "^4.3.3", "just-clone": "^6.2.0", "memoize-weak": "^1.0.2", "ts-deepmerge": "^7.0.0" }, "optionalDependencies": { "@gcornut/valibot-json-schema": "^0.0.27", - "@sinclair/typebox": "^0.32.20", + "@sinclair/typebox": "^0.32.22", "@sodaru/yup-to-json-schema": "^2.0.1", "@vinejs/vine": "^1.8.0", "arktype": "1.0.29-alpha", - "joi": "^17.12.3", + "joi": "^17.13.0", "superstruct": "^1.0.4", "valibot": "^0.30.0", "yup": "^1.4.0", - "zod": "^3.22.4", - "zod-to-json-schema": "^3.22.5" + "zod": "^3.23.4", + "zod-to-json-schema": "^3.23.0" }, "peerDependencies": { "@sinclair/typebox": ">=0.32.13 <1", @@ -16053,7 +16283,7 @@ "svelte": "3.x || 4.x || >=5.0.0-next.51", "valibot": ">=0.28.1 <1", "yup": "^1.3.3", - "zod": "^3.22.4" + "zod": "^3.23.4" }, "peerDependenciesMeta": { "@sinclair/typebox": { 
@@ -16083,12 +16313,18 @@ } }, "node_modules/sveltekit-superforms/node_modules/@sinclair/typebox": { - "version": "0.32.22", - "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.32.22.tgz", - "integrity": "sha512-4uH8BLhNbptL2UkfS/a63tQ6uZGGZ4DT6zFq7ZkE+KQi7/56ZYkkWniAqz4bUr4cZGfoR83zRvSh39ZpH8DKDw==", + "version": "0.32.27", + "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.32.27.tgz", + "integrity": "sha512-JHRrubCKiXi6VKlbBTpTQnExkUFasPMIaXCJYJhqVBGLliQVt1yBZZgiZo3/uSmvAdXlIIdGoTAT6RB09L0QqA==", "dev": true, "optional": true }, + "node_modules/sveltekit-superforms/node_modules/devalue": { + "version": "4.3.3", + "resolved": "https://registry.npmjs.org/devalue/-/devalue-4.3.3.tgz", + "integrity": "sha512-UH8EL6H2ifcY8TbD2QsxwCC/pr5xSwPvv85LrLXVihmHVC3T3YqTCIwnR5ak0yO1KYqlxrPVOA/JVZJYPy2ATg==", + "dev": true + }, "node_modules/symbol-tree": { "version": "3.2.4", "resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz", @@ -16199,9 +16435,9 @@ } }, "node_modules/tailwindcss/node_modules/yaml": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.4.1.tgz", - "integrity": "sha512-pIXzoImaqmfOrL7teGUBt/T7ZDnyeGBWyXQBvOVhLkWLN37GXv8NMLK406UY6dS51JfcQHsmcW5cJ441bHg6Lg==", + "version": "2.4.2", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.4.2.tgz", + "integrity": "sha512-B3VqDZ+JAg1nZpaEmWtTXUlBneoGx6CPM9b0TENK6aoSu5t73dItudwdgmi6tHlIZZId4dZ9skcAQ2UbcyAeVA==", "dev": true, "bin": { "yaml": "bin.mjs" 
@@ -16520,15 +16756,15 @@ "dev": true }, "node_modules/tinybench": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.6.0.tgz", - "integrity": "sha512-N8hW3PG/3aOoZAN5V/NSAEDz0ZixDSSt5b/a05iqtpgfLWMSVuCo7w0k2vVvEjdrIoeGqZzweX2WlyioNIHchA==", + "version": "2.8.0", + "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.8.0.tgz", + "integrity": "sha512-1/eK7zUnIklz4JUUlL+658n58XO2hHLQfSk1Zf2LKieUjxidN16eKFEoDEfjHc3ohofSSqK3X5yO6VGb6iW8Lw==", "dev": true }, "node_modules/tinypool": { - "version": "0.8.3", - "resolved": "https://registry.npmjs.org/tinypool/-/tinypool-0.8.3.tgz", - "integrity": "sha512-Ud7uepAklqRH1bvwy22ynrliC7Dljz7Tm8M/0RBUW+YRa4YHhZ6e4PpgE+fu1zr/WqB1kbeuVrdfeuyIBpy4tw==", + "version": "0.8.4", + "resolved": "https://registry.npmjs.org/tinypool/-/tinypool-0.8.4.tgz", + "integrity": "sha512-i11VH5gS6IFeLY3gMBQ00/MmLncVP7JLXOw1vlgkytLmJK7QnEr7NXf0LBdxfmNPAeyetukOk0bOYrJrFGjYJQ==", "dev": true, "engines": { "node": ">=14.0.0" @@ -16570,9 +16806,9 @@ } }, "node_modules/tocbot": { - "version": "4.25.0", - "resolved": "https://registry.npmjs.org/tocbot/-/tocbot-4.25.0.tgz", - "integrity": "sha512-kE5wyCQJ40hqUaRVkyQ4z5+4juzYsv/eK+aqD97N62YH0TxFhzJvo22RUQQZdO3YnXAk42ZOfOpjVdy+Z0YokA==", + "version": "4.27.13", + "resolved": "https://registry.npmjs.org/tocbot/-/tocbot-4.27.13.tgz", + "integrity": "sha512-zS8GVVg14x/KBTxbvF6s3BNLltfMNZxTPaBpj+FjuwmnSv+ZK0trNN4uV5Ptw64NLFi2E30gt33+/a1Fkt3cWQ==", "dev": true }, "node_modules/toidentifier": { 
@@ -16740,9 +16976,9 @@ "dev": true }, "node_modules/typescript": { - "version": "5.4.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.3.tgz", - "integrity": "sha512-KrPd3PKaCLr78MalgiwJnA25Nm8HAmdwN3mYUYZgG/wizIo9EainNVQI9/yDavtVFRN2h3k8uf3GLHuhDMgEHg==", + "version": "5.4.5", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz", + "integrity": "sha512-vcI4UpRgg81oIRUFwR0WSIHKt11nJ7SAVlYNIu+QpqeyXP+gpQJy/Z4+F0aGxSE4MqwjyXvW/TzgkLAx2AGHwQ==", "dev": true, "bin": { "tsc": "bin/tsc", @@ -17071,20 +17307,6 @@ "integrity": "sha512-ocyWc3bAHBB/guyqJQVI5o4BZkPhznPYUG2ea80Gond/BgNWpap8TOmLSeeQG7bnh2KMISxskdADG59j7zruhw==", "dev": true }, - "node_modules/v8-to-istanbul": { - "version": "9.2.0", - "resolved": "https://registry.npmjs.org/v8-to-istanbul/-/v8-to-istanbul-9.2.0.tgz", - "integrity": "sha512-/EH/sDgxU2eGxajKdwLCDmQ4FWq+kpi3uCmBGpw1xJtnAxEjlD8j8PEiGWpCIMIs3ciNAgH0d3TTJiUkYzyZjA==", - "dev": true, - "dependencies": { - "@jridgewell/trace-mapping": "^0.3.12", - "@types/istanbul-lib-coverage": "^2.0.1", - "convert-source-map": "^2.0.0" - }, - "engines": { - "node": ">=10.12.0" - } - }, "node_modules/valibot": { "version": "0.30.0", "resolved": "https://registry.npmjs.org/valibot/-/valibot-0.30.0.tgz", @@ -17122,9 +17344,9 @@ } }, "node_modules/vite": { - "version": "5.2.8", - "resolved": "https://registry.npmjs.org/vite/-/vite-5.2.8.tgz", - "integrity": "sha512-OyZR+c1CE8yeHw5V5t59aXsUPPVTHMDjEZz8MgguLL/Q7NblxhZUlTu9xSPqlsUO/y+X7dlU05jdhvyycD55DA==", + "version": "5.2.10", + "resolved": "https://registry.npmjs.org/vite/-/vite-5.2.10.tgz", + "integrity": "sha512-PAzgUZbP7msvQvqdSD+ErD5qGnSFiGOoWmV5yAKUEI0kdhjbH6nMWVyZQC/hSc4aXwc0oJ9aEdIiF9Oje0JFCw==", "dev": true, "dependencies": { "esbuild": "^0.20.1", 
@@ -17177,9 +17399,9 @@ } }, "node_modules/vite-node": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/vite-node/-/vite-node-1.4.0.tgz", - "integrity": "sha512-VZDAseqjrHgNd4Kh8icYHWzTKSCZMhia7GyHfhtzLW33fZlG9SwsB6CEhgyVOWkJfJ2pFLrp/Gj1FSfAiqH9Lw==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/vite-node/-/vite-node-1.5.2.tgz", + "integrity": "sha512-Y8p91kz9zU+bWtF7HGt6DVw2JbhyuB2RlZix3FPYAYmUyZ3n7iTp8eSyLyY6sxtPegvxQtmlTMhfPhUfCUF93A==", "dev": true, "dependencies": { "cac": "^6.7.14", @@ -17611,9 +17833,9 @@ } }, "node_modules/vite/node_modules/rollup": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.14.0.tgz", - "integrity": "sha512-Qe7w62TyawbDzB4yt32R0+AbIo6m1/sqO7UPzFS8Z/ksL5mrfhA0v4CavfdmFav3D+ub4QeAgsGEe84DoWe/nQ==", + "version": "4.17.0", + "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.17.0.tgz", + "integrity": "sha512-wZJSn0WMtWrxhYKQRt5Z6GIXlziOoMDFmbHmRfL3v+sBTAshx2DBq1AfMArB7eIjF63r4ocn2ZTAyUptg/7kmQ==", "dev": true, "dependencies": { "@types/estree": "1.0.5" 
@@ -17626,21 +17848,22 @@ "npm": ">=8.0.0" }, "optionalDependencies": { - "@rollup/rollup-android-arm-eabi": "4.14.0", - "@rollup/rollup-android-arm64": "4.14.0", - "@rollup/rollup-darwin-arm64": "4.14.0", - "@rollup/rollup-darwin-x64": "4.14.0", - "@rollup/rollup-linux-arm-gnueabihf": "4.14.0", - "@rollup/rollup-linux-arm64-gnu": "4.14.0", - "@rollup/rollup-linux-arm64-musl": "4.14.0", - "@rollup/rollup-linux-powerpc64le-gnu": "4.14.0", - "@rollup/rollup-linux-riscv64-gnu": "4.14.0", - "@rollup/rollup-linux-s390x-gnu": "4.14.0", - "@rollup/rollup-linux-x64-gnu": "4.14.0", - "@rollup/rollup-linux-x64-musl": "4.14.0", - "@rollup/rollup-win32-arm64-msvc": "4.14.0", - "@rollup/rollup-win32-ia32-msvc": "4.14.0", - "@rollup/rollup-win32-x64-msvc": "4.14.0", + "@rollup/rollup-android-arm-eabi": "4.17.0", + "@rollup/rollup-android-arm64": "4.17.0", + "@rollup/rollup-darwin-arm64": "4.17.0", + "@rollup/rollup-darwin-x64": "4.17.0", + "@rollup/rollup-linux-arm-gnueabihf": "4.17.0", + "@rollup/rollup-linux-arm-musleabihf": "4.17.0", + "@rollup/rollup-linux-arm64-gnu": "4.17.0", + "@rollup/rollup-linux-arm64-musl": "4.17.0", + "@rollup/rollup-linux-powerpc64le-gnu": "4.17.0", + "@rollup/rollup-linux-riscv64-gnu": "4.17.0", + "@rollup/rollup-linux-s390x-gnu": "4.17.0", + "@rollup/rollup-linux-x64-gnu": "4.17.0", + "@rollup/rollup-linux-x64-musl": "4.17.0", + "@rollup/rollup-win32-arm64-msvc": "4.17.0", + "@rollup/rollup-win32-ia32-msvc": "4.17.0", + "@rollup/rollup-win32-x64-msvc": "4.17.0", "fsevents": "~2.3.2" } }, 
@@ -17659,16 +17882,16 @@ } }, "node_modules/vitest": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/vitest/-/vitest-1.4.0.tgz", - "integrity": "sha512-gujzn0g7fmwf83/WzrDTnncZt2UiXP41mHuFYFrdwaLRVQ6JYQEiME2IfEjU3vcFL3VKa75XhI3lFgn+hfVsQw==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/vitest/-/vitest-1.5.2.tgz", + "integrity": "sha512-l9gwIkq16ug3xY7BxHwcBQovLZG75zZL0PlsiYQbf76Rz6QGs54416UWMtC0jXeihvHvcHrf2ROEjkQRVpoZYw==", "dev": true, "dependencies": { - "@vitest/expect": "1.4.0", - "@vitest/runner": "1.4.0", - "@vitest/snapshot": "1.4.0", - "@vitest/spy": "1.4.0", - "@vitest/utils": "1.4.0", + "@vitest/expect": "1.5.2", + "@vitest/runner": "1.5.2", + "@vitest/snapshot": "1.5.2", + "@vitest/spy": "1.5.2", + "@vitest/utils": "1.5.2", "acorn-walk": "^8.3.2", "chai": "^4.3.10", "debug": "^4.3.4", @@ -17680,9 +17903,9 @@ "std-env": "^3.5.0", "strip-literal": "^2.0.0", "tinybench": "^2.5.1", - "tinypool": "^0.8.2", + "tinypool": "^0.8.3", "vite": "^5.0.0", - "vite-node": "1.4.0", + "vite-node": "1.5.2", "why-is-node-running": "^2.2.2" }, "bin": { @@ -17697,8 +17920,8 @@ "peerDependencies": { "@edge-runtime/vm": "*", "@types/node": "^18.0.0 || >=20.0.0", - "@vitest/browser": "1.4.0", - "@vitest/ui": "1.4.0", + "@vitest/browser": "1.5.2", + "@vitest/ui": "1.5.2", "happy-dom": "*", "jsdom": "*" }, 
@@ -17724,13 +17947,13 @@ } }, "node_modules/vitest/node_modules/@vitest/expect": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-1.4.0.tgz", - "integrity": "sha512-Jths0sWCJZ8BxjKe+p+eKsoqev1/T8lYcrjavEaz8auEJ4jAVY0GwW3JKmdVU4mmNPLPHixh4GNXP7GFtAiDHA==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-1.5.2.tgz", + "integrity": "sha512-rf7MTD1WCoDlN3FfYJ9Llfp0PbdtOMZ3FIF0AVkDnKbp3oiMW1c8AmvRZBcqbAhDUAvF52e9zx4WQM1r3oraVA==", "dev": true, "dependencies": { - "@vitest/spy": "1.4.0", - "@vitest/utils": "1.4.0", + "@vitest/spy": "1.5.2", + "@vitest/utils": "1.5.2", "chai": "^4.3.10" }, "funding": { @@ -17738,9 +17961,9 @@ } }, "node_modules/vitest/node_modules/@vitest/spy": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-1.4.0.tgz", - "integrity": "sha512-Ywau/Qs1DzM/8Uc+yA77CwSegizMlcgTJuYGAi0jujOteJOUf1ujunHThYo243KG9nAyWT3L9ifPYZ5+As/+6Q==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-1.5.2.tgz", + "integrity": "sha512-xCcPvI8JpCtgikT9nLpHPL1/81AYqZy1GCy4+MCHBE7xi8jgsYkULpW5hrx5PGLgOQjUpb6fd15lqcriJ40tfQ==", "dev": true, "dependencies": { "tinyspy": "^2.2.0" @@ -17750,9 +17973,9 @@ } }, "node_modules/vitest/node_modules/@vitest/utils": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-1.4.0.tgz", - "integrity": "sha512-mx3Yd1/6e2Vt/PUC98DcqTirtfxUyAZ32uK82r8rZzbtBeBo+nqgnjx/LvqQdWsrvNtm14VmurNgcf4nqY5gJg==", + "version": "1.5.2", + "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-1.5.2.tgz", + "integrity": "sha512-sWOmyofuXLJ85VvXNsroZur7mOJGiQeM0JN3/0D1uU8U9bGFM69X1iqHaRXl6R8BwaLY6yPCogP257zxTzkUdA==", "dev": true, "dependencies": { "diff-sequences": "^29.6.3", 
@@ -17910,9 +18133,9 @@ } }, "node_modules/vitest/node_modules/react-is": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz", - "integrity": "sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", + "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", "dev": true }, "node_modules/vitest/node_modules/strip-final-newline": { @@ -18122,6 +18345,15 @@ "node": ">=8" } }, + "node_modules/word-wrap": { + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz", + "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/wordwrap": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-1.0.0.tgz", @@ -18247,9 +18479,9 @@ "dev": true }, "node_modules/ws": { - "version": "8.16.0", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.16.0.tgz", - "integrity": "sha512-HS0c//TP7Ina87TfiPUz1rQzMhHrl/SG2guqRcTOIUYD2q8uhUdNHZYJUaQ8aTGPzCh+c6oawMKW35nFl1dxyQ==", + "version": "8.17.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.0.tgz", + "integrity": "sha512-uJq6108EgZMAl20KagGkzCKfMEjxmKvZHG7Tlq0Z6nOky7YF7aq4mOx6xK8TJ/i1LeK4Qus7INktacctDgY8Ow==", "dev": true, "engines": { "node": ">=10.0.0" 
@@ -18342,22 +18574,22 @@ } }, "node_modules/zod": { - "version": "3.22.4", - "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.4.tgz", - "integrity": "sha512-iC+8Io04lddc+mVqQ9AZ7OQ2MrUKGN+oIQyq1vemgt46jwCwLfhq7/pwnBnNXXXZb8VTVLKwp9EDkx+ryxIWmg==", + "version": "3.23.4", + "resolved": "https://registry.npmjs.org/zod/-/zod-3.23.4.tgz", + "integrity": "sha512-/AtWOKbBgjzEYYQRNfoGKHObgfAZag6qUJX1VbHo2PRBgS+wfWagEY2mizjfyAPcGesrJOcx/wcl0L9WnVrHFw==", "dev": true, "funding": { "url": "https://github.com/sponsors/colinhacks" } }, "node_modules/zod-to-json-schema": { - "version": "3.22.5", - "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.22.5.tgz", - "integrity": "sha512-+akaPo6a0zpVCCseDed504KBJUQpEW5QZw7RMneNmKw+fGaML1Z9tUNLnHHAC8x6dzVRO1eB2oEMyZRnuBZg7Q==", + "version": "3.23.0", + "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.23.0.tgz", + "integrity": "sha512-az0uJ243PxsRIa2x1WmNE/pnuA05gUq/JB8Lwe1EDCCL/Fz9MgjYQ0fPlyc2Tcv6aF2ZA7WM5TWaRZVEFaAIag==", "dev": true, "optional": true, "peerDependencies": { - "zod": "^3.22.4" + "zod": "^3.23.3" } }, "node_modules/zrender": { diff --git a/frontend/src/lib/components/Forms/Score.svelte b/frontend/src/lib/components/Forms/Score.svelte index 4eead013e..bce9cc2ce 100644 --- a/frontend/src/lib/components/Forms/Score.svelte +++ b/frontend/src/lib/components/Forms/Score.svelte @@ -11,13 +11,13 @@ export let max_score = 100; export let score_step = 1; - interface ScoreDefinition { + interface ScoresDefinition { score: number; name: string; description: string; } - export let score_definition: ScoreDefinition[] = []; + export let scores_definition: ScoresDefinition[] = []; export let form: SuperForm>; const { value, errors, constraints } = formFieldProxy(form, field); @@ -71,8 +71,8 @@ >

{m.scoringHelpText()}

- {#if $isScored && score_definition && $value !== null} - {#each score_definition as definition} + {#if $isScored && scores_definition && $value !== null} + {#each scores_definition as definition} {#if definition.score === $value}

{definition.name}{definition.description ? `: ${definition.description}` : ''} diff --git a/frontend/src/lib/utils/locales.ts b/frontend/src/lib/utils/locales.ts index f4ea0d70b..50c274377 100644 --- a/frontend/src/lib/utils/locales.ts +++ b/frontend/src/lib/utils/locales.ts @@ -321,7 +321,7 @@ export function localItems(languageTag: string): LocalItems { invalidLibraryFileError: m.invalidLibraryFileError({ languageTag: languageTag }), minScore: m.minScore({ languageTag: languageTag }), maxScore: m.maxScore({ languageTag: languageTag }), - scoreDefinition: m.scoreDefinition({ languageTag: languageTag }), + scoresDefinition: m.scoresDefinition({ languageTag: languageTag }), attemptToDeleteOnlyAdminAccountError: m.attemptToDeleteOnlyAdminAccountError({ languageTag: languageTag }), diff --git a/frontend/src/routes/(app)/frameworks/[id=uuid]/+page.svelte b/frontend/src/routes/(app)/frameworks/[id=uuid]/+page.svelte index cb0b48422..dcc216f54 100644 --- a/frontend/src/routes/(app)/frameworks/[id=uuid]/+page.svelte +++ b/frontend/src/routes/(app)/frameworks/[id=uuid]/+page.svelte @@ -60,7 +60,7 @@ {#if key === 'library'} {@const itemHref = `/libraries/${value.urn}`} {value.name} - {:else if key === 'score_definition'} + {:else if key === 'scores_definition'} {#each Object.entries(value) as [key, definition]}

{definition.score}. diff --git a/frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.svelte b/frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.svelte index 070a7ec3f..812b47715 100644 --- a/frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.svelte +++ b/frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.svelte @@ -272,7 +272,7 @@ {form} min_score={data.compliance_assessment_score.min_score} max_score={data.compliance_assessment_score.max_score} - score_definition={data.compliance_assessment_score.score_definition} + scores_definition={data.compliance_assessment_score.scores_definition} field="score" label="Score" /> diff --git a/tools/README.md b/tools/README.md index e52452c10..fbaf89b7a 100644 --- a/tools/README.md +++ b/tools/README.md @@ -49,7 +49,7 @@ Conventions: - ref_id - name - description - - maturity + - implementation_groups - threats - reference_controls - annotation diff --git a/tools/aircyber/aircyber-v1.5.2.xlsx b/tools/aircyber/aircyber-v1.5.2.xlsx index cb8ee9af1..211d2bb2e 100644 Binary files a/tools/aircyber/aircyber-v1.5.2.xlsx and b/tools/aircyber/aircyber-v1.5.2.xlsx differ diff --git a/tools/aircyber/aircyber.py b/tools/aircyber/aircyber.py index b16600117..72d3ad944 100644 --- a/tools/aircyber/aircyber.py +++ b/tools/aircyber/aircyber.py @@ -1,7 +1,7 @@ -''' +""" Simple script to convert AirCyber v1.5.2 excel in a CISO Assistant Excel file Source; https://boostaerospace.com/aircyber/ -''' +""" import openpyxl import sys 
@@ -10,25 +10,26 @@ from openpyxl.styles import numbers parser = argparse.ArgumentParser( - prog='convert_aircyber', - description='convert AirCyber controls offical v1.5.2 Excel file to CISO Assistant Excel file') + prog="convert_aircyber", + description="convert AirCyber controls offical v1.5.2 Excel file to CISO Assistant Excel file", +) -parser.add_argument('filename', help='name of official AirCyber Excel file') +parser.add_argument("filename", help="name of official AirCyber Excel file") args = parser.parse_args() input_file_name = args.filename output_file_name = "aircyber-v1.5.2.xlsx" -library_copyright = '''© Boost Aerospace +library_copyright = """© Boost Aerospace This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Any commercial use of this work must be contracted with BoostAeroSpace. Permission given to include AirCyber in CISO Assistant. -''' -packager = 'intuitem' +""" +packager = "intuitem" -library_description = '''AirCyber is the AeroSpace and Defense official standard for Cybersecurity maturity evaluation and increase built by Airbus, Dassault Aviation, Safran and Thales to help the AeroSpace SupplyChain to be more resilient. +library_description = """AirCyber is the AeroSpace and Defense official standard for Cybersecurity maturity evaluation and increase built by Airbus, Dassault Aviation, Safran and Thales to help the AeroSpace SupplyChain to be more resilient. Their joint venture BoostAeroSpace is offering this extract of the AirCyber maturity level matrix to provide further details on this standard, the questions and the AirCyber maturity levels they are associated to. AirCyber program uses this maturity level matrix as the base of the cyber maturity evaluation as is the evaluation activity is the very starting point for any cyber maturity progression. 
Being aware of the problems is the mandatory very first knowledge a company shall know to decide to launch a cybersecurity company program. Source: https://boostaerospace.com/aircyber/ -''' +""" print("parsing", input_file_name) 
@@ -44,41 +45,64 @@ for row in tab: line += 1 if line > 2: - (_, question_number, question_name, question_en, question_fr, level, cmr, industrial_it, corporate_it, product, devenv, _, _) = (r.value for r in row) - if question_number[0:3] == 'Ext': + ( + _, + question_number, + question_name, + question_en, + question_fr, + level, + cmr, + industrial_it, + corporate_it, + product, + devenv, + _, + _, + ) = (r.value for r in row) + if question_number[0:3] == "Ext": if industrial_it: - question_en += '\n[Industrial IT]' + question_en += "\n[Industrial IT]" if corporate_it: - question_en += '\n[Corporate IT]' + question_en += "\n[Corporate IT]" if product: - question_en += '\n[Product]' + question_en += "\n[Product]" if devenv: - question_en += '\n[Development Environment]' - output_table.append(('x', 1, question_number, question_name, question_en)) + question_en += "\n[Development Environment]" + output_table.append( + ("x", 1, question_number, question_name, question_en, level) + ) print("generating", output_file_name) wb_output = openpyxl.Workbook() ws = wb_output.active -ws.title='library_content' -ws.append(['library_urn', f'urn:{packager.lower()}:risk:library:aircyber-v1.5.2']) -ws.append(['library_version', '1']) -ws.append(['library_locale', 'en']) -ws.append(['library_ref_id', 'AirCyber v1.5.2']) -ws.append(['library_name', 'Public AirCyber Maturity Level Matrix']) -ws.append(['library_description', library_description]) -ws.append(['library_copyright', library_copyright]) -ws.append(['library_provider', 'Boost Aerospace']) -ws.append(['library_packager', packager]) -ws.append(['framework_urn', f'urn:{packager.lower()}:risk:framework:aircyber-v1.5.2']) -ws.append(['framework_ref_id', 'AirCyber v1.5.2']) -ws.append(['framework_name', 'Public AirCyber Maturity Level Matrix']) -ws.append(['framework_description', library_description]) -ws.append(['tab', 'controls', 'requirements']) +ws.title = "library_content" +ws.append(["library_urn", 
f"urn:{packager.lower()}:risk:library:aircyber-v1.5.2"]) +ws.append(["library_version", 1]) +ws.append(["library_locale", "en"]) +ws.append(["library_ref_id", "AirCyber-v1.5.2"]) +ws.append(["library_name", "Public AirCyber Maturity Level Matrix"]) +ws.append(["library_description", library_description]) +ws.append(["library_copyright", library_copyright]) +ws.append(["library_provider", "Boost Aerospace"]) +ws.append(["library_packager", packager]) +ws.append(["framework_urn", f"urn:{packager.lower()}:risk:framework:aircyber-v1.5.2"]) +ws.append(["framework_ref_id", "AirCyber-v1.5.2"]) +ws.append(["framework_name", "Public AirCyber Maturity Level Matrix"]) +ws.append(["framework_description", library_description]) +ws.append(["tab", "controls", "requirements"]) +ws.append(["tab", "implementation_groups", "implementation_groups"]) ws1 = wb_output.create_sheet("controls") -ws1.append(['assessable', 'depth', 'ref_id', 'name', 'description']) +ws1.append(["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]) for row in output_table: ws1.append(row) +ws2 = wb_output.create_sheet("implementation_groups") +ws2.append(["ref_id", "name", "description"]) +ws2.append(["Bronze", "", ""]) +ws2.append(["Silver", "", ""]) +ws2.append(["Gold", "", ""]) + print("generate ", output_file_name) wb_output.save(output_file_name) diff --git a/tools/ccb/ccb-cff-2023-03-01.xlsx b/tools/ccb/ccb-cff-2023-03-01.xlsx new file mode 100644 index 000000000..65afa73b9 Binary files /dev/null and b/tools/ccb/ccb-cff-2023-03-01.xlsx differ diff --git a/tools/ccb/cff.xlsx b/tools/ccb/cff.xlsx deleted file mode 100644 index b3c9936c7..000000000 Binary files a/tools/ccb/cff.xlsx and /dev/null differ diff --git a/tools/ccm/convert_ccm.py b/tools/ccm/convert_ccm.py index 0200c75bd..f27204481 100644 --- a/tools/ccm/convert_ccm.py +++ b/tools/ccm/convert_ccm.py 
@@ -1,6 +1,6 @@ -''' +""" simple script to transform the official CCM Excel file to another Excel file for CISO assistant framework conversion tool -''' +""" import openpyxl import sys @@ -14,18 +14,20 @@ def pretify_content(content): stop_join = False for line in content.splitlines(): if stop_join: - res = res + '\n' + line if res else line + res = res + "\n" + line if res else line else: - res = res + ' ' + line if res else line - if line[-1] == ':': + res = res + " " + line if res else line + if line[-1] == ":": stop_join = True return res + parser = argparse.ArgumentParser( - prog='convert_ccm', - description='convert CCM controls offical Excel file to CISO Assistant Excel file') -parser.add_argument('filename', help='name of CCM controls Excel file') -parser.add_argument('packager', help='name of packager entity') + prog="convert_ccm", + description="convert CCM controls offical Excel file to CISO Assistant Excel file", +) +parser.add_argument("filename", help="name of CCM controls Excel file") +parser.add_argument("packager", help="name of packager entity") args = parser.parse_args() input_file_name = args.filename @@ -42,7 +44,7 @@ def pretify_content(content): print("parsing tab", tab.title) title = tab.title if title == "CCM": - line=0 + line = 0 eos = False for row in tab: line += 1 
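Review bot: `if line[-1] == ":"` raises IndexError on an empty line, and `content.splitlines()` yields empty strings for any blank line inside a specification cell; `if line.endswith(":"):` handles that case and reads the same. The body of `pretify_content` starts before this hunk, so I cannot see whether `content` is guarded against `None`; if it is not, `None.splitlines()` is the other failure mode for an empty cell. A one-line docstring such as `"""Re-join soft-wrapped lines of a CCM specification cell, keeping line breaks after the first line that ends in ':' (presumably a list header)."""` would also help, since the joining rule is not obvious from the loop.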
@@ -50,24 +52,24 @@ def pretify_content(content): continue (domain, title, id, specification, lite) = (r.value for r in row[0:5]) if eos: - library_copyright = domain # last line after end of standard + library_copyright = domain # last line after end of standard elif lite: - output_table.append(('x', 2, id, title, pretify_content(specification), 1 if lite else 2)) + output_table.append( + ( + "x", + 2, + id, + title, + pretify_content(specification), + "lite,full" if lite == "Yes" else "full", + ) + ) else: if "End of Standard" in domain: eos = True else: - (d, id) = domain.split(' - ') - output_table.append(('', 1, id, d, '', None)) - # if re.match(r'\d+', control): - # if not safeguard: - # safeguard_index = 0 - # output_table.append(('', 1, control, title, description)) - # else: - # safeguard_index += 1 - # safeguard = f'{control},{safeguard_index}' - # maturity = 1 if ig1 else 2 if ig2 else 3 - # output_table.append(('x', 2, safeguard, title, description, maturity)) + (d, id) = domain.split(" - ") + output_table.append(("", 1, id, d, "", None)) else: print(f"Ignored tab: {title}") 
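Review bot: `"lite,full" if lite == "Yes" else "full"` is an exact, case-sensitive comparison, so a cell holding `"yes"`, `"Yes "` or `"YES"` is silently filed as full-only instead of being rejected; normalise first, e.g. `is_lite = str(lite).strip().lower() == "yes"`, or raise `ValueError` on anything other than yes/no, since the old expression treated any non-empty cell as lite and the new one narrows that without a guard. Note also that this branch is only reached for a truthy `lite`, so a control row with an empty lite column falls through to the domain-header branch and `domain.split(" - ")`; a comment stating the assumption that every control row carries Yes/No in that column would make that dependency explicit. The `for row in tab:` loop this belongs to starts before the hunk.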
@@ -75,25 +77,32 @@ def pretify_content(content): print("generating", output_file_name) wb_output = openpyxl.Workbook() ws = wb_output.active -ws.title='library_content' -ws.append(['library_urn', f'urn:{packager.lower()}:risk:library:ccm-controls-v4']) -ws.append(['library_version', '1']) -ws.append(['library_locale', 'en']) -ws.append(['library_ref_id', 'CCM-Controls-v4']) -ws.append(['library_name', 'CCM Controls v4']) -ws.append(['library_description', 'CCM Controls v4']) -ws.append(['library_copyright', library_copyright]) -ws.append(['library_provider', 'CSA']) -ws.append(['library_packager', packager]) -ws.append(['framework_urn', f'urn:{packager.lower()}:risk:framework:ccm-controls-v4']) -ws.append(['framework_ref_id', 'CCM-Controls-v4']) -ws.append(['framework_name', 'CCM Controls v4']) -ws.append(['framework_description', 'CCM Controls v4']) -ws.append(['tab', 'controls', 'requirements']) +ws.title = "library_content" +ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:ccm-controls-v4"]) +ws.append(["library_version", "1"]) +ws.append(["library_locale", "en"]) +ws.append(["library_ref_id", "CCM-Controls-v4"]) +ws.append(["library_name", "CCM Controls v4"]) +ws.append(["library_description", "CCM Controls v4"]) +ws.append(["library_copyright", library_copyright]) +ws.append(["library_provider", "CSA"]) +ws.append(["library_packager", packager]) +ws.append(["framework_urn", f"urn:{packager.lower()}:risk:framework:ccm-controls-v4"]) +ws.append(["framework_ref_id", "CCM-Controls-v4"]) +ws.append(["framework_name", "CCM Controls v4"]) +ws.append(["framework_description", "CCM Controls v4"]) +ws.append(["tab", "controls", "requirements"]) +ws.append(["tab", "implementation_groups", "implementation_groups"]) ws1 = wb_output.create_sheet("controls") -ws1.append(['assessable', 'depth', 'ref_id', 'name', 'description', 'maturity']) +ws1.append( + ["assessable", "depth", "ref_id", "name", "description", "implementation_groups"] + ) for row in 
output_table: ws1.append(row) +ws2 = wb_output.create_sheet("implementation_groups") +ws2.append(["ref_id", "name", "description"]) +ws2.append(["lite", "foundational", "foundational controls that should be implemented by any organization, regardless of their budget, maturity and risk profile"]) +ws2.append(["full", "systematic ", "systematic assessment of a cloud implementation"]) print("generate ", output_file_name) wb_output.save(output_file_name) diff --git a/tools/cis/convert_cis.py b/tools/cis/convert_cis.py index 979d06dcb..945a10e89 100644 --- a/tools/cis/convert_cis.py +++ b/tools/cis/convert_cis.py @@ -1,6 +1,6 @@ -''' +""" simple script to transform the official CIS Excel file to another Excel file for CISO assistant framework conversion tool -''' +""" import openpyxl import sys @@ -9,10 +9,11 @@ from openpyxl.styles import numbers parser = argparse.ArgumentParser( - prog='convert_cis', - description='convert CIS controls offical Excel file to CISO Assistant Excel file') -parser.add_argument('filename', help='name of CIS controls Excel file') -parser.add_argument('packager', help='name of packager entity') + prog="convert_cis", + description="convert CIS controls offical Excel file to CISO Assistant Excel file", +) +parser.add_argument("filename", help="name of CIS controls Excel file") +parser.add_argument("packager", help="name of packager entity") args = parser.parse_args() input_file_name = args.filename 
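Review bot: `ws2.append(["full", "systematic ", "systematic assessment of a cloud implementation"])` carries a trailing space in the group name, which will surface verbatim in the generated library; it should be `"systematic"`. These two rows are also the only definition of the `lite`/`full` ref_ids and must match the strings emitted by the controls loop above (`"lite,full"` / `"full"`), so a short comment next to them saying so, e.g. `# ref_ids must match the implementation_groups values written in the CCM loop`, would keep the two from drifting apart.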
@@ -29,20 +30,24 @@ print("parsing tab", tab.title) title = tab.title if title == "License for Use": - library_copyright = tab['B11'].value + '\n' + tab['B13'].value + library_copyright = tab["B11"].value + "\n" + tab["B13"].value elif title == "Controls V8": for row in tab: - (control, safeguard, asset_type, sf, title, description, ig1, ig2, ig3) = (r.value for r in row) + (control, safeguard, asset_type, sf, title, description, ig1, ig2, ig3) = ( + r.value for r in row + ) control = str(control).strip() - if re.match(r'\d+', control): + if re.match(r"\d+", control): if not safeguard: safeguard_index = 0 - output_table.append(('', 1, control, title, description)) + output_table.append(("", 1, control, title, description)) else: safeguard_index += 1 - safeguard = f'{control},{safeguard_index}' - maturity = 1 if ig1 else 2 if ig2 else 3 - output_table.append(('x', 2, safeguard, title, description, maturity)) + safeguard = f"{control},{safeguard_index}" + implementation_groups = "IG1,IG2,IG3" if ig1 else "IG2,IG3" if ig2 else "IG3" + output_table.append( + ("x", 2, safeguard, title, description, implementation_groups) + ) else: print(f"Ignored tab: {title}") 
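Review bot: `implementation_groups = "IG1,IG2,IG3" if ig1 else "IG2,IG3" if ig2 else "IG3"` files every safeguard as IG3 when neither `ig1` nor `ig2` is set, without consulting `ig3` at all, so a row with all three columns empty (or a shifted column) is silently tagged IG3-only rather than rejected. `ig3` is unpacked from the row but never used; a guard such as `assert ig3, f"safeguard {safeguard} has no implementation group"` before the assignment would make a malformed row fail loudly. The expression encodes the nesting IG1 within IG2 within IG3, and a one-line comment saying so would explain why only two flags are consulted. The enclosing per-tab loop starts before this hunk.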
@@ -50,25 +55,33 @@ print("generating", output_file_name) wb_output = openpyxl.Workbook() ws = wb_output.active -ws.title='library_content' -ws.append(['library_urn', f'urn:{packager.lower()}:risk:library:cis-controls-v8']) -ws.append(['library_version', '1']) -ws.append(['library_locale', 'en']) -ws.append(['library_ref_id', 'CIS-Controls-v8']) -ws.append(['library_name', 'CIS Controls v8']) -ws.append(['library_description', 'CIS Controls v8']) -ws.append(['library_copyright', library_copyright]) -ws.append(['library_provider', 'CIS']) -ws.append(['library_packager', packager]) -ws.append(['framework_urn', f'urn:{packager.lower()}:risk:framework:cis-controls-v8']) -ws.append(['framework_ref_id', 'CIS-Controls-v8']) -ws.append(['framework_name', 'CIS Controls v8']) -ws.append(['framework_description', 'CIS Controls v8']) -ws.append(['tab', 'controls', 'requirements']) +ws.title = "library_content" +ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:cis-controls-v8"]) +ws.append(["library_version", "1"]) +ws.append(["library_locale", "en"]) +ws.append(["library_ref_id", "CIS-Controls-v8"]) +ws.append(["library_name", "CIS Controls v8"]) +ws.append(["library_description", "CIS Controls v8"]) +ws.append(["library_copyright", library_copyright]) +ws.append(["library_provider", "CIS"]) +ws.append(["library_packager", packager]) +ws.append(["framework_urn", f"urn:{packager.lower()}:risk:framework:cis-controls-v8"]) +ws.append(["framework_ref_id", "CIS-Controls-v8"]) +ws.append(["framework_name", "CIS Controls v8"]) +ws.append(["framework_description", "CIS Controls v8"]) +ws.append(["tab", "controls", "requirements"]) +ws.append(["tab", "implementation_groups", "implementation_groups"]) ws1 = wb_output.create_sheet("controls") -ws1.append(['assessable', 'depth', 'ref_id', 'name', 'description', 'maturity']) +ws1.append(["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]) for row in output_table: ws1.append(row) + +ws2 = 
wb_output.create_sheet("implementation_groups") +ws2.append(["ref_id", "name", "description"]) +ws2.append(["IG1", "Essential Cyber Hygiene", "Minimum standard of information security for all enterprises."]) +ws2.append(["IG2", "", "For enterprises managing IT infrastructure of multiple departments with differing risk profiles."]) +ws2.append(["IG3", "", "To secure sensitive and confidential data."]) + print("generate ", output_file_name) wb_output.save(output_file_name) diff --git a/tools/convert_framework.py b/tools/convert_framework.py index c15a44f17..6e883f014 100644 --- a/tools/convert_framework.py +++ b/tools/convert_framework.py @@ -1,28 +1,32 @@ -''' +""" simple script to transform an Excel file to a yaml library for a CISO assistant framework Conventions: | means a cell separation, <> means empty cell The first tab shall be named "library_content" and contain the description of the library in the other tabs - library_urn | - library_version | - library_locale | - library_ref_id | - library_name | - library_description | - library_copyright | - library_provider | - library_packager | - library_dependencies | - framework_ref_id | - framework_name | - framework_description | - reference_control_base_urn | | id - threat_base_urn | | id - tab | | requirements | - tab | | threats | - tab | | reference_controls | - + library_urn | + library_version | + library_locale | + library_ref_id | + library_name | + library_description | + library_copyright | + library_provider | + library_packager | + library_dependencies | + framework_ref_id | + framework_name | + framework_description | + framework_min_score | + framework_max_score | + reference_control_base_urn | | id + threat_base_urn | | id + tab | | requirements + tab | | threats | + tab | | reference_controls | + tab | | scores + tab | | implementation_groups + tab | | matrix For requirements: If no section_name is given, no upper group is defined, else an upper group (depth 0) with the section name is used. 
@@ -32,7 +36,7 @@ - ref_id - name - description - - maturity + - implementation_groups - threats - reference_controls - annotation @@ -49,7 +53,7 @@ - annotation A library has a single locale. Translated libraries have the same urns, they are merged during import. Dependencies are given as a comma or blank separated list of urns. -''' +""" import openpyxl import sys @@ -58,9 +62,27 @@ from pprint import pprint from collections import defaultdict -LIBRARY_VARS = ('library_urn', 'library_version', 'library_locale', 'library_ref_id', 'library_name', 'library_description', - 'framework_urn', 'framework_ref_id', 'framework_name', 'framework_description', 'library_copyright', - 'library_provider', 'library_packager', 'reference_control_base_urn', 'threat_base_urn', 'library_dependencies', 'tab') +LIBRARY_VARS = ( + "library_urn", + "library_version", + "library_locale", + "library_ref_id", + "library_name", + "library_description", + "framework_urn", + "framework_ref_id", + "framework_name", + "framework_description", + "framework_min_score", + "framework_max_score", + "library_copyright", + "library_provider", + "library_packager", + "reference_control_base_urn", + "threat_base_urn", + "library_dependencies", + "tab", +) library_vars = {} library_vars_dict = defaultdict(dict) library_vars_dict_reverse = defaultdict(dict) @@ -82,6 +104,9 @@ requirement_nodes = [] reference_controls = [] threats = [] +scores_definition = [] +implementation_groups_definition = [] + def error(message): print("Error:", message) 
@@ -112,40 +137,58 @@ def read_header(row): library_vars_dict[v1][str(v2)] = v3 library_vars_dict_reverse[v1][str(v3)] = v2 library_vars_dict_arg[v1][v2] = v4 - elif title not in library_vars_dict['tab']: + elif title not in library_vars_dict["tab"]: print(f"Ignored tab: {title}") - elif library_vars_dict['tab'][title] == 'requirements': + elif library_vars_dict["tab"][title] == "requirements": print("...processing requirements") - root_nodes_urn = re.sub('framework', 'req_node', library_vars['framework_urn']) + root_nodes_urn = re.sub("framework", "req_node", library_vars["framework_urn"]) current_node_urn = None current_depth = 0 parent_urn = None parent_for_depth = {} - section = library_vars_dict_arg['tab'][title] + section = library_vars_dict_arg["tab"][title] if section: - section_id = section.lower().replace(' ', '-') + section_id = section.lower().replace(" ", "-") current_node_urn = f"{root_nodes_urn}:{section_id}" - parent_for_depth[1]=current_node_urn - requirement_nodes.append({"urn": current_node_urn, "name": section, "assessable": False}) + parent_for_depth[1] = current_node_urn + requirement_nodes.append( + {"urn": current_node_urn, "name": section, "assessable": False} + ) is_header = True counter = 0 for row in tab: counter += 1 if is_header: header = read_header(row) - is_header=False - assert("assessable" in header) - assert("depth" in header) - assert("ref_id" in header) + is_header = False + assert "assessable" in header + assert "depth" in header + assert "ref_id" in header elif any([c.value for c in row]): - assessable = bool(row[header['assessable']].value) - depth = row[header['depth']].value - ref_id = str(row[header['ref_id']].value).strip() if row[header['ref_id']].value else None - name = row[header['name']].value if 'name' in header else None - description = row[header['description']].value if 'description' in header else None - annotation = row[header['annotation']].value if 'annotation' in header else None - maturity = 
row[header['maturity']].value if 'maturity' in header else None - ref_id_urn = ref_id.lower().replace(' ', '-') if ref_id else f"node{counter}" + assessable = bool(row[header["assessable"]].value) + depth = row[header["depth"]].value + ref_id = ( + str(row[header["ref_id"]].value).strip() + if row[header["ref_id"]].value + else None + ) + name = row[header["name"]].value if "name" in header else None + description = ( + row[header["description"]].value + if "description" in header + else None + ) + annotation = ( + row[header["annotation"]].value if "annotation" in header else None + ) + implementation_groups = ( + row[header["implementation_groups"]].value + if "implementation_groups" in header + else None + ) + ref_id_urn = ( + ref_id.lower().replace(" ", "-") if ref_id else f"node{counter}" + ) urn = f"{root_nodes_urn}:{ref_id_urn}" if urn in urn_unicity_checker: print("URN duplicate:", urn) @@ -153,7 +196,7 @@ def read_header(row): urn_unicity_checker.add(urn) assert type(depth) == int, f"incorrect depth for {row}" if depth == current_depth + 1: - parent_for_depth[depth]=current_node_urn + parent_for_depth[depth] = current_node_urn parent_urn = parent_for_depth[depth] elif depth <= current_depth: pass @@ -164,7 +207,7 @@ def read_header(row): current_depth = depth req_node = {"urn": urn, "assessable": assessable, "depth": depth} if parent_urn: - req_node['parent_urn'] = parent_urn + req_node["parent_urn"] = parent_urn if ref_id: req_node["ref_id"] = ref_id if name: 
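Review bot: The header checks `assert "assessable" in header` / `assert "depth" in header` / `assert "ref_id" in header` are input validation on a user-supplied spreadsheet and vanish under `python -O`; this file already has an `error()` helper, so `if "assessable" not in header: error("requirements tab needs an 'assessable' column")` keeps the check unconditional and gives a readable message instead of a bare AssertionError (the same applies to `assert type(depth) == int` further down). The new `implementation_groups` column is read as `row[header["implementation_groups"]].value` with no type check; openpyxl returns whatever the cell holds, so an integer or date cell reaches the later `.split(',')` unchanged and fails there with an unhelpful AttributeError. The tab loop this branch sits in starts before the hunk.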
@@ -173,25 +216,33 @@ def read_header(row): req_node["description"] = description if annotation: req_node["annotation"] = annotation - if maturity: - req_node["maturity"] = maturity - threats = row[header['threats']].value if 'threats' in header else None - reference_controls = row[header['reference_controls']].value if 'reference_controls' in header else None + if implementation_groups: + req_node["implementation_groups"] = implementation_groups.split(',') + threats = row[header["threats"]].value if "threats" in header else None + reference_controls = ( + row[header["reference_controls"]].value + if "reference_controls" in header + else None + ) threat_urns = [] function_urns = [] if threats: - for element in re.split(r'[\s,]+', threats): - parts = re.split(r':', element) + for element in re.split(r"[\s,]+", threats): + parts = re.split(r":", element) prefix = parts.pop(0) - part_name = ':'.join(parts) - urn_prefix = library_vars_dict_reverse['reference_control_base_urn'][prefix] + part_name = ":".join(parts) + urn_prefix = library_vars_dict_reverse[ + "reference_control_base_urn" + ][prefix] threat_urns.append(f"{urn_prefix}{part_name}") if reference_controls: - for element in re.split(r'[\s,]+', reference_controls): - parts = re.split(r':', element) + for element in re.split(r"[\s,]+", reference_controls): + parts = re.split(r":", element) prefix = parts.pop(0) - part_name = ':'.join(parts) - urn_prefix = library_vars_dict_reverse['reference_control_base_urn'][prefix] + part_name = ":".join(parts) + urn_prefix = library_vars_dict_reverse[ + "reference_control_base_urn" + ][prefix] function_urns.append(f"{urn_prefix}{part_name}") if threat_urns: req_node["threats"] = threat_urns 
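Review bot: In the `if threats:` branch the prefix is resolved with `library_vars_dict_reverse["reference_control_base_urn"][prefix]`, the same table the `if reference_controls:` branch uses; given the file declares a separate `threat_base_urn` row, this looks like a copy-paste slip and should presumably read `library_vars_dict_reverse["threat_base_urn"][prefix]`, otherwise threat references either KeyError (different prefix) or are rewritten under the control base URN (same prefix). The commit only re-quotes this line, so it is worth confirming against a library that declares both base URNs. Separately, `implementation_groups.split(',')` keeps surrounding whitespace, so a cell written `"IG1, IG2"` yields `" IG2"`, which will not match any group ref_id; use `[g.strip() for g in str(implementation_groups).split(",") if g.strip()]`. The enclosing row loop starts before this hunk.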
@@ -200,107 +251,174 @@ def read_header(row): requirement_nodes.append(req_node) else: pass - #print("empty row") - elif library_vars_dict['tab'][title] == 'reference_controls': + # print("empty row") + elif library_vars_dict["tab"][title] == "reference_controls": print("...processing reference controls") current_function = {} is_header = True - reference_controls_base_urn = library_vars['reference_control_base_urn'] + reference_controls_base_urn = library_vars["reference_control_base_urn"] for row in tab: if is_header: header = read_header(row) - is_header=False - assert("ref_id" in header) + is_header = False + assert "ref_id" in header elif any([c.value for c in row]): - ref_id = str(row[header['ref_id']].value).strip() if row[header['ref_id']].value else None - name = row[header['name']].value if 'name' in header else None - description = row[header['description']].value if 'description' in header else None - category = row[header['category']].value if 'category' in header else None - annotation = row[header['annotation']].value if 'annotation' in header else None - ref_id_urn = ref_id.lower().replace(' ', '-') + ref_id = ( + str(row[header["ref_id"]].value).strip() + if row[header["ref_id"]].value + else None + ) + name = row[header["name"]].value if "name" in header else None + description = ( + row[header["description"]].value + if "description" in header + else None + ) + category = ( + row[header["category"]].value if "category" in header else None + ) + annotation = ( + row[header["annotation"]].value if "annotation" in header else None + ) + ref_id_urn = ref_id.lower().replace(" ", "-") current_function = {} - current_function['urn'] = f"{reference_controls_base_urn}:{ref_id_urn}" - current_function['ref_id'] = ref_id + current_function["urn"] = f"{reference_controls_base_urn}:{ref_id_urn}" + current_function["ref_id"] = ref_id if name: - current_function['name'] = name + current_function["name"] = name if category: - current_function['category'] = 
category + current_function["category"] = category if description: - current_function['description'] = description + current_function["description"] = description if annotation: - current_function['annotation'] = annotation + current_function["annotation"] = annotation reference_controls.append(current_function) - elif library_vars_dict['tab'][title] == 'threats': + elif library_vars_dict["tab"][title] == "threats": print("...processing threats") current_threat = {} is_header = True - threat_base_urn = library_vars['threat_base_urn'] + threat_base_urn = library_vars["threat_base_urn"] for row in tab: if is_header: header = read_header(row) print(header) - is_header=False - assert("ref_id" in header) + is_header = False + assert "ref_id" in header elif any([c.value for c in row]): - ref_id = str(row[header['ref_id']].value).strip() if row[header['ref_id']].value else None - name = row[header['name']].value if 'name' in header else None - description = row[header['description']].value if 'description' in header else None - annotation = row[header['annotation']].value if 'annotation' in header else None - ref_id_urn = ref_id.lower().replace(' ', '-') + ref_id = ( + str(row[header["ref_id"]].value).strip() + if row[header["ref_id"]].value + else None + ) + name = row[header["name"]].value if "name" in header else None + description = ( + row[header["description"]].value + if "description" in header + else None + ) + annotation = ( + row[header["annotation"]].value if "annotation" in header else None + ) + ref_id_urn = ref_id.lower().replace(" ", "-") current_threat = {} - current_threat['urn'] = f"{threat_base_urn}:{ref_id_urn}" - current_threat['ref_id'] = ref_id + current_threat["urn"] = f"{threat_base_urn}:{ref_id_urn}" + current_threat["ref_id"] = ref_id if name: - current_threat['name'] = name + current_threat["name"] = name if description: - current_threat['description'] = description + current_threat["description"] = description if annotation: - 
current_threat['annotation'] = annotation + current_threat["annotation"] = annotation threats.append(current_threat) + elif library_vars_dict["tab"][title] == "scores": + print("...processing scores") + is_header = True + for row in tab: + if is_header: + header = read_header(row) + is_header = False + assert "score" in header + assert "name" in header + assert "description" in header + elif any([c.value for c in row]): + score = row[header["score"]].value + name = row[header["name"]].value + description = row[header["description"]].value + scores_definition.append( + {"score": score, "name": name, "description": description} + ) + elif library_vars_dict["tab"][title] == "implementation_groups": + print("...processing implementation groups") + is_header = True + for row in tab: + if is_header: + header = read_header(row) + is_header = False + assert "ref_id" in header + assert "name" in header + assert "description" in header + elif any([c.value for c in row]): + ref_id = row[header["ref_id"]].value + name = row[header["name"]].value + description = row[header["description"]].value + implementation_groups_definition.append( + {"ref_id": ref_id, "name": name, "description": description} + ) -#pprint(requirement_groups) -#pprint(requirements) -##pprint(reference_controls) -##pprint(threats) - -has_framework = 'requirements' in [library_vars_dict['tab'][x] for x in library_vars_dict['tab']] -has_reference_controls = 'reference_controls' in [library_vars_dict['tab'][x] for x in library_vars_dict['tab']] -has_threats = 'threats' in [library_vars_dict['tab'][x] for x in library_vars_dict['tab']] +has_framework = "requirements" in [ + library_vars_dict["tab"][x] for x in library_vars_dict["tab"] +] +has_reference_controls = "reference_controls" in [ + library_vars_dict["tab"][x] for x in library_vars_dict["tab"] +] +has_threats = "threats" in [ + library_vars_dict["tab"][x] for x in library_vars_dict["tab"] +] library = { - 'urn': library_vars['library_urn'], - 'locale': 
library_vars['library_locale'], - 'ref_id': library_vars['library_ref_id'], - 'name': library_vars['library_name'], - 'description': library_vars['library_description'], - 'copyright': library_vars['library_copyright'], - 'version': library_vars['library_version'], - 'provider': library_vars['library_provider'], - 'packager': library_vars['library_packager'], + "urn": library_vars["library_urn"], + "locale": library_vars["library_locale"], + "ref_id": library_vars["library_ref_id"], + "name": library_vars["library_name"], + "description": library_vars["library_description"], + "copyright": library_vars["library_copyright"], + "version": library_vars["library_version"], + "provider": library_vars["library_provider"], + "packager": library_vars["library_packager"], } -if 'library_dependencies' in library_vars: - dependencies = [x for x in re.split(r'[\s,]+', library_vars['library_dependencies'])] - library['dependencies'] = dependencies +if "library_dependencies" in library_vars: + dependencies = [ + x for x in re.split(r"[\s,]+", library_vars["library_dependencies"]) + ] + library["dependencies"] = dependencies -library['objects'] = {} +library["objects"] = {} if has_framework: - library['objects']['framework'] = { - 'urn': library_vars['framework_urn'], - 'ref_id': library_vars['framework_ref_id'], - 'name': library_vars['framework_name'], - 'description': library_vars['framework_description'], - 'requirement_nodes': requirement_nodes - } + library["objects"]["framework"] = { + "urn": library_vars["framework_urn"], + "ref_id": library_vars["framework_ref_id"], + "name": library_vars["framework_name"], + "description": library_vars["framework_description"], + } + if "framework_min_score" in library_vars: + library["objects"]["framework"]["min_score"] = library_vars["framework_min_score"] + if "framework_max_score" in library_vars: + library["objects"]["framework"]["max_score"] = library_vars["framework_max_score"] + if scores_definition: + 
library["objects"]["framework"]["scores_definition"] = scores_definition + if implementation_groups_definition: + library["objects"]["framework"]["implementation_groups_definition"] = implementation_groups_definition + library["objects"]["framework"]["requirement_nodes"] = requirement_nodes if has_reference_controls: - library['objects']['reference_controls'] = reference_controls + library["objects"]["reference_controls"] = reference_controls if has_threats: - library['objects']['threats'] = threats + library["objects"]["threats"] = threats print("generating", output_file_name) -with open(output_file_name, 'w', encoding='utf8') as file: +with open(output_file_name, "w", encoding="utf8") as file: yaml.dump(library, file, sort_keys=False) diff --git a/tools/nist/csf2-tools/csfv2.py b/tools/nist/csf2-tools/csfv2.py index 715f7950f..91e2faf54 100644 --- a/tools/nist/csf2-tools/csfv2.py +++ b/tools/nist/csf2-tools/csfv2.py @@ -19,6 +19,7 @@ wb_output = openpyxl.Workbook() ws = wb_output.active + def error(message): print("Error:", message) exit(1) @@ -33,11 +34,12 @@ def read_header(row): i += 1 return header -ws.cell(row=1, column=1, value='assessable') -ws.cell(row=1, column=2, value='depth') -ws.cell(row=1, column=3, value='ref_id') -ws.cell(row=1, column=4, value='name') -ws.cell(row=1, column=5, value='description') + +ws.cell(row=1, column=1, value="assessable") +ws.cell(row=1, column=2, value="depth") +ws.cell(row=1, column=3, value="ref_id") +ws.cell(row=1, column=4, value="name") +ws.cell(row=1, column=5, value="description") line = 2 for tab in dataframe: print("parsing tab", tab.title) @@ -47,7 +49,7 @@ def read_header(row): if any([r.value for r in row]): (v1, v2, v3, v4) = (r.value for r in row[0:4]) if v1: - if ':' in v1: + if ":" in v1: print(v1) q = re.match("(\w+) \((\w+)\): (.*)", v1) function_name = q.group(1) 
@@ -59,29 +61,28 @@ def read_header(row): ws.cell(row=line, column=5, value=function_description) line += 1 elif v2: - q = re.match("([\w\s,]+) \((\w+.\w+)\): (.*)", v2) - category_name = q.group(1) - category_id = q.group(2) - category_description = q.group(3) - ws.cell(row=line, column=2, value=2) - ws.cell(row=line, column=3, value=category_id) - ws.cell(row=line, column=4, value=category_name) - ws.cell(row=line, column=5, value=category_description) - line += 1 + q = re.match("([\w\s,]+) \((\w+.\w+)\): (.*)", v2) + category_name = q.group(1) + category_id = q.group(2) + category_description = q.group(3) + ws.cell(row=line, column=2, value=2) + ws.cell(row=line, column=3, value=category_id) + ws.cell(row=line, column=4, value=category_name) + ws.cell(row=line, column=5, value=category_description) + line += 1 elif v3: - q = re.match("(\w+.\w+-\d+): (.*)", v3) - subcategory_id = q.group(1) - subcategory_description = q.group(2) - ws.cell(row=line, column=1, value='x') - ws.cell(row=line, column=2, value=3) - ws.cell(row=line, column=3, value=subcategory_id) - ws.cell(row=line, column=5, value=subcategory_description) - line += 1 - ws.cell(row=line, column=2, value=4) - ws.cell(row=line, column=4, value='Examples') - ws.cell(row=line, column=5, value=v4) - line += 1 - + q = re.match("(\w+.\w+-\d+): (.*)", v3) + subcategory_id = q.group(1) + subcategory_description = q.group(2) + ws.cell(row=line, column=1, value="x") + ws.cell(row=line, column=2, value=3) + ws.cell(row=line, column=3, value=subcategory_id) + ws.cell(row=line, column=5, value=subcategory_description) + line += 1 + ws.cell(row=line, column=2, value=4) + ws.cell(row=line, column=4, value="Examples") + ws.cell(row=line, column=5, value=v4) + line += 1 -wb_output.save('nist_csf-2.0-en.xlsx') +wb_output.save("nist_csf-2.0-en.xlsx") 
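Review bot: The regex patterns re-added on the new side of this hunk, `q = re.match("([\w\s,]+) \((\w+.\w+)\): (.*)", v2)` and `q = re.match("(\w+.\w+-\d+): (.*)", v3)`, are plain (non-raw) string literals containing `\(`, `\w`, `\s` and `\d`, which are invalid escape sequences in Python — a SyntaxWarning on 3.12+ and a DeprecationWarning earlier — so they should be prefixed with `r` (`re.match(r"([\w\s,]+) \((\w+.\w+)\): (.*)", v2)`). Neither match result is checked before `q.group(...)`, so an unexpected row in the input workbook fails with an opaque `AttributeError: 'NoneType' object has no attribute 'group'`; since the file already defines `error(message)` (visible in the earlier hunk of this file), a guard such as `if q is None: error(f"unexpected category line: {v2!r}")` before each `.group()` call would make the failure actionable. The unescaped `.` in `(\w+.\w+)` matches any single character, which presumably is meant to be a literal dot (`\.`) for ids like `GV.OC` — worth confirming against the source spreadsheet. The enclosing `for tab in dataframe` loop starts before this hunk.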
diff --git a/tools/nist/nist-csf-2.0.xlsx b/tools/nist/nist-csf-2.0.xlsx new file mode 100644 index 000000000..576c02764 Binary files /dev/null and b/tools/nist/nist-csf-2.0.xlsx differ diff --git a/tools/nist/nist_csf-2.0-en.xlsx b/tools/nist/nist_csf-2.0-en.xlsx deleted file mode 100644 index 850428a2e..000000000 Binary files a/tools/nist/nist_csf-2.0-en.xlsx and /dev/null differ diff --git a/tools/nist/nist_csf-2.0-en.yaml b/tools/nist/nist_csf-2.0-en.yaml deleted file mode 100644 index 6452a17c4..000000000 --- a/tools/nist/nist_csf-2.0-en.yaml +++ /dev/null 
@@ -1,2779 +0,0 @@ -urn: urn:intuitem:risk:library:nist-csf-2.0 -locale: en -ref_id: NIST-CSF-2.0 -name: NIST CSF version 2.0 -description: National Institute of Standards and Technology - Cybersecurity Framework -copyright: With the exception of material marked as copyrighted, information presented - on NIST sites are considered public information and may be distributed or copied. -version: 1 -provider: NIST -packager: intuitem -objects: - framework: - urn: urn:intuitem:risk:framework:nist-csf-2.0 - ref_id: NIST-CSF-2.0 - name: NIST CSF v2.0 - description: NIST Cybersecurity Framework - requirement_nodes: - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - assessable: false - depth: 1 - ref_id: GV - name: GOVERN - description: The organization's cybersecurity risk management strategy, expectations, - and policy are established, communicated, and monitored - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.OC - name: Organizational Context - description: The circumstances - mission, stakeholder expectations, dependencies, - and legal, regulatory, and contractual requirements - surrounding the organization's - cybersecurity risk management decisions are understood - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-01 - description: The organizational mission is understood and informs cybersecurity - risk management - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node5 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Share the organization''s mission (e.g., through vision and mission statements, - marketing, and service strategies) to provide a basis for identifying risks - that may impede that mission' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-02 - description: Internal and external stakeholders are understood, and their needs - and expectations regarding cybersecurity risk management are understood and - considered - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node7 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Identify relevant internal stakeholders and their cybersecurity-related - expectations (e.g., performance and risk expectations of officers, directors, - and advisors; cultural expectations of employees) - - Ex2: Identify relevant external stakeholders and their cybersecurity-related - expectations (e.g., privacy expectations of customers, business expectations - of partnerships, compliance expectations of regulators, ethics expectations - of society)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-03 - description: Legal, regulatory, and contractual requirements regarding cybersecurity - - including privacy and civil liberties obligations - are understood and managed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node9 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Determine a process to track and manage legal and regulatory requirements - regarding protection of individuals'' information (e.g., Health Insurance - Portability and Accountability Act, California Consumer Privacy Act, General - Data Protection Regulation) - - Ex2: Determine a process to track and manage contractual requirements for - cybersecurity management of supplier, customer, and partner 
information - - Ex3: Align the organization''s cybersecurity strategy with legal, regulatory, - and contractual requirements' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-04 - description: Critical objectives, capabilities, and services that stakeholders - depend on or expect from the organization are understood and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node11 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-04 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Establish criteria for determining the criticality of capabilities and - services as viewed by internal and external stakeholders - - Ex2: Determine (e.g., from a business impact analysis) assets and business - operations that are vital to achieving mission objectives and the potential - impact of a loss (or partial loss) of such operations - - Ex3: Establish and communicate resilience objectives (e.g., recovery time - objectives) for delivering critical capabilities and services in various operating - states (e.g., under attack, during recovery, normal operation)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc - ref_id: GV.OC-05 - description: Outcomes, capabilities, and services that the organization depends - on are understood and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node13 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.oc-05 - name: Examples - description: 'Ex1: Create an inventory of the organization''s dependencies on - external resources (e.g., facilities, cloud-based hosting providers) and their - relationships to organizational assets and business functions - - Ex2: Identify and document external dependencies that are 
potential points - of failure for the organization''s critical capabilities and services, and - share that information with appropriate personnel - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.RM - name: Risk Management Strategy - description: The organization's priorities, constraints, risk tolerance and - appetite statements, and assumptions are established, communicated, and used - to support operational risk decisions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-01 - description: Risk management objectives are established and agreed to by organizational - stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node16 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Update near-term and long-term cybersecurity risk management objectives - as part of annual strategic planning and when major changes occur - - Ex2: Establish measurable objectives for cybersecurity risk management (e.g., - manage the quality of user training, ensure adequate risk protection for industrial - control systems) - - Ex3: Senior leaders agree about cybersecurity objectives and use them for - measuring and managing risk and performance' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-02 - description: Risk appetite and risk tolerance statements are established, communicated, - and maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node18 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - 
- Ex1: Determine and communicate risk appetite statements that convey expectations - about the appropriate level of risk for the organization - - Ex2: Translate risk appetite statements into specific, measurable, and broadly - understandable risk tolerance statements - - Ex3: Refine organizational objectives and risk appetite periodically based - on known risk exposure and residual risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-03 - description: Cybersecurity risk management activities and outcomes are included - in enterprise risk management processes - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node20 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Aggregate and manage cybersecurity risks alongside other enterprise risks - (e.g., compliance, financial, operational, regulatory, reputational, safety) - - Ex2: Include cybersecurity risk managers in enterprise risk management planning - - Ex3: Establish criteria for escalating cybersecurity risks within enterprise - risk management' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-04 - description: Strategic direction that describes appropriate risk response options - is established and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node22 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Specify criteria for accepting and avoiding cybersecurity risk for various - classifications of data - - Ex2: Determine whether to purchase cybersecurity insurance - - Ex3: Document conditions under which shared responsibility models are acceptable - (e.g., outsourcing 
certain cybersecurity functions, having a third party perform - financial transactions on behalf of the organization, using public cloud-based - services)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-05 - description: Lines of communication across the organization are established - for cybersecurity risks, including risks from suppliers and other third parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node24 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-05 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Determine how to update senior executives, directors, and management - on the organization''s cybersecurity posture at agreed-upon intervals - - Ex2: Identify how all departments across the organization - such as management, - operations, internal auditors, legal, acquisition, physical security, and - HR - will communicate with each other about cybersecurity risks' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-06 - description: A standardized method for calculating, documenting, categorizing, - and prioritizing cybersecurity risks is established and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node26 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Establish criteria for using a quantitative approach to cybersecurity - risk analysis, and specify probability and exposure formulas - - Ex2: Create and use templates (e.g., a risk register) to document cybersecurity - risk information (e.g., risk description, exposure, treatment, and ownership) - - Ex3: Establish criteria for risk prioritization at the appropriate levels - 
within the enterprise - - Ex4: Use a consistent list of risk categories to support integrating, aggregating, - and comparing cybersecurity risks' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm - ref_id: GV.RM-07 - description: Strategic opportunities (i.e., positive risks) are characterized - and are included in organizational cybersecurity risk discussions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node28 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rm-07 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Define and communicate guidance and methods for identifying opportunities - and including them in risk discussions (e.g., strengths, weaknesses, opportunities, - and threats [SWOT] analysis) - - Ex2: Identify stretch goals and document them - - Ex3: Calculate, document, and prioritize positive risks alongside negative - risks' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.RR - name: Roles, Responsibilities, and Authorities - description: Cybersecurity roles, responsibilities, and authorities to foster - accountability, performance assessment, and continuous improvement are established - and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-01 - description: Organizational leadership is responsible and accountable for cybersecurity - risk and fosters a culture that is risk-aware, ethical, and continually improving - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node31 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Leaders (e.g., directors) agree on their roles and 
responsibilities in - developing, implementing, and assessing the organization''s cybersecurity - strategy - - Ex2: Share leaders'' expectations regarding a secure and ethical culture, - especially when current events present the opportunity to highlight positive - or negative examples of cybersecurity risk management - - Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk - strategy and review and update it at least annually and after major events - - Ex4: Conduct reviews to ensure adequate authority and coordination among those - responsible for managing cybersecurity risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-02 - description: Roles, responsibilities, and authorities related to cybersecurity - risk management are established, communicated, understood, and enforced - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node33 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Document risk management roles and responsibilities in policy - - Ex2: Document who is responsible and accountable for cybersecurity risk management - activities and how those teams and individuals are to be consulted and informed - - Ex3: Include cybersecurity responsibilities and performance requirements in - personnel descriptions - - Ex4: Document performance goals for personnel with cybersecurity risk management - responsibilities, and periodically measure performance to identify areas for - improvement - - Ex5: Clearly articulate cybersecurity responsibilities within operations, - risk functions, and internal audit functions' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-03 - description: Adequate resources are allocated 
commensurate with the cybersecurity - risk strategy, roles, responsibilities, and policies - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node35 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Conduct periodic management reviews to ensure that those given cybersecurity - risk management responsibilities have the necessary authority - - Ex2: Identify resource allocation and investment in line with risk tolerance - and response - - Ex3: Provide adequate and sufficient people, process, and technical resources - to support the cybersecurity strategy' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr - ref_id: GV.RR-04 - description: Cybersecurity is included in human resources practices - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node37 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.rr-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Integrate cybersecurity risk management considerations into human resources - processes (e.g., personnel screening, onboarding, change notification, offboarding) - - Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, - and retention decisions - - Ex3: Conduct background checks prior to onboarding new personnel for sensitive - roles, and periodically repeat background checks for personnel with such roles - - Ex4: Define and enforce obligations for personnel to be aware of, adhere to, - and uphold security policies as they relate to their roles' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.PO - name: Policy - description: Organizational cybersecurity policy is established, communicated, - and enforced - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po - ref_id: GV.PO-01 - description: Policy for managing cybersecurity risks is established based on - organizational context, cybersecurity strategy, and priorities and is communicated - and enforced - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node40 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Create, disseminate, and maintain an understandable, usable risk management - policy with statements of management intent, expectations, and direction - - Ex2: Periodically review policy and supporting processes and procedures to - ensure that they align with risk management strategy objectives and priorities, - as well as the high-level direction of the cybersecurity policy - - Ex3: Require approval from senior management on policy - - Ex4: Communicate cybersecurity risk management policy and supporting processes - and procedures across the organization - - Ex5: Require personnel to acknowledge receipt of policy when first hired, - annually, and whenever policy is updated' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po - ref_id: GV.PO-02 - description: Policy for managing cybersecurity risks is reviewed, updated, communicated, - and enforced to reflect changes in requirements, threats, technology, and - organizational mission - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node42 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.po-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Update policy based on periodic reviews of cybersecurity risk management - results to ensure that policy and supporting processes and procedures adequately - maintain risk at an acceptable level - 
- Ex2: Provide a timeline for reviewing changes to the organization''s risk - environment (e.g., changes in risk or in the organization''s mission objectives), - and communicate recommended policy updates - - Ex3: Update policy to reflect changes in legal and regulatory requirements - - Ex4: Update policy to reflect changes in technology (e.g., adoption of artificial - intelligence) and changes to the business (e.g., acquisition of a new business, - new contract requirements)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.OV - name: Oversight - description: Results of organization-wide cybersecurity risk management activities - and performance are used to inform, improve, and adjust the risk management - strategy - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - ref_id: GV.OV-01 - description: Cybersecurity risk management strategy outcomes are reviewed to - inform and adjust strategy and direction - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node45 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Measure how well the risk management strategy and risk results have helped - leaders make decisions and achieve organizational objectives - - Ex2: Examine whether cybersecurity risk strategies that impede operations - or innovation should be adjusted' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - ref_id: GV.OV-02 - description: The cybersecurity risk management strategy is reviewed and adjusted - to ensure coverage of organizational requirements and risks - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node47 - assessable: false - depth: 4 - parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review audit findings to confirm whether the existing cybersecurity strategy - has ensured compliance with internal and external requirements - - Ex2: Review the performance oversight of those in cybersecurity-related roles - to determine whether policy changes are necessary - - Ex3: Review strategy in light of cybersecurity incidents' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov - ref_id: GV.OV-03 - description: Organizational cybersecurity risk management performance is evaluated - and reviewed for adjustments needed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node49 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.ov-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review key performance indicators (KPIs) to ensure that organization-wide - policies and procedures achieve objectives - - Ex2: Review key risk indicators (KRIs) to identify risks the organization - faces, including likelihood and potential impact - - Ex3: Collect and communicate metrics on cybersecurity risk management with - senior leadership' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv - ref_id: GV.SC - name: Cybersecurity Supply Chain Risk Management - description: Cyber supply chain risk management processes are identified, established, - managed, monitored, and improved by organizational stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-01 - description: A cybersecurity supply chain risk management program, strategy, - objectives, policies, and processes are established and agreed to by organizational - 
stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node52 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-01 - name: Examples - description: 'Ex1: Establish a strategy that expresses the objectives of the - cybersecurity supply chain risk management program - - Ex2: Develop the cybersecurity supply chain risk management program, including - a plan (with milestones), policies, and procedures that guide implementation - and improvement of the program, and share the policies and procedures with - the organizational stakeholders - - Ex3: Develop and implement program processes based on the strategy, objectives, - policies, and procedures that are agreed upon and performed by the organizational - stakeholders - - Ex4: Establish a cross-organizational mechanism that ensures alignment between - functions that contribute to cybersecurity supply chain risk management, such - as cybersecurity, IT, operations, legal, human resources, and engineering - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-02 - description: Cybersecurity roles and responsibilities for suppliers, customers, - and partners are established, communicated, and coordinated internally and - externally - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node54 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-02 - name: Examples - description: 'Ex1: Identify one or more specific roles or positions that will - be responsible and accountable for planning, resourcing, and executing cybersecurity - supply chain risk management activities - - Ex2: Document cybersecurity supply chain risk management roles and responsibilities - in policy - - Ex3: Create responsibility matrixes to document who will be responsible and - accountable for cybersecurity supply chain risk management activities 
and - how those teams and individuals will be consulted and informed - - Ex4: Include cybersecurity supply chain risk management responsibilities and - performance requirements in personnel descriptions to ensure clarity and improve - accountability - - Ex5: Document performance goals for personnel with cybersecurity risk management-specific - responsibilities, and periodically measure them to demonstrate and improve - performance - - Ex6: Develop roles and responsibilities for suppliers, customers, and business - partners to address shared responsibilities for applicable cybersecurity risks, - and integrate them into organizational policies and applicable third-party - agreements - - Ex7: Internally communicate cybersecurity supply chain risk management roles - and responsibilities for third parties - - Ex8: Establish rules and protocols for information sharing and reporting processes - between the organization and its suppliers - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-03 - description: Cybersecurity supply chain risk management is integrated into cybersecurity - and enterprise risk management, risk assessment, and improvement processes - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node56 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-03 - name: Examples - description: 'Ex1: Identify areas of alignment and overlap with cybersecurity - and enterprise risk management - - Ex2: Establish integrated control sets for cybersecurity risk management and - cybersecurity supply chain risk management - - Ex3: Integrate cybersecurity supply chain risk management into improvement - processes - - Ex4: Escalate material cybersecurity risks in supply chains to senior management, - and address them at the enterprise risk management level - - 3rd: 3rd Party Risk' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-04 - description: Suppliers are known and prioritized by criticality - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node58 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-04 - name: Examples - description: 'Ex1: Develop criteria for supplier criticality based on, for example, - the sensitivity of data processed or possessed by suppliers, the degree of - access to the organization''s systems, and the importance of the products - or services to the organization''s mission - - Ex2: Keep a record of all suppliers, and prioritize suppliers based on the - criticality criteria - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-05 - description: Requirements to address cybersecurity risks in supply chains are - established, prioritized, and integrated into contracts and other types of - agreements with suppliers and other relevant third parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node60 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-05 - name: Examples - description: 'Ex1: Establish security requirements for suppliers, products, - and services commensurate with their criticality level and potential impact - if compromised - - Ex2: Include all cybersecurity and supply chain requirements that third parties - must follow and how compliance with the requirements may be verified in default - contractual language - - Ex3: Define the rules and protocols for information sharing between the organization - and its suppliers and sub-tier suppliers in agreements - - Ex4: Manage risk by including security requirements in agreements based on - their criticality and potential impact if compromised - 
- Ex5: Define security requirements in service-level agreements (SLAs) for monitoring - suppliers for acceptable security performance throughout the supplier relationship - lifecycle - - Ex6: Contractually require suppliers to disclose cybersecurity features, functions, - and vulnerabilities of their products and services for the life of the product - or the term of service - - Ex7: Contractually require suppliers to provide and maintain a current component - inventory (e.g., software or hardware bill of materials) for critical products - - Ex8: Contractually require suppliers to vet their employees and guard against - insider threats - - Ex9: Contractually require suppliers to provide evidence of performing acceptable - security practices through, for example, self-attestation, conformance to - known standards, certifications, or inspections - - Ex10: Specify in contracts and other agreements the rights and responsibilities - of the organization, its suppliers, and their supply chains, with respect - to potential cybersecurity risks - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-06 - description: Planning and due diligence are performed to reduce risks before - entering into formal supplier or other third-party relationships - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node62 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-06 - name: Examples - description: 'Ex1: Perform thorough due diligence on prospective suppliers that - is consistent with procurement planning and commensurate with the level of - risk, criticality, and complexity of each supplier relationship - - Ex2: Assess the suitability of the technology and cybersecurity capabilities - and the risk management practices of prospective suppliers - - Ex3: Conduct supplier risk assessments against business and applicable 
cybersecurity - requirements - - Ex4: Assess the authenticity, integrity, and security of critical products - prior to acquisition and use - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-07 - description: The risks posed by a supplier, their products and services, and - other third parties are understood, recorded, prioritized, assessed, responded - to, and monitored over the course of the relationship - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node64 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-07 - name: Examples - description: 'Ex1: Adjust assessment formats and frequencies based on the third - party''s reputation and the criticality of the products or services they provide - - Ex2: Evaluate third parties'' evidence of compliance with contractual cybersecurity - requirements, such as self-attestations, warranties, certifications, and other - artifacts - - Ex3: Monitor critical suppliers to ensure that they are fulfilling their security - obligations throughout the supplier relationship lifecycle using a variety - of methods and techniques, such as inspections, audits, tests, or other forms - of evaluation - - Ex4: Monitor critical suppliers, services, and products for changes to their - risk profiles, and reevaluate supplier criticality and risk impact accordingly - - Ex5: Plan for unexpected supplier and supply chain-related interruptions to - ensure business continuity - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-08 - description: Relevant suppliers and other third parties are included in incident - planning, response, and recovery activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node66 - assessable: false - depth: 4 - 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-08 - name: Examples - description: 'Ex1: Define and use rules and protocols for reporting incident - response and recovery activities and the status between the organization and - its suppliers - - Ex2: Identify and document the roles and responsibilities of the organization - and its suppliers for incident response - - Ex3: Include critical suppliers in incident response exercises and simulations - - Ex4: Define and coordinate crisis communication methods and protocols between - the organization and its critical suppliers - - Ex5: Conduct collaborative lessons learned sessions with critical suppliers - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-09 - description: Supply chain security practices are integrated into cybersecurity - and enterprise risk management programs, and their performance is monitored - throughout the technology product and service life cycle - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node68 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-09 - name: Examples - description: 'Ex1: Policies and procedures require provenance records for all - acquired technology products and services - - Ex2: Periodically provide risk reporting to leaders about how acquired components - are proven to be untampered and authentic - - Ex3: Communicate regularly among cybersecurity risk managers and operations - personnel about the need to acquire software patches, updates, and upgrades - only from authenticated and trustworthy software providers - - Ex4: Review policies to ensure that they require approved supplier personnel - to perform maintenance on supplier products - - Ex5: Policies and procedure require checking upgrades to critical hardware - for unauthorized changes - - 3rd: 3rd Party Risk' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc - ref_id: GV.SC-10 - description: Cybersecurity supply chain risk management plans include provisions - for activities that occur after the conclusion of a partnership or service - agreement - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node70 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:gv.sc-10 - name: Examples - description: 'Ex1: Establish processes for terminating critical relationships - under both normal and adverse circumstances - - Ex2: Define and implement plans for component end-of-life maintenance support - and obsolescence - - Ex3: Verify that supplier access to organization resources is deactivated - promptly when it is no longer needed - - Ex4: Verify that assets containing the organization''s data are returned or - properly disposed of in a timely, controlled, and safe manner - - Ex5: Develop and execute a plan for terminating or transitioning supplier - relationships that takes supply chain security risk and resiliency into account - - Ex6: Mitigate risks to data and systems created by supplier termination - - Ex7: Manage data leakage risks associated with supplier termination - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - assessable: false - depth: 1 - ref_id: ID - name: IDENTIFY - description: The organization's current cybersecurity risks are understood - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - ref_id: ID.AM - name: Asset Management - description: Assets (e.g., data, hardware, software, systems, facilities, services, - people) that enable the organization to achieve business purposes are identified - and managed consistent with their relative importance to organizational objectives - and the organization's risk strategy - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-01 - description: Inventories of hardware managed by the organization are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node74 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, - and mobile devices - - Ex2: Constantly monitor networks to detect new hardware and automatically - update inventories' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-02 - description: Inventories of software, services, and systems managed by the organization - are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node76 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Maintain inventories for all types of software and services, including - commercial-off-the-shelf, open-source, custom applications, API services, - and cloud-based applications and services - - Ex2: Constantly monitor all platforms, including containers and virtual machines, - for software and service inventory changes - - Ex3: Maintain an inventory of the organization''s systems' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-03 - description: Representations of the organization's authorized network communication - and internal and external network data flows are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node78 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-03 - name: Examples - 
description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Maintain baselines of communication and data flows within the organization''s - wired and wireless networks - - Ex2: Maintain baselines of communication and data flows between the organization - and third parties - - Ex3: Maintain baselines of communication and data flows for the organization''s - infrastructure-as-a-service (IaaS) usage - - Ex4: Maintain documentation of expected network ports, protocols, and services - that are typically used among authorized systems' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-04 - description: Inventories of services provided by suppliers are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node80 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-04 - name: Examples - description: 'Ex1: Inventory all external services used by the organization, - including third-party infrastructure-as-a-service (IaaS), platform-as-a-service - (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally - hosted application services - - Ex2: Update the inventory when a new external service is going to be utilized - to ensure adequate cybersecurity risk management monitoring of the organization''s - use of that service - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-05 - description: Assets are prioritized based on classification, criticality, resources, - and impact on the mission - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node82 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Define criteria for prioritizing each class of assets - - Ex2: 
Apply the prioritization criteria to assets - - Ex3: Track the asset priorities and update them periodically or when significant - changes to the organization occur' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-07 - description: Inventories of data and corresponding metadata for designated data - types are maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node84 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-07 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Maintain a list of the designated data types of interest (e.g., personally - identifiable information, protected health information, financial account - numbers, organization intellectual property, operational technology data) - - Ex2: Continuously discover and analyze ad hoc data to identify new instances - of designated data types - - Ex3: Assign data classifications to designated data types through tags or - labels - - Ex4: Track the provenance, data owner, and geolocation of each instance of - designated data types' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am - ref_id: ID.AM-08 - description: Systems, hardware, software, services, and data are managed throughout - their life cycles - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node86 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.am-08 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Integrate cybersecurity considerations throughout the life cycles of - systems, hardware, software, and services - - Ex2: Integrate cybersecurity considerations into product life cycles - - Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., - shadow IT) - - Ex4: Periodically identify 
redundant systems, hardware, software, and services - that unnecessarily increase the organization''s attack surface - - Ex5: Properly configure and secure systems, hardware, software, and services - prior to their deployment in production - - Ex6: Update inventories when systems, hardware, software, and services are - moved or transferred within the organization - - Ex7: Securely destroy stored data based on the organization''s data retention - policy using the prescribed destruction method, and keep and manage a record - of the destructions - - Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, - reassigned, or sent for repairs or replacement - - Ex9: Offer methods for destroying paper, storage media, and other physical - forms of data storage' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - ref_id: ID.RA - name: Risk Assessment - description: The cybersecurity risk to the organization, assets, and individuals - is understood by the organization - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-01 - description: Vulnerabilities in assets are identified, validated, and recorded - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node89 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use vulnerability management technologies to identify unpatched and misconfigured - software - - Ex2: Assess network and system architectures for design and implementation - weaknesses that affect cybersecurity - - Ex3: Review, analyze, or test organization-developed software to identify - design, coding, and default configuration vulnerabilities - - Ex4: Assess facilities that house critical computing assets for physical vulnerabilities - and 
resilience issues - - Ex5: Monitor sources of cyber threat intelligence for information on new vulnerabilities - in products and services - - Ex6: Review processes and procedures for weaknesses that could be exploited - to affect cybersecurity' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-02 - description: Cyber threat intelligence is received from information sharing - forums and sources - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node91 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Configure cybersecurity tools and technologies with detection or response - capabilities to securely ingest cyber threat intelligence feeds - - Ex2: Receive and review advisories from reputable third parties on current - threat actors and their tactics, techniques, and procedures (TTPs) - - Ex3: Monitor sources of cyber threat intelligence for information on the types - of vulnerabilities that emerging technologies may have' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-03 - description: Internal and external threats to the organization are identified - and recorded - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node93 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Use cyber threat intelligence to maintain awareness of the types of threat - actors likely to target the organization and the TTPs they are likely to use - - Ex2: Perform threat hunting to look for signs of threat actors within the - environment - - Ex3: Implement processes for identifying internal threat actors' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-04 - description: Potential impacts and likelihoods of threats exploiting vulnerabilities - are identified and recorded - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node95 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Business leaders and cybersecurity risk management practitioners work - together to estimate the likelihood and impact of risk scenarios and record - them in risk registers - - Ex2: Enumerate the potential business impacts of unauthorized access to the - organization''s communications, systems, and data processed in or by those - systems - - Ex3: Account for the potential impacts of cascading failures for systems of - systems' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-05 - description: Threats, vulnerabilities, likelihoods, and impacts are used to - understand inherent risk and inform risk response prioritization - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node97 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Develop threat models to better understand risks to the data and identify - appropriate risk responses - - Ex2: Prioritize cybersecurity resource allocations and investments based on - estimated likelihoods and impacts' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-06 - description: Risk responses are chosen, prioritized, planned, tracked, and communicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node99 - assessable: false - 
depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Apply the vulnerability management plan''s criteria for deciding whether - to accept, transfer, mitigate, or avoid risk - - Ex2: Apply the vulnerability management plan''s criteria for selecting compensating - controls to mitigate risk - - Ex3: Track the progress of risk response implementation (e.g., plan of action - and milestones [POA&M], risk register, risk detail report) - - Ex4: Use risk assessment findings to inform risk response decisions and actions - - Ex5: Communicate planned risk responses to affected stakeholders in priority - order' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-07 - description: Changes and exceptions are managed, assessed for risk impact, recorded, - and tracked - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node101 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-07 - name: Examples - description: 'Ex1: Implement and follow procedures for the formal documentation, - review, testing, and approval of proposed changes and requested exceptions - - Ex2: Document the possible risks of making or not making each proposed change, - and provide guidance on rolling back changes - - Ex3: Document the risks related to each requested exception and the plan for - responding to those risks - - Ex4: Periodically review risks that were accepted based upon planned future - actions or milestones' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-08 - description: Processes for receiving, analyzing, and responding to vulnerability - disclosures are established - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node103 - assessable: false - depth: 4 - 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-08 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Conduct vulnerability information sharing between the organization and - its suppliers following the rules and protocols defined in contracts - - Ex2: Assign responsibilities and verify the execution of procedures for processing, - analyzing the impact of, and responding to cybersecurity threat, vulnerability, - or incident disclosures by suppliers, customers, partners, and government - cybersecurity organizations' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-09 - description: The authenticity and integrity of hardware and software are assessed - prior to acquisition and use - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node105 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-09 - name: Examples - description: 'Ex1: Assess the authenticity and cybersecurity of critical technology - products and services prior to acquisition and use - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra - ref_id: ID.RA-10 - description: Critical suppliers are assessed prior to acquisition - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node107 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.ra-10 - name: Examples - description: 'Ex1: Conduct supplier risk assessments against business and applicable - cybersecurity requirements, including the supply chain' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id - ref_id: ID.IM - name: Improvement - description: Improvements to organizational cybersecurity risk management processes, - 
procedures and activities are identified across all CSF Functions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-01 - description: Improvements are identified from evaluations - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node110 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Perform self-assessments of critical services that take current threats - and TTPs into consideration - - Ex2: Invest in third-party assessments or independent audits of the effectiveness - of the organization''s cybersecurity program to identify areas that need improvement - - Ex3: Constantly evaluate compliance with selected cybersecurity requirements - through automated means' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-02 - description: Improvements are identified from security tests and exercises, - including those done in coordination with suppliers and relevant third parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node112 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Identify improvements for future incident response activities based on - findings from incident response assessments (e.g., tabletop exercises and - simulations, tests, internal reviews, independent audits) - - Ex2: Identify improvements for future business continuity, disaster recovery, - and incident response activities based on exercises performed in coordination - with critical service providers and product suppliers - - Ex3: Involve internal stakeholders (e.g., senior executives, legal department, - HR) in security tests and exercises 
as appropriate - - Ex4: Perform penetration testing to identify opportunities to improve the - security posture of selected high-risk systems as approved by leadership - - Ex5: Exercise contingency plans for responding to and recovering from the - discovery that products or services did not originate with the contracted - supplier or partner or were altered before receipt - - Ex6: Collect and analyze performance metrics using security tools and services - to inform improvements to the cybersecurity program' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-03 - description: Improvements are identified from execution of operational processes, - procedures, and activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node114 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Conduct collaborative lessons learned sessions with suppliers - - Ex2: Annually review cybersecurity policies, processes, and procedures to - take lessons learned into account - - Ex3: Use metrics to assess operational cybersecurity performance over time' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im - ref_id: ID.IM-04 - description: Incident response plans and other cybersecurity plans that affect - operations are established, communicated, maintained, and improved - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node116 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:id.im-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Establish contingency plans (e.g., incident response, business continuity, - disaster recovery) for responding to and recovering from adverse events that - can interfere with operations, expose confidential 
information, or otherwise - endanger the organization''s mission and viability - - Ex2: Include contact and communication information, processes for handling - common scenarios, and criteria for prioritization, escalation, and elevation - in all contingency plans - - Ex3: Create a vulnerability management plan to identify and assess all types - of vulnerabilities and to prioritize, test, and implement risk responses - - Ex4: Communicate cybersecurity plans (including updates) to those responsible - for carrying them out and to affected parties - - Ex5: Review and update all cybersecurity plans annually or when a need for - significant improvements is identified' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - assessable: false - depth: 1 - ref_id: PR - name: PROTECT - description: Safeguards to manage the organization's cybersecurity risks are - used - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.AA - name: Identity Management, Authentication, and Access Control - description: Access to physical and logical assets is limited to authorized - users, services, and hardware and managed commensurate with the assessed - risk of unauthorized access - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-01 - description: Identities and credentials for authorized users, services, and - hardware are managed by the organization - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node120 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Initiate requests for new access or additional access for employees, - contractors, and others, and track, review, and fulfill the requests, with - permission from system or data owners when needed - - Ex2: Issue, manage, 
and revoke cryptographic certificates and identity tokens, - cryptographic keys (i.e., key management), and other credentials - - Ex3: Select a unique identifier for each device from immutable hardware characteristics - or an identifier securely provisioned to the device - - Ex4: Physically label authorized hardware with an identifier for inventory - and servicing purposes' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-02 - description: Identities are proofed and bound to credentials based on the context - of interactions - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node122 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Verify a person''s claimed identity at enrollment time using government-issued - identity credentials (e.g., passport, visa, driver''s license) - - Ex2: Issue a different credential for each person (i.e., no credential sharing)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-03 - description: Users, services, and hardware are authenticated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node124 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Require multifactor authentication - - Ex2: Enforce policies for the minimum strength of passwords, PINs, and similar - authenticators - - Ex3: Periodically reauthenticate users, services, and hardware based on risk - (e.g., in zero trust architectures) - - Ex4: Ensure that authorized personnel can access accounts essential for protecting - safety under emergency conditions' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 - 
assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-04 - description: Identity assertions are protected, conveyed, and verified - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node126 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Protect identity assertions that are used to convey authentication and - user information through single sign-on systems - - Ex2: Protect identity assertions that are used to convey authentication and - user information between federated systems - - Ex3: Implement standards-based approaches for identity assertions in all contexts, - and follow all guidance for the generation (e.g., data models, metadata), - protection (e.g., digital signing, encryption), and verification (e.g., signature - validation) of identity assertions' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-05 - description: Access permissions, entitlements, and authorizations are defined - in a policy, managed, enforced, and reviewed, and incorporate the principles - of least privilege and separation of duties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node128 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review logical and physical access privileges periodically and whenever - someone changes roles or leaves the organization, and promptly rescind privileges - that are no longer needed - - Ex2: Take attributes of the requester and the requested resource into account - for authorization decisions (e.g., geolocation, day/time, requester endpoint''s - cyber health) - - Ex3: Restrict access and privileges to the minimum necessary (e.g., zero trust - architecture) - - Ex4: Periodically 
review the privileges associated with critical business - functions to confirm proper separation of duties' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa - ref_id: PR.AA-06 - description: Physical access to assets is managed, monitored, and enforced commensurate - with risk - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node130 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.aa-06 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Use security guards, security cameras, locked entrances, alarm systems, - and other physical controls to monitor facilities and restrict access - - Ex2: Employ additional physical security controls for areas that contain high-risk - assets - - Ex3: Escort guests, vendors, and other third parties within areas that contain - business-critical assets' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.AT - name: Awareness and Training - description: The organization's personnel are provided with cybersecurity awareness - and training so that they can perform their cybersecurity-related tasks - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at - ref_id: PR.AT-01 - description: Personnel are provided with awareness and training so that they - possess the knowledge and skills to perform general tasks with cybersecurity - risks in mind - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node133 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Provide basic cybersecurity awareness and training to employees, contractors, - partners, suppliers, and all other users of the 
organization''s non-public - resources - - Ex2: Train personnel to recognize social engineering attempts and other common - attacks, report attacks and suspicious activity, comply with acceptable use - policies, and perform basic cyber hygiene tasks (e.g., patching software, - choosing passwords, protecting credentials) - - Ex3: Explain the consequences of cybersecurity policy violations, both to - individual users and the organization as a whole - - Ex4: Periodically assess or test users on their understanding of basic cybersecurity - practices - - Ex5: Require annual refreshers to reinforce existing practices and introduce - new practices' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at - ref_id: PR.AT-02 - description: Individuals in specialized roles are provided with awareness and - training so that they possess the knowledge and skills to perform relevant - tasks with cybersecurity risks in mind - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node135 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.at-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Identify the specialized roles within the organization that require additional - cybersecurity training, such as physical and cybersecurity personnel, finance - personnel, senior leadership, and anyone with access to business-critical - data - - Ex2: Provide role-based cybersecurity awareness and training to all those - in specialized roles, including contractors, partners, suppliers, and other - third parties - - Ex3: Periodically assess or test users on their understanding of cybersecurity - practices for their specialized roles - - Ex4: Require annual refreshers to reinforce existing practices and introduce - new practices' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - assessable: false - depth: 2 - parent_urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.DS - name: Data Security - description: Data are managed consistent with the organization's risk strategy - to protect the confidentiality, integrity, and availability of information - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-01 - description: The confidentiality, integrity, and availability of data-at-rest - are protected - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node138 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use encryption, digital signatures, and cryptographic hashes to protect - the confidentiality and integrity of stored data in files, databases, virtual - machine disk images, container images, and other resources - - Ex2: Use full disk encryption to protect data stored on user endpoints - - Ex3: Confirm the integrity of software by validating signatures - - Ex4: Restrict the use of removable media to prevent data exfiltration - - Ex5: Physically secure removable media containing unencrypted sensitive information, - such as within locked offices or file cabinets' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-02 - description: The confidentiality, integrity, and availability of data-in-transit - are protected - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node140 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use encryption, digital signatures, and cryptographic hashes to protect - the confidentiality and integrity of network communications - - Ex2: Automatically encrypt or block outbound emails and other communications - that contain 
sensitive data, depending on the data classification - - Ex3: Block access to personal email, file sharing, file storage services, - and other personal communications applications and services from organizational - systems and networks - - Ex4: Prevent reuse of sensitive data from production environments (e.g., customer - records) in development, testing, and other non-production environments' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-10 - description: The confidentiality, integrity, and availability of data-in-use - are protected - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node142 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-10 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Remove data that must remain confidential (e.g., from processors and - memory) as soon as it is no longer needed - - Ex2: Protect data in use from access by other users and processes of the same - platform' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds - ref_id: PR.DS-11 - description: Backups of data are created, protected, maintained, and tested - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node144 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ds-11 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Continuously back up critical data in near-real-time, and back up other - data frequently at agreed-upon schedules - - Ex2: Test backups and restores for all types of data sources at least annually - - Ex3: Securely store some backups offline and offsite so that an incident or - disaster will not damage them - - Ex4: Enforce geographic separation and geolocation restrictions for data backup - storage' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - 
assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.PS - name: Platform Security - description: The hardware, software (e.g., firmware, operating systems, applications), - and services of physical and virtual platforms are managed consistent with - the organization's risk strategy to protect their confidentiality, integrity, - and availability - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-01 - description: Configuration management practices are established and applied - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node147 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Establish, test, deploy, and maintain hardened baselines that enforce - the organization''s cybersecurity policies and provide only essential capabilities - (i.e., principle of least functionality) - - Ex2: Review all default configuration settings that may potentially impact - cybersecurity when installing or upgrading software - - Ex3: Monitor implemented software for deviations from approved baselines' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-02 - description: Software is maintained, replaced, and removed commensurate with - risk - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node149 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Perform routine and emergency patching within the timeframes specified - in the vulnerability management plan - - Ex2: Update container images, and deploy new container instances to replace - rather than update existing instances - - Ex3: Replace end-of-life software and 
service versions with supported, maintained - versions - - Ex4: Uninstall and remove unauthorized software and services that pose undue - risks - - Ex5: Uninstall and remove any unnecessary software components (e.g., operating - system utilities) that attackers might misuse - - Ex6: Define and implement plans for software and service end-of-life maintenance - support and obsolescence' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-03 - description: Hardware is maintained, replaced, and removed commensurate with - risk - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node151 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Replace hardware when it lacks needed security capabilities or when it - cannot support software with needed security capabilities - - Ex2: Define and implement plans for hardware end-of-life maintenance support - and obsolescence - - Ex3: Perform hardware disposal in a secure, responsible, and auditable manner' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-04 - description: Log records are generated and made available for continuous monitoring - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node153 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Configure all operating systems, applications, and services (including - cloud-based services) to generate log records - - Ex2: Configure log generators to securely share their logs with the organization''s - logging infrastructure systems and services - - Ex3: Configure log generators to record the data needed by zero-trust architectures' 
- - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-05 - description: Installation and execution of unauthorized software are prevented - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node155 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: When risk warrants it, restrict software execution to permitted products - only or deny the execution of prohibited and unauthorized software - - Ex2: Verify the source of new software and the software''s integrity before - installing it - - Ex3: Configure platforms to use only approved DNS services that block access - to known malicious domains - - Ex4: Configure platforms to allow the installation of organization-approved - software only' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps - ref_id: PR.PS-06 - description: Secure software development practices are integrated, and their - performance is monitored throughout the software development life cycle - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node157 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ps-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Protect all components of organization-developed software from tampering - and unauthorized access - - Ex2: Secure all software produced by the organization, with minimal vulnerabilities - in their releases - - Ex3: Maintain the software used in production environments, and securely dispose - of software once it is no longer needed' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr - ref_id: PR.IR - name: Technology Infrastructure Resilience - description: 
Security architectures are managed with the organization's risk - strategy to protect asset confidentiality, integrity, and availability, and - organizational resilience - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-01 - description: Networks and environments are protected from unauthorized logical - access and usage - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node160 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-01 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Logically segment organization networks and cloud-based platforms according - to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), - and permit required communications only between segments - - Ex2: Logically segment organization networks from external networks, and permit - only necessary communications to enter the organization''s networks from the - external networks - - Ex3: Implement zero trust architectures to restrict network access to each - resource to the minimum necessary - - Ex4: Check the cyber health of endpoints before allowing them to access and - use production resources' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-02 - description: The organization's technology assets are protected from environmental - threats - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node162 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Protect organizational equipment from known environmental threats, such - as flooding, fire, wind, and excessive heat and humidity - - Ex2: Include protection from environmental threats and provisions for 
adequate - operating infrastructure in requirements for service providers that operate - systems on the organization''s behalf' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-03 - description: Mechanisms are implemented to achieve resilience requirements in - normal and adverse situations - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node164 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Avoid single points of failure in systems and infrastructure - - Ex2: Use load balancing to increase capacity and improve reliability - - Ex3: Use high-availability components like redundant storage and power supplies - to improve system reliability' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir - ref_id: PR.IR-04 - description: Adequate resource capacity to ensure availability is maintained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node166 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:pr.ir-04 - name: Examples - description: 'Ex1: Monitor usage of storage, power, compute, network bandwidth, - and other resources - - Ex2: Forecast future needs, and scale resources accordingly' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de - assessable: false - depth: 1 - ref_id: DE - name: DETECT - description: Possible cybersecurity attacks and compromises are found and analyzed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de - ref_id: DE.CM - name: Continuous Monitoring - description: Assets are monitored to find anomalies, indicators of compromise, - and other potentially adverse events - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-01 - description: Networks and network services are monitored to find potentially - adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node170 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-01 - name: Examples - description: 'Ex1: Monitor DNS, BGP, and other network services for adverse - events - - Ex2: Monitor wired and wireless networks for connections from unauthorized - endpoints - - Ex3: Monitor facilities for unauthorized or rogue wireless networks - - Ex4: Compare actual network flows against baselines to detect deviations - - Ex5: Monitor network communications to identify changes in security postures - for zero trust purposes - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-02 - description: The physical environment is monitored to find potentially adverse - events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node172 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-02 - name: Examples - description: 'Ex1: Monitor logs from physical access control systems (e.g., - badge readers) to find unusual access patterns (e.g., deviations from the - norm) and failed access attempts - - Ex2: Review and monitor physical access records (e.g., from visitor registration, - sign-in sheets) - - Ex3: Monitor physical access controls (e.g., locks, latches, hinge pins, alarms) - for signs of tampering - - Ex4: Monitor the physical environment using alarm systems, cameras, and security - guards - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-03 - 
description: Personnel activity and technology usage are monitored to find potentially - adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node174 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-03 - name: Examples - description: 'Ex1: Use behavior analytics software to detect anomalous user - activity to mitigate insider threats - - Ex2: Monitor logs from logical access control systems to find unusual access - patterns and failed access attempts - - Ex3: Continuously monitor deception technology, including user accounts, for - any usage - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-06 - description: External service provider activities and services are monitored - to find potentially adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node176 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-06 - name: Examples - description: 'Ex1: Monitor remote and onsite administration and maintenance - activities that external providers perform on organizational systems - - Ex2: Monitor activity from cloud-based services, internet service providers, - and other service providers for deviations from expected behavior - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm - ref_id: DE.CM-09 - description: Computing hardware and software, runtime environments, and their - data are monitored to find potentially adverse events - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node178 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.cm-09 - name: Examples - description: 'Ex1: Monitor email, web, file sharing, collaboration services, - and other common attack vectors to detect 
malware, phishing, data leaks and - exfiltration, and other adverse events - - Ex2: Monitor authentication attempts to identify attacks against credentials - and unauthorized credential reuse - - Ex3: Monitor software configurations for deviations from security baselines - - Ex4: Monitor hardware and software for signs of tampering - - Ex5: Use technologies with a presence on endpoints to detect cyber health - issues (e.g., missing patches, malware infections, unauthorized software), - and redirect the endpoints to a remediation environment before access is authorized - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de - ref_id: DE.AE - name: Adverse Event Analysis - description: Anomalies, indicators of compromise, and other potentially adverse - events are analyzed to characterize the events and detect cybersecurity incidents - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-02 - description: Potentially adverse events are analyzed to better understand associated - activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node181 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-02 - name: Examples - description: 'Ex1: Use security information and event management (SIEM) or other - tools to continuously monitor log events for known malicious and suspicious - activity - - Ex2: Utilize up-to-date cyber threat intelligence in log analysis tools to - improve detection accuracy and characterize threat actors, their methods, - and indicators of compromise - - Ex3: Regularly conduct manual reviews of log events for technologies that - cannot be sufficiently monitored through automation - - Ex4: Use log analysis tools to generate reports on their findings - - 1st: 1st Party Risk' - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-03 - description: Information is correlated from multiple sources - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node183 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-03 - name: Examples - description: 'Ex1: Constantly transfer log data generated by other sources to - a relatively small number of log servers - - Ex2: Use event correlation technology (e.g., SIEM) to collect information - captured by multiple sources - - Ex3: Utilize cyber threat intelligence to help correlate events among log - sources - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-04 - description: The estimated impact and scope of adverse events are understood - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node185 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-04 - name: Examples - description: 'Ex1: Use SIEMs or other tools to estimate impact and scope, and - review and refine the estimates - - Ex2: A person creates their own estimates of impact and scope - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-06 - description: Information on adverse events is provided to authorized staff and - tools - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node187 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-06 - name: Examples - description: 'Ex1: Use cybersecurity software to generate alerts and provide - them to the security operations center (SOC), incident responders, and incident - response tools - - Ex2: Incident responders and other 
authorized personnel can access log analysis - findings at all times - - Ex3: Automatically create and assign tickets in the organization''s ticketing - system when certain types of alerts occur - - Ex4: Manually create and assign tickets in the organization''s ticketing system - when technical staff discover indicators of compromise - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-07 - description: Cyber threat intelligence and other contextual information are - integrated into the analysis - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node189 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-07 - name: Examples - description: 'Ex1: Securely provide cyber threat intelligence feeds to detection - technologies, processes, and personnel - - Ex2: Securely provide information from asset inventories to detection technologies, - processes, and personnel - - Ex3: Rapidly acquire and analyze vulnerability disclosures for the organization''s - technologies from suppliers, vendors, and third-party security advisories - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae - ref_id: DE.AE-08 - description: Incidents are declared when adverse events meet the defined incident - criteria - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node191 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:de.ae-08 - name: Examples - description: 'Ex1: Apply incident criteria to known and assumed characteristics - of activity in order to determine whether an incident should be declared - - Ex2: Take known false positives into account when applying incident criteria - - 1st: 1st Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - assessable: false - 
depth: 1 - ref_id: RS - name: RESPOND - description: Actions regarding a detected cybersecurity incident are taken - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.MA - name: Incident Management - description: Responses to detected cybersecurity incidents are managed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-01 - description: The incident response plan is executed in coordination with relevant - third parties once an incident is declared - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node195 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-01 - name: Examples - description: 'Ex1: Detection technologies automatically report confirmed incidents - - Ex2: Request incident response assistance from the organization''s incident - response outsourcer - - Ex3: Designate an incident lead for each incident - - Ex4: Initiate execution of additional cybersecurity plans as needed to support - incident response (for example, business continuity and disaster recovery) - - 3rd: 3rd Party Risk' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-02 - description: Incident reports are triaged and validated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node197 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Preliminarily review incident reports to confirm that they are cybersecurity-related - and necessitate incident response activities - - Ex2: Apply criteria to estimate the severity of an incident' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 - assessable: true - depth: 3 - 
parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-03 - description: Incidents are categorized and prioritized - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node199 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Further review and categorize incidents based on the type of incident - (e.g., data breach, ransomware, DDoS, account compromise) - - Ex2: Prioritize incidents based on their scope, likely impact, and time-critical - nature - - Ex3: Select incident response strategies for active incidents by balancing - the need to quickly recover from an incident with the need to observe the - attacker or conduct a more thorough investigation' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-04 - description: Incidents are escalated or elevated as needed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node201 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Track and validate the status of all ongoing incidents - - Ex2: Coordinate incident escalation or elevation with designated internal - and external stakeholders' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma - ref_id: RS.MA-05 - description: The criteria for initiating incident recovery are applied - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node203 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.ma-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Apply incident recovery criteria to known and assumed characteristics - of the incident to determine whether incident recovery processes should be - initiated - - 
Ex2: Take the possible operational disruption of incident recovery activities - into account' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.AN - name: Incident Analysis - description: Investigations are conducted to ensure effective response and support - forensics and recovery activities - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-03 - description: Analysis is performed to establish what has taken place during - an incident and the root cause of the incident - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node206 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Determine the sequence of events that occurred during the incident and - which assets and resources were involved in each event - - Ex2: Attempt to determine what vulnerabilities, threats, and threat actors - were directly or indirectly involved in the incident - - Ex3: Analyze the incident to find the underlying, systemic root causes - - Ex4: Check any cyber deception technology for additional information on attacker - behavior' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-06 - description: Actions performed during an investigation are recorded, and the - records' integrity and provenance are preserved - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node208 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Require each incident responder and others (e.g., system administrators, - cybersecurity engineers) who perform incident response tasks to record 
their - actions and make the record immutable - - Ex2: Require the incident lead to document the incident in detail and be responsible - for preserving the integrity of the documentation and the sources of all information - being reported' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-07 - description: Incident data and metadata are collected, and their integrity and - provenance are preserved - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node210 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-07 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Collect, preserve, and safeguard the integrity of all pertinent incident - data and metadata (e.g., data source, date/time of collection) based on evidence - preservation and chain-of-custody procedures' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an - ref_id: RS.AN-08 - description: An incident's magnitude is estimated and validated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node212 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.an-08 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Review other potential targets of the incident to search for indicators - of compromise and evidence of persistence - - Ex2: Automatically run tools on targets to look for indicators of compromise - and evidence of persistence' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.CO - name: Incident Response Reporting and Communication - description: Response activities are coordinated with internal and external - stakeholders as required by laws, regulations, or policies - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co - ref_id: RS.CO-02 - description: Internal and external stakeholders are notified of incidents - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node215 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Follow the organization''s breach notification procedures after discovering - a data breach incident, including notifying affected customers - - Ex2: Notify business partners and customers of incidents in accordance with - contractual requirements - - Ex3: Notify law enforcement agencies and regulatory bodies of incidents based - on criteria in the incident response plan and management approval' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co - ref_id: RS.CO-03 - description: Information is shared with designated internal and external stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node217 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.co-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Securely share information consistent with response plans and information - sharing agreements - - Ex2: Voluntarily share information about an attacker''s observed TTPs, with - all sensitive data removed, with an Information Sharing and Analysis Center - (ISAC) - - Ex3: Notify HR when malicious insider activity occurs - - Ex4: Regularly update senior leadership on the status of major incidents - - Ex5: Follow the rules and protocols defined in contracts for incident information - sharing between the organization and its suppliers - - Ex6: Coordinate crisis communication methods between the organization and - its critical 
suppliers' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs - ref_id: RS.MI - name: Incident Mitigation - description: Activities are performed to prevent expansion of an event and mitigate - its effects - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi - ref_id: RS.MI-01 - description: Incidents are contained - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node220 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-01 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Cybersecurity technologies (e.g., antivirus software) and cybersecurity - features of other technologies (e.g., operating systems, network infrastructure - devices) automatically perform containment actions - - Ex2: Allow incident responders to manually select and perform containment - actions - - Ex3: Allow a third party (e.g., internet service provider, managed security - service provider) to perform containment actions on behalf of the organization - - Ex4: Automatically transfer compromised endpoints to a remediation virtual - local area network (VLAN)' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi - ref_id: RS.MI-02 - description: Incidents are eradicated - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node222 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rs.mi-02 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - Ex1: Cybersecurity technologies and cybersecurity features of other technologies - (e.g., operating systems, network infrastructure devices) automatically perform - eradication actions - - Ex2: Allow incident responders to manually select and perform 
eradication - actions - - Ex3: Allow a third party (e.g., managed security service provider) to perform - eradication actions on behalf of the organization' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc - assessable: false - depth: 1 - ref_id: RC - name: RECOVER - description: Assets and operations affected by a cybersecurity incident are - restored - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc - ref_id: RC.RP - name: Incident Recovery Plan Execution - description: Restoration activities are performed to ensure operational availability - of systems and services affected by cybersecurity incidents - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-01 - description: The recovery portion of the incident response plan is executed - once initiated from the incident response process - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node226 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-01 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Begin recovery procedures during or after incident response processes - - Ex2: Make all individuals with recovery responsibilities aware of the plans - for recovery and the authorizations required to implement each aspect of the - plans' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-02 - description: Recovery actions are selected, scoped, prioritized, and performed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node228 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-02 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Select recovery actions based on the criteria defined in the incident - response 
plan and available resources - - Ex2: Change planned recovery actions based on a reassessment of organizational - needs and resources' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-03 - description: The integrity of backups and other restoration assets is verified - before using them for restoration - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node230 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-03 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Check restoration assets for indicators of compromise, file corruption, - and other integrity issues before use' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-04 - description: Critical mission functions and cybersecurity risk management are - considered to establish post-incident operational norms - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node232 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Use business impact and system categorization records (including service - delivery objectives) to validate that essential services are restored in the - appropriate order - - Ex2: Work with system owners to confirm the successful restoration of systems - and the return to normal operations - - Ex3: Monitor the performance of restored systems to verify the adequacy of - the restoration' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-05 - description: The integrity of restored assets is verified, systems and services - are restored, and normal operating status is confirmed - - urn: 
urn:intuitem:risk:req_node:nist-csf-2.0:node234 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-05 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Check restored assets for indicators of compromise and remediation of - root causes of the incident before production use - - Ex2: Verify the correctness and adequacy of the restoration actions taken - before putting a restored system online' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp - ref_id: RC.RP-06 - description: The end of incident recovery is declared based on criteria, and - incident-related documentation is completed - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node236 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.rp-06 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Prepare an after-action report that documents the incident itself, the - response and recovery actions taken, and lessons learned - - Ex2: Declare the end of incident recovery once the criteria are met' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co - assessable: false - depth: 2 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc - ref_id: RC.CO - name: Incident Recovery Communication - description: Restoration activities are coordinated with internal and external - parties - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co - ref_id: RC.CO-03 - description: Recovery activities and progress in restoring operational capabilities - are communicated to designated internal and external stakeholders - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node239 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-03 - name: Examples - description: '1st: 1st Party Risk - - 3rd: 3rd Party Risk - - 
Ex1: Securely share recovery information, including restoration progress, - consistent with response plans and information sharing agreements - - Ex2: Regularly update senior leadership on recovery status and restoration - progress for major incidents - - Ex3: Follow the rules and protocols defined in contracts for incident information - sharing between the organization and its suppliers - - Ex4: Coordinate crisis communication between the organization and its critical - suppliers' - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 - assessable: true - depth: 3 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co - ref_id: RC.CO-04 - description: Public updates on incident recovery are shared using approved methods - and messaging - - urn: urn:intuitem:risk:req_node:nist-csf-2.0:node241 - assessable: false - depth: 4 - parent_urn: urn:intuitem:risk:req_node:nist-csf-2.0:rc.co-04 - name: Examples - description: '1st: 1st Party Risk - - Ex1: Follow the organization''s breach notification procedures for recovering - from a data breach incident - - Ex2: Explain the steps being taken to recover from the incident and to prevent - a recurrence' diff --git a/tools/nist/sp-800-66/nist-sp-800-66.py b/tools/nist/sp-800-66/nist-sp-800-66.py index 268e1725c..45e6b7b3c 100644 --- a/tools/nist/sp-800-66/nist-sp-800-66.py +++ b/tools/nist/sp-800-66/nist-sp-800-66.py @@ -1,7 +1,7 @@ -''' +""" Simple script to convert NIST SP-800-66 excel in a CISO Assistant Excel file Source; https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home -''' +""" import openpyxl import sys 
@@ -10,20 +10,21 @@ from openpyxl.styles import numbers parser = argparse.ArgumentParser( - prog='convert_nist-sp-800-66', - description='convert NIST SP-800-66 controls offical Excel file to CISO Assistant Excel file') + prog="convert_nist-sp-800-66", + description="convert NIST SP-800-66 controls offical Excel file to CISO Assistant Excel file", +) -parser.add_argument('filename', help='name of official NIST SP-800-66 Excel file') +parser.add_argument("filename", help="name of official NIST SP-800-66 Excel file") args = parser.parse_args() input_file_name = args.filename output_file_name = "nist-sp-800-66-rev2.xlsx" -library_copyright = '''With the exception of material marked as copyrighted, information presented on NIST sites are considered public information and may be distributed or copied.''' -packager = 'intuitem' +library_copyright = """With the exception of material marked as copyrighted, information presented on NIST sites are considered public information and may be distributed or copied.""" +packager = "intuitem" -library_description = '''Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0 +library_description = """Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, 2.0.0 Source: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home -''' +""" print("parsing", input_file_name) 
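Review bot: The reformatted `description=` argument at the top of this hunk still carries the typo "offical"; since the line is rewritten anyway it should read `description="convert NIST SP-800-66 controls official Excel file to CISO Assistant Excel file",`. The same typo is reproduced in the convert_tisax.py hunk `@@ -10,27 +10,28 @@` (`description="convert TISAX controls offical v6.0.2 Excel file to CISO Assistant Excel file",`). Both strings are user-facing `--help` text, so the fix is worth folding into this formatting pass.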
@@ -39,36 +40,46 @@ for row in tab: line += 1 if line > 1: - (security_rule_id, security_rule, std_id, std, key_activity, description, sample_questions) = (r.value for r in row) + ( + security_rule_id, + security_rule, + std_id, + std, + key_activity, + description, + sample_questions, + ) = (r.value for r in row) if security_rule_id: - output_table.append(('', 1, security_rule_id, None, security_rule)) + output_table.append(("", 1, security_rule_id, None, security_rule)) if std_id: - output_table.append(('', 2, std_id, None, std)) - output_table.append(('x', 3, None, key_activity, description)) - output_table.append(('', 4, None, "Sample questions", sample_questions)) + output_table.append(("", 2, std_id, None, std)) + output_table.append(("x", 3, None, key_activity, description)) + output_table.append(("", 4, None, "Sample questions", sample_questions)) print("generating", output_file_name) wb_output = openpyxl.Workbook() ws = wb_output.active -ws.title='library_content' -ws.append(['library_urn', f'urn:{packager.lower()}:risk:library:nist-sp-800-66-rev2']) -ws.append(['library_version', '1']) -ws.append(['library_locale', 'en']) -ws.append(['library_ref_id', 'NIST-SP-800-66-rev2']) -ws.append(['library_name', 'NIST SP-800-66 rev2 (HIPAA)']) -ws.append(['library_description', library_description]) -ws.append(['library_copyright', library_copyright]) -ws.append(['library_provider', 'NIST']) -ws.append(['library_packager', packager]) -ws.append(['framework_urn', f'urn:{packager.lower()}:risk:framework:nist-sp-800-66-rev2']) -ws.append(['framework_ref_id', 'nist-sp-800-66-rev2']) -ws.append(['framework_name', 'NIST SP-800-66 rev2 (HIPAA)']) -ws.append(['framework_description', library_description]) -ws.append(['tab', 'controls', 'requirements']) +ws.title = "library_content" +ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:nist-sp-800-66-rev2"]) +ws.append(["library_version", "1"]) +ws.append(["library_locale", "en"]) +ws.append(["library_ref_id", 
"NIST-SP-800-66-rev2"]) +ws.append(["library_name", "NIST SP-800-66 rev2 (HIPAA)"]) +ws.append(["library_description", library_description]) +ws.append(["library_copyright", library_copyright]) +ws.append(["library_provider", "NIST"]) +ws.append(["library_packager", packager]) +ws.append( + ["framework_urn", f"urn:{packager.lower()}:risk:framework:nist-sp-800-66-rev2"] +) +ws.append(["framework_ref_id", "nist-sp-800-66-rev2"]) +ws.append(["framework_name", "NIST SP-800-66 rev2 (HIPAA)"]) +ws.append(["framework_description", library_description]) +ws.append(["tab", "controls", "requirements"]) ws1 = wb_output.create_sheet("controls") -ws1.append(['assessable', 'depth', 'ref_id', 'name', 'description']) +ws1.append(["assessable", "depth", "ref_id", "name", "description"]) for row in output_table: ws1.append(row) print("generate ", output_file_name) diff --git a/tools/tisax/convert_tisax.py b/tools/tisax/convert_tisax.py index 8c2d43ebf..e010fdb87 100644 --- a/tools/tisax/convert_tisax.py +++ b/tools/tisax/convert_tisax.py @@ -1,7 +1,7 @@ -''' +""" Simple script to convert TISAX v6.0.2 excel in a CISO Assistant Excel file Source; https://portal.enx.com/isa6-en.xlsx -''' +""" import openpyxl import sys 
@@ -10,27 +10,28 @@ from openpyxl.styles import numbers parser = argparse.ArgumentParser( - prog='convert_tisax', - description='convert TISAX controls offical v6.0.2 Excel file to CISO Assistant Excel file') + prog="convert_tisax", + description="convert TISAX controls offical v6.0.2 Excel file to CISO Assistant Excel file", +) -parser.add_argument('filename', help='name of official TISAX Excel file') +parser.add_argument("filename", help="name of official TISAX Excel file") args = parser.parse_args() input_file_name = args.filename output_file_name = "tisax-v6.0.2.xlsx" -library_copyright = '''© 2023 ENX Association, an Association according to the French Law of 1901, registered under No. w923004198 at the Sous-préfecture of Boulogne-Billancourt, France. +library_copyright = """© 2023 ENX Association, an Association according to the French Law of 1901, registered under No. w923004198 at the Sous-préfecture of Boulogne-Billancourt, France. This work of ENX's Working Group ISA was provided to the VDA in the present version by the ENX Association for published by the VDA as the VDA ISA. It is made to all interested parties free of charge under the following licensing terms. The release in the VDA is done by the VDA's Working Group Information Security and Economic Protection. Publication takes place with the consent of the rights holder. The VDA is responsible for the publication of the VDA ISA. The Tab ""Data Protection"" is provided, owned and copyrighted by VERBAND DER AUTOMOBILINDUSTRIE e.V. (VDA, German Association of the Automotive Industry); Behrenstr. 35; 10117 Berlin" This work has been licensed under Creative Commons Attribution - No Derivative Works 4.0 International Public License. In addition, You are granted the right to distribute derivatives under certain terms as detailed in section 9 which are not part of the Creative Commons license. The complete and valid text of the license is to be found in line 17ff. 
-''' -packager = 'intuitem' +""" +packager = "intuitem" -library_description = '''ISA provides the basis for +library_description = """ISA provides the basis for - a self-assessment to determine the state of information security in an organization (e.g. company) - audits performed by internal departments (e.g. Internal Audit, Information Security) - TISAXⓇ Assessments (Trusted Information Security Assessment Exchange, https://enx.com/tisax/) Source: https://portal.enx.com/isa6-en.xlsx -''' +""" print("parsing", input_file_name) 
@@ -43,57 +44,245 @@ title = tab.title if title in ("Information Security", "Prototype Protection", "Data Protection"): for row in tab: - (_, _, control_number, _, _, _, _, control_question, objective, req_must, req_should, req_high, req_very_high, req_sga, usual_resp, _, _, _, _, _, _, _, - further_info, ex_normal, ex_high, ex_very_high) = (r.value for r in row[0:26]) + req_should = None + req_very_high = None + req_high = None + req_sga = None + req_vehicle = None + further_info = None + ex_normal=None + ex_high=None + ex_very_high=None + if title == "Information Security": + ( + _, + _, + control_number, + _, + _, + _, + _, + control_question, + objective, + req_must, + req_should, + req_high, + req_very_high, + req_sga, + _, + _, + _, + _, + _, + _, + _, + _, + further_info, + ex_normal, + ex_high, + ex_very_high, + ) = (r.value for r in row[0:26]) + elif title == "Prototype Protection": + ( + _, + _, + control_number, + _, + _, + _, + _, + control_question, + objective, + req_must, + req_should, + req_vehicle, + ) = (r.value for r in row[0:12]) + elif title == "Data Protection": + ( + _, + _, + control_number, + _, + _, + _, + _, + control_question, + objective, + req_must, + ) = (r.value for r in row[0:10]) if type(control_number) == int: control_number = str(control_number) - if control_number and re.fullmatch(r'\d', control_number): - level=2 + if control_number and re.fullmatch(r"\d", control_number): + level = 2 print(control_number, control_question) - output_table.append(('', 1, control_number, control_question, '')) - if control_number and re.fullmatch(r'\d\.\d+', control_number): - level=3 + output_table.append(("", 1, control_number, control_question, "")) + if control_number and re.fullmatch(r"\d\.\d+", control_number): + level = 3 print(control_number, control_question) - output_table.append(('', 2, control_number, control_question, '')) - if control_number and re.fullmatch(r'\d\.\d+\.\d+', control_number): - if re.match(r'Superseded by', 
control_question): + output_table.append(("", 2, control_number, control_question, "")) + if control_number and re.fullmatch(r"\d\.\d+\.\d+", control_number): + if re.match(r"Superseded by", control_question): print("skipping", control_number) - #print(control_number, control_question) - output_table.append(('', level, control_number, control_question, '')) - output_table.append(('x', level+1, '', '(must)', req_must)) - if req_should and req_should != 'None': - output_table.append(('x', level+1, '', '(should)', req_should)) - if req_high and req_high != 'None': - output_table.append(('x', level+1, '', '(for high protection needs)', req_high)) - if req_very_high and req_very_high != 'None': - output_table.append(('x', level+1, '', '(for very high protection needs)', req_very_high)) - if req_sga and req_sga != 'None': - output_table.append(('x', level+1, '', '(for Simplified Group Assessments)', req_sga)) + # print(control_number, control_question) + output_table.append(("", level, control_number, control_question, "")) + output_table.append(("x", level + 1, "", "(must)", req_must, "must")) + if req_should and req_should != "None": + output_table.append(("x", level + 1, "", "(should)", req_should, "should")) + if req_high and req_high != "None": + output_table.append( + ("x", level + 1, "", "(for high protection needs)", req_high, "high") + ) + if req_very_high and req_very_high != "None": + output_table.append( + ( + "x", + level + 1, + "", + "(for very high protection needs)", + req_very_high, + "very_high" + ) + ) + if req_sga and req_sga != "None": + output_table.append( + ( + "x", + level + 1, + "", + "(for Simplified Group Assessments)", + req_sga, + "SGA", + ) + ) + if req_vehicle and req_vehicle != "None": + output_table.append( + ( + "x", + level + 1, + "", + "(for vehicles classified as requiring protection)", + req_vehicle, + "vehicle", + ) + ) if further_info: - output_table.append(('', level+1, '', 'Further information', further_info)) + 
output_table.append( + ("", level + 1, "", "Further information", further_info) + ) print("generating", output_file_name) wb_output = openpyxl.Workbook() ws = wb_output.active -ws.title='library_content' -ws.append(['library_urn', f'urn:{packager.lower()}:risk:library:tisax-v6.0.2']) -ws.append(['library_version', '1']) -ws.append(['library_locale', 'en']) -ws.append(['library_ref_id', 'TISAX v6.0.2']) -ws.append(['library_name', 'Trusted Information Security Assessment Exchange ']) -ws.append(['library_description', library_description]) -ws.append(['library_copyright', library_copyright]) -ws.append(['library_provider', 'VDA']) -ws.append(['library_packager', packager]) -ws.append(['framework_urn', f'urn:{packager.lower()}:risk:framework:tisax-v6.0.2']) -ws.append(['framework_ref_id', 'TISAX v6.0.2']) -ws.append(['framework_name', 'Trusted Information Security Assessment Exchange']) -ws.append(['framework_description', library_description]) -ws.append(['tab', 'controls', 'requirements']) +ws.title = "library_content" +ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:tisax-v6.0.2"]) +ws.append(["library_version", "1"]) +ws.append(["library_locale", "en"]) +ws.append(["library_ref_id", "TISAX v6.0.2"]) +ws.append(["library_name", "Trusted Information Security Assessment Exchange "]) +ws.append(["library_description", library_description]) +ws.append(["library_copyright", library_copyright]) +ws.append(["library_provider", "VDA"]) +ws.append(["library_packager", packager]) +ws.append(["framework_urn", f"urn:{packager.lower()}:risk:framework:tisax-v6.0.2"]) +ws.append(["framework_ref_id", "TISAX v6.0.2"]) +ws.append(["framework_name", "Trusted Information Security Assessment Exchange"]) +ws.append(["framework_description", library_description]) +ws.append(["framework_min_score", 0]) +ws.append(["framework_max_score", 5]) +ws.append(["tab", "controls", "requirements"]) +ws.append(["tab", "scores", "scores"]) +ws.append(["tab", "implementation_groups", 
"implementation_groups"]) ws1 = wb_output.create_sheet("controls") -ws1.append(['assessable', 'depth', 'ref_id', 'name', 'description']) +ws1.append(["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]) for row in output_table: ws1.append(row) + +ws2 = wb_output.create_sheet("scores") +ws2.append(["score", "name", "description"]) +ws2.append( + [ + 0, + "Incomplete", + "A process is not available, not followed or not suitable for achieving the objective.", + ] +) +ws2.append( + [ + 1, + "Performed", + "An undocumented or incompletely documented process is followed and indicators exist that it achieves its objective.", + ] +) +ws2.append( + [ + 2, + "Managed", + "A process achieving its objectives is followed. Process documentation and process implementation evidence are available.", + ] +) +ws2.append( + [ + 3, + "Established", + "A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used sustainably and actively over an extended period.", + ] +) +ws2.append( + [ + 4, + "Predictable", + "An established process is followed. The effectiveness of the process is continually monitored by collecting key figures. Limit values are defined at which the process is considered to be insufficiently effective and requires adjustment. (Key Performance Indicators)", + ] +) +ws2.append( + [ + 5, + "Optimizing", + "A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by dedicated resources.", + ] +) + +ws3 = wb_output.create_sheet("implementation_groups") +ws3.append(["ref_id", "name", "description"]) +ws3.append( + ["must", "Requirements (must)", "Strict requirements without any exemptions."] +) +ws3.append( + [ + "should", + "Requirements (should)", + "Must be implemented by the organization. 
In certain circumstances, however, there may be a valid justification for non-compliance with these requirements. In case of any deviation, its effects must be understood by the organization and it must be plausibly justified.", + ] +) +ws3.append( + [ + "high", + "In case of high protection needs", + "Must additionally be met if the tested subject has high protection needs.", + ] +) +ws3.append( + [ + "very_high", + "In case of very high protection needs", + "Must additionally be met if the tested subject has very high protection needs.", + ] +) +ws3.append( + [ + "SGA", + "For Simplified Group Assessments (SGA)", + "A simplified way to audit very large organizations with a high maturity. An example is the TISAX Simplified Group Assessment mechanism that is an option for TISAX Assessments of an assessment scope with a large number of sites.", + ] +) +ws3.append( + [ + "vehicle", + "For vehicles classified as requiring protection", + "Protects physical prototypes which are classified as requiring protection. Prototypes include vehicles, components and parts. The owner of the intellectual property for the prototype is considered the owner of the prototype. The owner's commissioning department is responsible for classifying the protection need of a prototype. For prototypes classified as requiring high or very high protection, the minimum requirements for prototype protection must be applied.", + ] +) + print("generate ", output_file_name) wb_output.save(output_file_name) diff --git a/tools/tisax/tisax-v6.0.2.xlsx b/tools/tisax/tisax-v6.0.2.xlsx index af63e51a6..6d5816e34 100644 Binary files a/tools/tisax/tisax-v6.0.2.xlsx and b/tools/tisax/tisax-v6.0.2.xlsx differ
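Review bot: The `if re.match(r"Superseded by", control_question):` branch in the middle of the hunk still falls through: after `print("skipping", control_number)` the control row, its `(must)` row and any further-information row are appended to `output_table` exactly like a live control, so nothing is actually skipped. If superseded controls are meant to be left out of the generated framework, add `continue` right after the print; if they are meant to be kept, the log message should say so rather than "skipping". Two smaller style points in the new code: `ex_normal=None`, `ex_high=None` and `ex_very_high=None` lack the spaces around `=` that the rest of this reformatting introduces, and `"very_high"` in the very-high-protection row is missing the trailing comma black adds to the sibling tuples. The enclosing loop over worksheets (`title = tab.title`) starts outside the hunk.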