diff --git a/.gitignore b/.gitignore index e01e8f1..b383e4e 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,5 @@ ciso_assistant/build.json *.sqlite3 db/django_secret_key db/attachments/ +db/data/ +db/pg_password.txt diff --git a/Contributor License Agreement.md b/Contributor License Agreement.md new file mode 100644 index 0000000..f881a97 --- /dev/null +++ b/Contributor License Agreement.md 
@@ -0,0 +1,63 @@ +# intuitem Contributor License Agreement (CLA) + +## Human-Friendly Summary + +This is a human-readable summary of (and not a substitute for) the full agreement. It has no legal value and you should carefully review all the terms of the actual CLA (following section **Legal Notice and Agreement**) before agreeing. + +- Grant of copyright license. You give intuitem permission to use your copyrighted work in open-source and commercial products. +- Grant of patent license. If your contributed work uses a patent, you give intuitem a license to use that patent including within open-source and commercial products. You also agree that you have permission to grant this license. +- No Warranty or Support Obligations. By making a contribution, you are not obligating yourself to provide support for the contribution, and you are not taking on any warranty obligations or providing any assurances about how it will perform. + +The CLA does not change the terms of the underlying license used by our software such as the AGPLv3 License. You are still free to use our projects within your own projects or businesses, republish modified source code, and more subject to the terms of the project license. + +## Why Require a CLA? + +Agreeing to a CLA explicitly states that you are entitled to provide a contribution, that you cannot withdraw permission to use your contribution at a later date, and that intuitem has permission to use your contribution in our open-source and commercial products. + +This removes any ambiguities or uncertainties caused by not having a CLA and allows users and customers to confidently adopt our projects. At the same time, the CLA ensures that all contributions to our open source projects are licensed under the project's respective open source license, such as AGPLv3. + +intuitem is committed to open-source for its non-commercial software. 
A CLA enables intuitem to safely commercialize its products while promoting open-source, which allows to build a sustainable business. + +Requiring a CLA is a common and well-accepted practice in open source. Major open source projects require CLAs such as Apache, Kubernetes, Docker, Python, Django, and more. + +## Signing the CLA + +When you open a pull request ("PR") to any of our projects for the first time, a bot will comment on the PR asking you to sign the CLA if you haven't already. + +Follow the steps given by the bot to sign the CLA. We will only use this information for CLA tracking; none of your submitted information will be used for marketing purposes. + +You only have to sign the CLA once. Once you've signed the CLA, future contributions to any intuitem project will not require you to sign again. + +## Legal Notice and Agreement + +### Introduction + +The purpose of this contributor agreement ("Agreement") is to clarify and document the rights granted by contributors to Intuitem SARL ("**intuitem**"). + +By contributing to any open-source project maintained by intuitem, you acknowledge and accept these terms and conditions. + +### 1. Definitions + +a. **Contributor:** "You" (or "Your") means the copyright owner or legal entity authorized by the copyright owner entering into this Agreement with intuitem. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered a single Contributor. For the purposes of this definition, "control" means (i) the authority, direct or indirect, to have the direction or management of such an entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. + +b. 
**Contribution:** "Contribution" means any original work by the author, including any modifications or additions to an existing work, that is or has already been intentionally submitted by You to intuitem for inclusion or documentation in any of the products owned or operated by intuitem (the "Work"). For the purposes of this definition, the term "submitted" means any form of electronic, verbal, or written communication sent to intuitem or its representatives, including, but not limited to, communication on electronic mailing lists, source control systems, and issue tracking systems that are operated by or on behalf of intuitem for the purpose of discussing and improving the Work, excluding communications that are clearly marked or otherwise designated in writing by You as "not constituting a contribution." + +### 2. Grant of License + +a. **Copyright License:** Subject to the terms and conditions of this Agreement, You hereby grant to intuitem and the recipients of the Material distributed by intuitem a perpetual, worldwide, non-exclusive, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works. + +b. **Patent License:** Subject to the terms and conditions of this Agreement, You hereby grant to intuitem and the recipients of the Material distributed by intuitem a perpetual, worldwide, non-exclusive, royalty-free, irrevocable patent license (except as otherwise provided in this section) to make, have made, use, offer for sale, sell, import, and otherwise transfer the Work. This license applies only to patent claims that may be licensed by You and that are necessarily infringed by Your Contribution(s) alone or by the combination of Your Contribution(s) with the work to which such Contribution(s) has been submitted. 
If an entity brings a patent lawsuit against You or any other entity (including a counterclaim or counterclaim in a legal action) alleging that Your Contribution, or the Work to which you contributed, constitutes direct or contributory patent infringement, then all patent licenses granted to that entity under this Agreement for such Contribution or Work will take effect on the date on which this dispute is filed. + +### 3. Representations + +You represent that You are legally authorized to grant the above license. If Your employer(s) have rights to the intellectual property that You create that include Your Contributions, You represent that You have received permission to make Contributions on behalf of that employer, that You have received permission from Your current and future employers for all future Contributions, or that Your applicable employer has waived such rights for all of Your current and future Contributions to intuitem. + +You represent that each of Your contributions is Your original creation and that Your Contribution Submissions include full details of any third-party licenses or other restrictions (including, but not limited to, related patents and trademarks) of which You are personally aware and that are associated with any portion of Your Contributions. + +### 4. Support and Warranties + +You are not required to provide support for Your contributions, except to the extent that You wish to provide support. You can provide support for free, paid, or not at all. Unless required by applicable law or agreed to by You in writing, You provide Your Contributions "AS IS," WITHOUT WARRANTY OR CONDITION OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. + +### 5. Reporting + +You agree to inform intuitem of any facts or circumstances of which you become aware that cause such statements to be inaccurate in any respect. 
diff --git a/README.md b/README.md index 96d496b..c55f5e8 100644 --- a/README.md +++ b/README.md @@ -18,17 +18,20 @@ Read the [full article](https://intuitem.com/blog/we-are-going-open-source/) abo ## Supported frameworks -- ISO 27001 +- ISO 27001:2022 - NIST Cyber Security Framework (CSF) v1.1 - NIS2 +- SOC2 +- PCI DSS 4.0 +- CMMC v2 Checkout the [library](/library/libraries/) for the Domain Specific Language used and how you can define your own. ### Coming soon -- CMMC - GDPR checklist - ANSSI CyberScore - NIST CSF v2 + ## Community Join our [open Discord community](https://discord.gg/qvkaMdQ8da) to interact with the team and other GRC experts. @@ -50,7 +53,7 @@ To install gettext and pango, do `sudo apt update && sudo apt install gettext li ### Quick start 🚀 -There are two methods to run CISO locally: using Python or using Docker. +There are three methods to run CISO locally: using Python, using Docker or using docker-compose. By default, Django secret key is generated randomly at each start of Mira. This is convenient for quick test, but not recommended for production, as it can break the sessions (see this [topic](https://stackoverflow.com/questions/15170637/effects-of-changing-djangos-secret-key) for more information). To set a fixed secret key, use the environment variable DJANGO_SECRET_KEY. @@ -102,12 +105,12 @@ python manage.py collectstatic python manage.py createsuperuser ``` -5. Run CISO +5. Run CISO Assistant ```sh python manage.py runserver ``` -You can then reach CISO using your web brower at [http://127.0.0.1:8000/](http://127.0.0.1:8000/) +You can then reach CISO Assistant using your web brower at [http://127.0.0.1:8000/](http://127.0.0.1:8000/) #### Using Docker 
@@ -127,7 +130,7 @@ docker run --rm -it --env CREATE_SUPERUSER=true -p 8000:8000 -v ./db:/code/db c When asked for, enter your email and password for your superuser. -You can then reach CISO using your web brower at [http://127.0.0.1:8000/](http://127.0.0.1:8000/) +You can then reach CISO Assistant using your web brower at [http://127.0.0.1:8000/](http://127.0.0.1:8000/) For the following executions, simply run: @@ -137,7 +140,21 @@ docker run --rm -p 8000:8000 -v ./db:/code/db ciso-assistant:$( As said in the quickstart section, CISO generates a random Django secret key if not specified. To avoid broken sessions, it is preferable to set a fixed random value using the DJANGO_SECRET_KEY environment variable. +> As said in the quickstart section, CISO Assistant generates a random Django secret key if not specified. To avoid broken sessions, it is preferable to set a fixed random value using the DJANGO_SECRET_KEY environment variable. **Optional variables** ```sh -# CISO will use SQLite by default, but you can setup PostgreSQL by declaring these variables +# CISO Assistant will use SQLite by default, but you can setup PostgreSQL by declaring these variables export POSTGRES_NAME=ciso-assistant export POSTGRES_USER=ciso-assistantuser export POSTGRES_PASSWORD= +export POSTGRES_PASSWORD_FILE= # alternative way to specify password export DB_HOST=localhost export DB_PORT=5432 # optional, default value is 5432 diff --git a/ciso_assistant/VERSION b/ciso_assistant/VERSION index 2003b63..2bd77c7 100644 --- a/ciso_assistant/VERSION +++ b/ciso_assistant/VERSION @@ -1 +1 @@ -0.9.2 +0.9.4 \ No newline at end of file diff --git a/ciso_assistant/settings.py b/ciso_assistant/settings.py index 3a28687..46f3505 100644 --- a/ciso_assistant/settings.py +++ b/ciso_assistant/settings.py 
@@ -238,6 +238,9 @@ if 'POSTGRES_NAME' in os.environ: print("Postgresql database engine") + fp = os.environ.get('POSTGRES_PASSWORD_FILE') + if fp: + os.environ['POSTGRES_PASSWORD'] = Path(fp).read_text().strip() DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql_psycopg2', @@ -248,7 +251,6 @@ 'PORT': os.environ.get('DB_PORT', '5432'), } } - print("Postgresql database engine") else: print("sqlite database engine") DATABASES = { diff --git a/core/base_models.py b/core/base_models.py index b0e37e0..54a9286 100644 --- a/core/base_models.py +++ b/core/base_models.py @@ -17,16 +17,7 @@ class Meta: def __str__(self) -> str: return self.name - - def clean(self) -> None: - scope = self.get_scope() - field_errors = {} - _fields_to_check = self.fields_to_check if hasattr(self, 'fields_to_check') else ['name'] - if not self.is_unique_in_scope(scope=scope, fields_to_check=_fields_to_check): - field_errors['name'] = _('This name is already in use.') - super().clean() - if field_errors: - raise ValidationError(field_errors) + class AbstractBaseModel(models.Model): id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False) @@ -89,16 +80,13 @@ def get_scope(self): def clean(self) -> None: scope = self.get_scope() field_errors = {} - _fields_to_check = self.fields_to_check if hasattr(self, 'fields_to_check') else [] + _fields_to_check = self.fields_to_check if hasattr(self, 'fields_to_check') else ['name'] if not self.is_unique_in_scope(scope=scope, fields_to_check=_fields_to_check): for field in _fields_to_check: - if not self.is_unique_in_scope(scope=scope, fields_to_check=[field]): - field_errors[field] = ValidationError( - _( - f"{getattr(self, field)} is already in use in this scope. Please choose another value." - ), - code="unique", - ) + field_errors[field] = ValidationError( + _("Value already used in this scope."), + code="unique", + ) super().clean() if field_errors: raise ValidationError(field_errors) 
diff --git a/core/locale/fr/LC_MESSAGES/django.po b/core/locale/fr/LC_MESSAGES/django.po index 981319c..7a15463 100644 --- a/core/locale/fr/LC_MESSAGES/django.po +++ b/core/locale/fr/LC_MESSAGES/django.po @@ -237,7 +237,7 @@ msgstr "Rechercher une preuve..." #: core/filters.py:490 msgid "Search framework..." -msgstr "Rechercher un cadre..." +msgstr "Rechercher un rĂ©fĂ©rentiel..." #: core/forms.py:32 msgid "Invalid link" @@ -295,7 +295,7 @@ msgstr "Menaces" #: core/models.py:77 msgid "Version of the framework (eg. 1.0, 2.0, etc.)" -msgstr "Version du cadre (eg. 1.0, 2.0, etc.)" +msgstr "Version du rĂ©fĂ©rentiel (eg. 1.0, 2.0, etc.)" #: core/models.py:83 core/models.py:110 core/models.py:128 core/models.py:152 #: core/models.py:331 core/templates/core/assessment_list.html:109 @@ -305,14 +305,14 @@ msgstr "Version du cadre (eg. 1.0, 2.0, etc.)" #: core/templates/core/requirement_list.html:110 #: core/templates/library/library_detail.html:97 msgid "Framework" -msgstr "Cadre" +msgstr "RĂ©fĂ©rentiel" #: core/models.py:84 core/templates/core/framework_list.html:6 #: core/templates/core/security_function_list.html:109 #: core/templates/core/sidebar.html:119 #: core/templates/core/threat_list.html:111 core/views.py:2422 msgid "Frameworks" -msgstr "Cadres" +msgstr "RĂ©fĂ©rentiels" #: core/models.py:116 core/models.py:158 msgid "Parent URN" 
@@ -987,23 +987,23 @@ msgstr "Aucune mesure pour le moment." #: core/templates/core/framework_list.html:105 msgid "Import framework" -msgstr "Importer un cadre" +msgstr "Importer un rĂ©fĂ©rentiel" #: core/templates/core/framework_list.html:155 msgid "Delete framework?" -msgstr "Supprimer le cadre ?" +msgstr "Supprimer le rĂ©fĂ©rentiel ?" #: core/templates/core/framework_list.html:165 msgid "No framework found." -msgstr "Aucun cadre trouvĂ©." +msgstr "Aucun rĂ©fĂ©rentiel trouvĂ©." #: core/templates/core/framework_update.html:4 msgid "Edit framework" -msgstr "Modifier le cadre" +msgstr "Modifier le rĂ©fĂ©rentiel" #: core/templates/core/framework_update.html:10 msgid "Framework information" -msgstr "Informations du cadre" +msgstr "Informations du rĂ©fĂ©rentiel" #: core/templates/core/group_create.html:4 msgid "New user group" @@ -2520,7 +2520,7 @@ msgstr "" #~ msgstr "Nom de la preuve" #~ msgid "Framework Name" -#~ msgstr "Nom du cadre" +#~ msgstr "Nom du rĂ©fĂ©rentiel" #~ msgid "Library name" #~ msgstr "Nom de la bibliothĂšque" diff --git a/core/migrations/0018_alter_evidence_options.py b/core/migrations/0018_alter_evidence_options.py deleted file mode 100644 index fb0fa01..0000000 --- a/core/migrations/0018_alter_evidence_options.py +++ /dev/null @@ -1,17 +0,0 @@ -# Generated by Django 4.2.5 on 2023-10-02 11:51 - -from django.db import migrations - - -class Migration(migrations.Migration): - - dependencies = [ - ('core', '0017_remove_evidence_ref_url'), - ] - - operations = [ - migrations.AlterModelOptions( - name='evidence', - options={'verbose_name': 'Evidence', 'verbose_name_plural': 'Evidences'}, - ), - ] diff --git a/core/models.py b/core/models.py index 10b1056..e3bcd9f 100644 --- a/core/models.py +++ b/core/models.py 
@@ -83,6 +83,8 @@ class Meta: verbose_name = _("Framework") verbose_name_plural = _("Frameworks") + fields_to_check = ['urn'] + def get_next_order_id(self, obj_type: models.Model, _parent_urn: str = None) -> int: """ Returns the next order id for a given object type @@ -117,6 +119,7 @@ class RequirementGroup(AbstractBaseModel, I18nMixin, NameDescriptionMixin, Folde ) order_id = models.IntegerField(null=True, blank=True, verbose_name=_("Order ID")) level = models.IntegerField(null=True, blank=True, verbose_name=_("Level")) + fields_to_check = ['urn'] class RequirementLevel(AbstractBaseModel, I18nMixin, FolderMixin): @@ -132,6 +135,7 @@ class RequirementLevel(AbstractBaseModel, I18nMixin, FolderMixin): ) level = models.IntegerField(null=False, blank=False, verbose_name=_("Level")) description = models.TextField(null=True, blank=True, verbose_name=_("Description")) + fields_to_check = ['urn'] class Requirement(AbstractBaseModel, I18nMixin, NameDescriptionMixin, FolderMixin): @@ -165,6 +169,7 @@ class Requirement(AbstractBaseModel, I18nMixin, NameDescriptionMixin, FolderMixi blank=True, verbose_name=_("Informative reference"), ) + fields_to_check = ['urn'] class Meta: verbose_name = _("Requirement") @@ -454,6 +459,8 @@ class Status(models.TextChoices): related_name="requirement_assessments", ) + fields_to_check = [] + def __str__(self) -> str: if self.requirement.name not in ("", "-"): return f"{self.assessment} - {self.requirement.get_requirement_group()}. {self.requirement.get_requirement_group().description}/{self.requirement}" diff --git a/docker-compose-pg.sh b/docker-compose-pg.sh new file mode 100755 index 0000000..147e632 --- /dev/null +++ b/docker-compose-pg.sh 
@@ -0,0 +1,12 @@ +#! /usr/bin/env bash + +if [ -d db/data ] ; then + echo "the database seems already created" + echo "you should launch docker-compose up -d" +else + uuidgen > ./db/pg_password.txt + docker-compose up -d + echo "initialize your superuser account..." + docker-compose exec ciso-assistant python manage.py createsuperuser + echo "for successive runs you can now use docker compose up" +fi diff --git a/docker-compose.yaml b/docker-compose.yaml new file mode 100644 index 0000000..90d18b7 --- /dev/null +++ b/docker-compose.yaml @@ -0,0 +1,49 @@ +version: "3.5" +services: + ciso-assistant: + build: . + image: ciso-assistant:0.9.1 + container_name: "ciso-assistant" + ports: + - "8000:8000" + depends_on: + postgres: + condition: service_healthy + environment: + DJANGO_DEBUG: "True" + CISO_URL: http://127.0.0.1:8000 + POSTGRES_NAME: postgres + POSTGRES_USER: postgres + POSTGRES_PASSWORD_FILE: /run/secrets/pg_password +# CISO_SUPERUSER_EMAIL: ciso@assistant.local + EMAIL_HOST: your.mail.server + EMAIL_PORT: 1025 + EMAIL_HOST_USER: '' + EMAIL_HOST_PASSWORD: '' + EMAIL_USE_TLS: "False" + EMAIL_USE_SSL: "False" + DEFAULT_FROM_EMAIL: ciso@assistant.local + DB_HOST: ciso-postgres + volumes: + - ./db:/code/db + secrets: + - pg_password + + postgres: + image: postgres + container_name: "ciso-postgres" + restart: always + environment: + POSTGRES_PASSWORD_FILE: /run/secrets/pg_password + volumes: + - ./db/data:/var/lib/postgresql/data + healthcheck: + test: ["CMD-SHELL", "pg_isready -U postgres"] + interval: 5s + timeout: 5s + retries: 5 + secrets: + - pg_password +secrets: + pg_password: + file: ./db/pg_password.txt diff --git a/iam/models.py b/iam/models.py index 3491b66..178c421 100644 --- a/iam/models.py +++ b/iam/models.py 
@@ -82,7 +82,7 @@ def _get_root_folder(): return None -class Folder(I18nMixin, NameDescriptionMixin, AbstractBaseModel): +class Folder(AbstractBaseModel, I18nMixin, NameDescriptionMixin): """ A folder is a container for other folders or any object Folders are organized in a tree structure, with a single root folder Folders are the base perimeter for role assignments diff --git a/library/libraries/cmmc-v2.yaml b/library/libraries/cmmc-v2.yaml new file mode 100644 index 0000000..be43dc1 --- /dev/null +++ b/library/libraries/cmmc-v2.yaml 
@@ -0,0 +1,781 @@ +urn: urn:intuitem:risk:library:cmmc-v2 +locale: en +name: CMMC v2 +description: 'Cybersecurity Maturity Model Certification ' +version: 1 +objects: + framework: + urn: urn:intuitem:risk:framework:cmmc-v2 + provider: DoD + name: CMMC v2 + description: 'Cybersecurity Maturity Model Certification ' + version: '1.1' + requirement_groups: + - urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + name: AC + description: ACCESS CONTROL + - urn: urn:intuitem:risk:req_groups:cmmc-v2:at + name: AT + description: AWARENESS AND TRAINING + - urn: urn:intuitem:risk:req_groups:cmmc-v2:au + name: AU + description: AUDIT AND ACCOUNTABILITY + - urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + name: CM + description: CONFIGURATION MANAGEMENT + - urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + name: IA + description: IDENTIFICATION AND AUTHENTICATION + - urn: urn:intuitem:risk:req_groups:cmmc-v2:ir + name: IR + description: INCIDENT RESPONSE + - urn: urn:intuitem:risk:req_groups:cmmc-v2:ma + name: MA + description: MAINTENANCE + - urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + name: MP + description: MEDIA PROTECTION + - urn: urn:intuitem:risk:req_groups:cmmc-v2:ps + name: PS + description: PERSONNEL SECURITY + - urn: urn:intuitem:risk:req_groups:cmmc-v2:pe + name: PE + description: PHYSICAL PROTECTION + - urn: urn:intuitem:risk:req_groups:cmmc-v2:ra + name: RA + description: RISK ASSESSMENT + - urn: urn:intuitem:risk:req_groups:cmmc-v2:ca + name: CA + description: SECURITY ASSESSMENT + - urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + name: SC + description: SYSTEM AND COMMUNICATIONS PROTECTION + - urn: urn:intuitem:risk:req_groups:cmmc-v2:si + name: SI + description: SYSTEM AND INFORMATION INTEGRITY + requirements: + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:1 + name: AC.L1-3.1.1 Authorized Access Control + description: "Limit information system access to authorized users, processes\ + \ acting on behalf of authorized users, or devices (including other information\ + \ 
systems).\n\u2022 FAR Clause 52.204-21 b.1.i\n\u2022 NIST SP 800-171 Rev\ + \ 2 3.1.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:2 + name: AC.L1-3.1.2 Transaction & Function Control + description: "Limit information system access to the types of transactions and\ + \ functions that authorized users are permitted to execute. \n\u2022 FAR Clause\ + \ 52.204-21 b.1.ii\n\u2022 NIST SP 800-171 Rev 2 3.1.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:3 + name: AC.L2-3.1.3 Control CUI Flow + description: "Control the flow of CUI in accordance with approved authorizations.\ + \ \n\u2022 NIST SP 800-171 Rev 2 3.1.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:4 + name: AC.L2-3.1.4 Separation of Duties + description: "Separate the duties of individuals to reduce the risk of malevolent\ + \ activity without collusion.\n\u2022 NIST SP 800-171 Rev 2 3.1.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:5 + name: AC.L2-3.1.5 Least Privilege + description: "Employ the principle of least privilege, including for specific\ + \ security functions and privileged accounts.\n\u2022 NIST SP 800-171 Rev\ + \ 2 3.1.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:6 + name: AC.L2-3.1.6 Non-Privileged Account Use + description: "Use non-privileged accounts or roles when accessing nonsecurity\ + \ functions.\n\u2022 NIST SP 800-171 Rev 2 3.1.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:7 + name: AC.L2-3.1.7 Privileged Functions + description: "Prevent non-privileged users from executing privileged functions\ + \ and capture the execution of such functions in audit logs.\n\u2022 NIST\ + \ SP 800-171 
Rev 2 3.1.7" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:8 + name: AC.L2-3.1.8 Unsuccessful Logon Attempts + description: "Limit unsuccessful logon attempts. \n\u2022 NIST SP 800-171 Rev\ + \ 2 3.1.8" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:9 + name: AC.L2-3.1.9 Privacy & Security Notices + description: "Provide privacy and security notices consistent with applicable\ + \ CUI rules.\n\u2022 NIST SP 800-171 Rev 2 3.1.9" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:10 + name: AC.L2-3.1.10 Session Lock + description: "Use session lock with pattern-hiding displays to prevent access\ + \ and viewing of data after a period of inactivity. \n\u2022 NIST SP 800-171\ + \ Rev 2 3.1.10" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:11 + name: AC.L2-3.1.11 Session Termination + description: "Terminate (automatically) a user session after a defined condition.\n\ + \u2022 NIST SP 800-171 Rev 2 3.1.11" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:12 + name: AC.L2-3.1.12 Control Remote Access + description: "Monitor and control remote access sessions.\n\u2022 NIST SP 800-171\ + \ Rev 2 3.1.12" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:13 + name: AC.L2-3.1.13 Remote Access Confidentiality + description: "Employ cryptographic mechanisms to protect the confidentiality\ + \ of remote access sessions.\n\u2022 NIST SP 800-171 Rev 2 3.1.13" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:14 + name: AC.L2-3.1.14 Remote Access Routing + description: "Route remote access via managed access control points. 
\n\u2022\ + \ NIST SP 800-171 Rev 2 3.1.14" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:15 + name: AC.L2-3.1.15 Privileged Remote Access + description: "Authorize remote execution of privileged commands and remote access\ + \ to security-relevant information. \n\u2022 NIST SP 800-171 Rev 2 3.1.15" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:16 + name: AC.L2-3.1.16 Wireless Access Authorization + description: "Authorize wireless access prior to allowing such connections.\n\ + \u2022 NIST SP 800-171 Rev 2 3.1.16" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:17 + name: AC.L2-3.1.17 Wireless Access Protection + description: "Protect wireless access using authentication and encryption. \n\ + \u2022 NIST SP 800-171 Rev 2 3.1.17" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:18 + name: AC.L2-3.1.18 Mobile Device Connection + description: "Control connection of mobile devices.\n\u2022 NIST SP 800-171\ + \ Rev 2 3.1.18" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:19 + name: AC.L2-3.1.19 Encrypt CUI on Mobile + description: "Encrypt CUI on mobile devices and mobile computing platforms.\ + \ \n\u2022 NIST SP 800-171 Rev 2 3.1.19" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:20 + name: AC.L1-3.1.20 External Connections + description: "Verify and control/limit connections to and use of external information\ + \ systems. 
\n\u2022 FAR Clause 52.204-21 b.1.iii\n\u2022 NIST SP 800-171 Rev\ + \ 2 3.1.20" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:21 + name: AC.L2-3.1.21 Portable Storage Use + description: "Limit use of portable storage devices on external systems.\n\u2022\ + \ NIST SP 800-171 Rev 2 3.1.21" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ac:22 + name: AC.L1-3.1.22 Control Public Information + description: "Control information posted or processed on publicly accessible\ + \ information systems.\n\u2022 FAR Clause 52.204-21 b.1.iv\n\u2022 NIST SP\ + \ 800-171 Rev 2 3.1.22" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ac + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:at:1 + name: AT.L2-3.2.1 Role-Based Risk Awareness + description: "Ensure that managers, systems administrators, and users of organizational\ + \ systems are made aware of the security risks associated with their activities\ + \ and of the applicable policies, standards, and procedures related to the\ + \ security of those systems.\n\u2022 NIST SP 800-171 Rev 2 3.2.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:at + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:at:2 + name: AT.L2-3.2.2 Role-Based Training + description: "Ensure that personnel are trained to carry out their assigned\ + \ information security-related duties and responsibilities. 
\n\u2022 NIST\ + \ SP 800-171 Rev 2 3.2.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:at + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:at:3 + name: AT.L2-3.2.3 Insider Threat Awareness + description: "Provide security awareness training on recognizing and reporting\ + \ potential indicators of insider threat.\n\u2022 NIST SP 800-171 Rev 2 3.2.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:at + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:1 + name: AU.L2-3.3.1 System Auditing + description: "Create and retain system audit logs and records to the extent\ + \ needed to enable the monitoring, analysis, investigation, and reporting\ + \ of unlawful or unauthorized system activity. \n\u2022 NIST SP 800-171 Rev\ + \ 2 3.3.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:2 + name: AU.L2-3.3.2 User Accountability + description: "Ensure that the actions of individual system users can be uniquely\ + \ traced to those users, so they can be held accountable for their actions.\n\ + \u2022 NIST SP 800-171 Rev 2 3.3.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:3 + name: AU.L2-3.3.3 Event Review + description: "Review and update logged events.\n\u2022 NIST SP 800-171 Rev 2\ + \ 3.3.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:4 + name: AU.L2-3.3.4 Audit Failure Alerting + description: "Alert in the event of an audit logging process failure. 
\n\u2022\ + \ NIST SP 800-171 Rev 2 3.3.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:5 + name: AU.L2-3.3.5 Audit Correlation + description: "Correlate audit record review, analysis, and reporting processes\ + \ for investigation and response to indications of unlawful, unauthorized,\ + \ suspicious, or unusual activity.\n\u2022 NIST SP 800-171 Rev 2 3.3.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:6 + name: AU.L2-3.3.6 Reduction & Reporting + description: "Provide audit record reduction and report generation to support\ + \ on-demand analysis and reporting.\n\u2022 NIST SP 800-171 Rev 2 3.3.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:7 + name: AU.L2-3.3.7 Authoritative Time Source + description: "Provide a system capability that compares and synchronizes internal\ + \ system clocks with an authoritative source to generate time stamps for audit\ + \ records.\n\u2022 NIST SP 800-171 Rev 2 3.3.7" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:8 + name: AU.L2-3.3.8 Audit Protection + description: "Protect audit information\_and audit logging tools from unauthorized\ + \ access, modification, and deletion.\n\u2022 NIST SP 800-171 Rev 2 3.3.8" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:au:9 + name: AU.L2-3.3.9 Audit Management + description: "Limit management of audit logging functionality to a subset of\ + \ privileged users.\_\n\u2022 NIST SP 800-171 Rev 2 3.3.9" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:au + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:1 + name: CM.L2-3.4.1 System Baselining + description: "Establish and maintain baseline configurations and inventories\ + \ of organizational systems (including 
hardware, software, firmware, and documentation)\ + \ throughout the respective system development life cycles.\n\u2022 NIST SP\ + \ 800-171 Rev 2 3.4.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:2 + name: CM.L2-3.4.2 Security Configuration Enforcement + description: "Establish and enforce security configuration settings for information\ + \ technology products employed in organizational systems.\n\u2022 NIST SP\ + \ 800-171 Rev 2 3.4.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:3 + name: CM.L2-3.4.3 System Change Management + description: "Track, review, approve or disapprove, and log changes to organizational\ + \ systems. \n\u2022 NIST SP 800-171 Rev 2 3.4.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:4 + name: CM.L2-3.4.4 Security Impact Analysis + description: "Analyze the security impact of changes prior to implementation.\ + \ \n\u2022 NIST SP 800-171 Rev 2 3.4.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:5 + name: CM.L2-3.4.5 Access Restrictions for Change + description: "Define, document, approve, and enforce physical and logical access\ + \ restrictions associated with changes to organizational systems.\n\u2022\ + \ NIST SP 800-171 Rev 2 3.4.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:6 + name: CM.L2-3.4.6 Least Functionality + description: "Employ the principle of least functionality by configuring organizational\ + \ systems to provide only essential capabilities. 
\n\u2022 NIST SP 800-171\ + \ Rev 2 3.4.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:7 + name: CM.L2-3.4.7 Nonessential Functionality + description: "Restrict, disable, or prevent the use of nonessential programs,\ + \ functions, ports, protocols, and services. \n\u2022 NIST SP 800-171 Rev\ + \ 2 3.4.7" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:8 + name: CM.L2-3.4.8 Application Execution Policy + description: "Apply deny-by-exception (blacklisting) policy to prevent the use\ + \ of unauthorized software or deny-all, permit-by-exception (whitelisting)\ + \ policy to allow the execution of authorized software. \n\u2022 NIST SP 800-171\ + \ Rev 2 3.4.8" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:cm:9 + name: CM.L2-3.4.9 User-Installed Software + description: "Control and monitor user-installed software.\n\u2022 NIST SP 800-171\ + \ Rev 2 3.4.9" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:cm + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:1 + name: IA.L1-3.5.1 Identification + description: "Identify information system users, processes acting on behalf\ + \ of users, or devices.\n\u2022 FAR Clause 52.204-21 b.1.v\n\u2022 NIST SP\ + \ 800-171 Rev 2 3.5.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:2 + name: IA.L1-3.5.2 Authentication + description: "Authenticate (or verify) the identities of those users, processes,\ + \ or devices, as a prerequisite to allowing access to organizational information\ + \ systems.\n\u2022 FAR Clause 52.204-21 b.1.vi\n\u2022 NIST SP 800-171 Rev\ + \ 2 3.5.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:3 + name: IA.L2-3.5.3 Multifactor Authentication + description: "Use multifactor 
authentication for local and network access to\ + \ privileged accounts and for network access to non-privileged accounts. \n\ + \u2022 NIST SP 800-171 Rev 2 3.5.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:4 + name: IA.L2-3.5.4 Replay-Resistant Authentication + description: "Employ replay-resistant authentication mechanisms for network\ + \ access to privileged and non-privileged accounts.\n\u2022 NIST SP 800-171\ + \ Rev 2 3.5.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:5 + name: IA.L2-3.5.5 Identifier Reuse + description: "Prevent reuse of identifiers for a defined period. \n\u2022 NIST\ + \ SP 800-171 Rev 2 3.5.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:6 + name: IA.L2-3.5.6 Identifier Handling + description: "Disable identifiers after a defined period of inactivity. \n\u2022\ + \ NIST SP 800-171 Rev 2 3.5.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:7 + name: IA.L2-3.5.7 Password Complexity + description: "Enforce a minimum password complexity and change of characters\ + \ when new passwords are created.\n\u2022 NIST SP 800-171 Rev 2 3.5.7" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:8 + name: IA.L2-3.5.8 Password Reuse + description: "Prohibit password reuse for a specified number of generations.\n\ + \u2022 NIST SP 800-171 Rev 2 3.5.8" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:9 + name: IA.L2-3.5.9 Temporary Passwords + description: "Allow temporary password use for system logons with an immediate\ + \ change to a permanent password. 
\n\u2022 NIST SP 800-171 Rev 2 3.5.9" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:10 + name: IA.L2-3.5.10 Cryptographically-Protected Passwords + description: "Store and transmit only cryptographically-protected passwords.\ + \ \n\u2022 NIST SP 800-171 Rev 2 3.5.10" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ia:11 + name: IA.L2-3.5.11 Obscure Feedback + description: "Obscure feedback of authentication information. \n\u2022 NIST\ + \ SP 800-171 Rev 2 3.5.11" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ia + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ir:1 + name: IR.L2-3.6.1 Incident Handling + description: "Establish an operational incident-handling capability for organizational\ + \ systems that includes preparation, detection, analysis, containment, recovery,\ + \ and user response activities.\n\u2022 NIST SP 800-171 Rev 2 3.6.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ir + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ir:2 + name: IR.L2-3.6.2 Incident Reporting + description: "Track, document, and report incidents to designated officials\ + \ and/or authorities both internal and external to the organization.\n\u2022\ + \ NIST SP 800-171 Rev 2 3.6.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ir + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ir:3 + name: IR.L2-3.6.3 Incident Response Testing + description: "Test the organizational incident response capability.\n\u2022\ + \ NIST SP 800-171 Rev 2 3.6.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ir + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ma:1 + name: MA.L2-3.7.1 Perform Maintenance + description: "Perform maintenance on organizational systems.\n\u2022 NIST SP\ + \ 800-171 Rev 2 3.7.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ma + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ma:2 + name: MA.L2-3.7.2 
System Maintenance Control + description: "Provide controls on the tools, techniques, mechanisms, and personnel\ + \ used to conduct system maintenance.\n\u2022 NIST SP 800-171 Rev 2 3.7.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ma + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ma:3 + name: MA.L2-3.7.3 Equipment Sanitization + description: "Ensure equipment removed for off-site maintenance is sanitized\ + \ of any CUI. \n\u2022 NIST SP 800-171 Rev 2 3.7.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ma + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ma:4 + name: MA.L2-3.7.4 Media Inspection + description: "Check media containing diagnostic and test programs for malicious\ + \ code before the media are used in organizational systems. \n\u2022 NIST\ + \ SP 800-171 Rev 2 3.7.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ma + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ma:5 + name: MA.L2-3.7.5 Nonlocal Maintenance + description: "Require multifactor authentication to establish nonlocal maintenance\ + \ sessions via external network connections and terminate such connections\ + \ when nonlocal maintenance is complete.\n\u2022 NIST SP 800-171 Rev 2 3.7.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ma + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ma:6 + name: MA.L2-3.7.6 Maintenance Personnel + description: "Supervise the maintenance activities of maintenance personnel\ + \ without required access authorization. \n\u2022 NIST SP 800-171 Rev 2 3.7.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ma + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:1 + name: MP.L2-3.8.1 Media Protection + description: "Protect (i.e., physically control and securely store) system media\ + \ containing CUI, both paper and digital. 
\n\u2022 NIST SP 800-171 Rev 2 3.8.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:2 + name: MP.L2-3.8.2 Media Access + description: "Limit access to CUI on system media to authorized users.\n\u2022\ + \ NIST SP 800-171 Rev 2 3.8.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:3 + name: MP.L1-3.8.3 Media Disposal + description: "Sanitize or destroy information system media containing Federal\ + \ Contract Information before disposal or release for reuse.\n\u2022 FAR Clause\ + \ 52.204-21 b.1.vii\n\u2022 NIST SP 800-171 Rev 2 3.8.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:4 + name: MP.L2-3.8.4 Media Markings + description: "Mark media with necessary CUI markings and distribution limitations.\n\ + \u2022 NIST SP 800-171 Rev 2 3.8.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:5 + name: MP.L2-3.8.5 Media Accountability + description: "Control access to media containing CUI and maintain accountability\ + \ for media during transport outside of controlled areas. \n\u2022 NIST SP\ + \ 800-171 Rev 2 3.8.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:6 + name: MP.L2-3.8.6 Portable Storage Encryption + description: "Implement cryptographic mechanisms to protect the confidentiality\ + \ of CUI stored on digital media during transport unless otherwise protected\ + \ by alternative physical safeguards. 
\n\u2022 NIST SP 800-171 Rev 2 3.8.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:7 + name: MP.L2-3.8.7 Removable Media + description: "Control the use of removable media on system components.\n\u2022\ + \ NIST SP 800-171 Rev 2 3.8.7" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:8 + name: MP.L2-3.8.8 Shared Media + description: "Prohibit the use of portable storage devices when such devices\ + \ have no identifiable owner.\n\u2022 NIST SP 800-171 Rev 2 3.8.8" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:mp:9 + name: MP.L2-3.8.9 Protect Backups + description: "Protect the confidentiality of backup CUI at storage locations.\ + \ \n\u2022 NIST SP 800-171 Rev 2 3.8.9" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:mp + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ps:1 + name: PS.L2-3.9.1 Screen Individuals + description: "Screen individuals prior to authorizing access to organizational\ + \ systems containing CUI.\n\u2022 NIST SP 800-171 Rev 2 3.9.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ps + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ps:2 + name: PS.L2-3.9.2 Personnel Actions + description: "Ensure that organizational systems containing CUI are protected\ + \ during and after personnel actions such as terminations and transfers.\n\ + \u2022 NIST SP 800-171 Rev 2 3.9.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ps + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:pe:1 + name: PE.L1-3.10.1 Limit Physical Access + description: "Limit physical access to organizational information systems, equipment,\ + \ and the respective operating environments to authorized individuals. 
\n\u2022\ + \ FAR Clause 52.204-21 b.1.viii\n\u2022 NIST SP 800-171 Rev 2 3.10.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:pe + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:pe:2 + name: PE.L2-3.10.2 Monitor Facility + description: "Protect and monitor the physical facility and support infrastructure\ + \ for organizational systems.\n\u2022 NIST SP 800-171 Rev 2 3.10.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:pe + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:pe:3 + name: PE.L1-3.10.3 Escort Visitors + description: "Escort visitors and monitor visitor activity. \n\u2022 FAR Clause\ + \ 52.204-21 Partial b.1.ix \n\u2022 NIST SP 800-171 Rev 2 3.10.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:pe + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:pe:4 + name: PE.L1-3.10.4 Physical Access Logs + description: "Maintain audit logs of physical access.\n\u2022 FAR Clause 52.204-21\ + \ Partial b.1.ix \n\u2022 NIST SP 800-171 Rev 2 3.10.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:pe + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:pe:5 + name: PE.L1-3.10.5 Manage Physical Access + description: "Control and manage physical access devices.\n\u2022 FAR Clause\ + \ 52.204-21 Partial b.1.ix \n\u2022 NIST SP 800-171 Rev 2 3.10.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:pe + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:pe:6 + name: PE.L2-3.10.6 Alternative Work Sites + description: "Enforce safeguarding measures for CUI at alternate work sites.\n\ + \u2022 NIST SP 800-171 Rev 2 3.10.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:pe + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ra:1 + name: RA.L2-3.11.1 Risk Assessments + description: "Periodically assess the risk to organizational operations (including\ + \ mission, functions, image, or reputation), organizational assets, and individuals,\ + \ resulting from the operation of organizational systems and the associated\ + \ processing, 
storage, or transmission of CUI.\n\u2022 NIST SP 800-171 Rev\ + \ 2 3.11.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ra + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ra:2 + name: RA.L2-3.11.2 Vulnerability Scan + description: "Scan for vulnerabilities in organizational systems and applications\ + \ periodically and when new vulnerabilities affecting those systems and applications\ + \ are identified.\_\n\u2022 NIST SP 800-171 Rev 2 3.11.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ra + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ra:3 + name: RA.L2-3.11.3 Vulnerability Remediation + description: "Remediate vulnerabilities in accordance with risk assessments.\n\ + \u2022 NIST SP 800-171 Rev 2 3.11.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ra + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ca:1 + name: CA.L2-3.12.1 Security Control Assessment + description: "Periodically assess the security controls in organizational systems\ + \ to determine if the controls are effective in their application.\_\n\u2022\ + \ NIST SP 800-171 Rev 2 3.12.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ca + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ca:2 + name: CA.L2-3.12.2 Plan of Action + description: "Develop and implement plans of action designed to correct deficiencies\ + \ and reduce or eliminate vulnerabilities in organizational systems.\n\u2022\ + \ NIST SP 800-171 Rev 2 3.12.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ca + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ca:3 + name: CA.L2-3.12.3 Security Control Monitoring + description: "Monitor security controls on an ongoing basis to ensure the continued\ + \ effectiveness of the controls.\_\n\u2022 NIST SP 800-171 Rev 2 3.12.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ca + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:ca:4 + name: CA.L2-3.12.4 System Security Plan + description: "Develop, document, and periodically update system 
security plans\ + \ that describe system boundaries, system environments of operation, how security\ + \ requirements are implemented, and the relationships with or connections\ + \ to other systems. \n\u2022 NIST SP 800-171 Rev 2 3.12.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:ca + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:1 + name: SC.L1-3.13.1 Boundary Protection + description: "Monitor, control, and protect organizational communications (i.e.,\ + \ information transmitted or received by organizational information systems)\ + \ at the external boundaries and key internal boundaries of the information\ + \ systems.\n\u2022 FAR Clause 52.204-21 b.1.x\n\u2022 NIST SP 800-171 Rev\ + \ 2 3.13.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:2 + name: SC.L2-3.13.2 Security Engineering + description: "Employ architectural designs, software development techniques,\ + \ and systems engineering principles that promote effective information security\ + \ within organizational systems.\n\u2022 NIST SP 800-171 Rev 2 3.13.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:3 + name: SC.L2-3.13.3 Role Separation + description: "Separate user functionality from system management functionality.\ + \ \n\u2022 NIST SP 800-171 Rev 2 3.13.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:4 + name: SC.L2-3.13.4 Shared Resource Control + description: "Prevent unauthorized and unintended information transfer via shared\ + \ system resources. 
\n\u2022 NIST SP 800-171 Rev 2 3.13.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:5 + name: SC.L1-3.13.5 Public-Access System Separation + description: "Implement subnetworks for publicly accessible system components\ + \ that are physically or logically separated from internal networks.\n\u2022\ + \ FAR Clause 52.204-21 b.1.xi\n\u2022 NIST SP 800-171 Rev 2 3.13.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:6 + name: SC.L2-3.13.6 Network Communication by Exception + description: "Deny network communications traffic by default and allow network\ + \ communications traffic by exception (i.e., deny all, permit by exception).\n\ + \u2022 NIST SP 800-171 Rev 2 3.13.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:7 + name: SC.L2-3.13.7 Split Tunneling + description: "Prevent remote devices from simultaneously establishing non-remote\ + \ connections with organizational systems and communicating via some other\ + \ connection to resources in external networks (i.e., split tunneling). \n\ + \u2022 NIST SP 800-171 Rev 2 3.13.7" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:8 + name: SC.L2-3.13.8 Data in Transit + description: "Implement cryptographic mechanisms to prevent unauthorized disclosure\ + \ of CUI during transmission unless otherwise protected by alternative physical\ + \ safeguards.\n\u2022 NIST SP 800-171 Rev 2 3.13.8" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:9 + name: SC.L2-3.13.9 Connections Termination + description: "Terminate network connections associated with communications sessions\ + \ at the end of the sessions or after a defined period of inactivity. 
\n\u2022\ + \ NIST SP 800-171 Rev 2 3.13.9" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:10 + name: SC.L2-3.13.10 Key Management + description: "Establish and manage cryptographic keys for cryptography employed\ + \ in organizational systems. \n\u2022 NIST SP 800-171 Rev 2 3.13.10" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:11 + name: SC.L2-3.13.11 CUI Encryption + description: "Employ FIPS-validated cryptography when used to protect the confidentiality\ + \ of CUI. \n\u2022 NIST SP 800-171 Rev 2 3.13.11" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:12 + name: SC.L2-3.13.12 Collaborative Device Control + description: "Prohibit remote activation of collaborative computing devices\ + \ and provide indication of devices in use to users present at the device.\ + \ \n\u2022 NIST SP 800-171 Rev 2 3.13.12" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:13 + name: SC.L2-3.13.13 Mobile Code + description: "Control and monitor the use of mobile code. 
\n\u2022 NIST SP 800-171\ + \ Rev 2 3.13.13" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:14 + name: SC.L2-3.13.14 Voice over Internet Protocol + description: "Control and monitor the use of Voice over Internet Protocol (VoIP)\ + \ technologies.\n\u2022 NIST SP 800-171 Rev 2 3.13.14" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:15 + name: SC.L2-3.13.15 Communications Authenticity + description: "Protect the authenticity of communications sessions.\n\u2022 NIST\ + \ SP 800-171 Rev 2 3.13.15" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:sc:16 + name: SC.L2-3.13.16 Data at Rest + description: "Protect the confidentiality of CUI at rest.\n\u2022 NIST SP 800-171\ + \ Rev 2 3.13.16" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:sc + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:si:1 + name: SI.L1-3.14.1 Flaw Remediation + description: "Identify, report, and correct information and information system\ + \ flaws in a timely manner.\n\u2022 FAR Clause 52.204-21 b.1.xii\n\u2022 NIST\ + \ SP 800-171 Rev 2 3.14.1" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:si + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:si:2 + name: SI.L1-3.14.2 Malicious Code Protection + description: "Provide protection from malicious code at appropriate locations\ + \ within organizational information systems.\n\u2022 FAR Clause 52.204-21\ + \ b.1.xiii\n\u2022 NIST SP 800-171 Rev 2 3.14.2" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:si + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:si:3 + name: SI.L2-3.14.3 Security Alerts & Advisories + description: "Monitor system security alerts and advisories and take action\ + \ in response.\n\u2022 NIST SP 800-171 Rev 2 3.14.3" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:si + maturity: 2 + - urn: 
urn:intuitem:risk:reqs:cmmc-v2:si:4 + name: SI.L1-3.14.4 Update Malicious Code Protection + description: "Update malicious code protection mechanisms when new releases\ + \ are available.\n\u2022 FAR Clause 52.204-21 b.1.xiv\n\u2022 NIST SP 800-171\ + \ Rev 2 3.14.4" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:si + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:si:5 + name: SI.L1-3.14.5 System & File Scanning + description: "Perform periodic scans of the information system and real-time\ + \ scans of files from external sources as files are downloaded, opened, or\ + \ executed.\n\u2022 FAR Clause 52.204-21 b.1.xv\n\u2022 NIST SP 800-171 Rev\ + \ 2 3.14.5" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:si + maturity: 1 + - urn: urn:intuitem:risk:reqs:cmmc-v2:si:6 + name: SI.L2-3.14.6 Monitor Communications for Attacks + description: "Monitor organizational systems, including inbound and outbound\ + \ communications traffic, to detect attacks and indicators of potential attacks.\n\ + \u2022 NIST SP 800-171 Rev 2 3.14.6" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:si + maturity: 2 + - urn: urn:intuitem:risk:reqs:cmmc-v2:si:7 + name: SI.L2-3.14.7 Identify Unauthorized Use + description: "Identify unauthorized use of organizational systems. \n\u2022\ + \ NIST SP 800-171 Rev 2 3.14.7" + parent_urn: urn:intuitem:risk:req_groups:cmmc-v2:si + maturity: 2 + security_functions: [] + threats: [] diff --git a/library/libraries/pcidss.yaml b/library/libraries/pcidss.yaml new file mode 100644 index 0000000..78b3c89 --- /dev/null +++ b/library/libraries/pcidss.yaml 
@@ -0,0 +1,3067 @@ +urn: urn:intuitem:risk:library:pcidss-4.0 +locale: en +name: PCI DSS 4.0 +description: PCI DSS 4.0 +version: 1 +objects: + framework: + urn: urn:intuitem:risk:framework:pcidss-4.0 + provider: PCI Security Standards Council + name: PCI DSS 4.0 + description: PCI DSS 4.0 + version: '1.0' + requirement_groups: + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems + name: Build and Maintain a Secure Network and Systems + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + name: Requirement 1 + description: Install and Maintain Network Security Controls + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1 + name: '1.1' + description: Processes and mechanisms for installing and maintaining network + security controls are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + name: '1.2' + description: Network security controls (NSCs) are configured and maintained. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + name: '1.3' + description: Network access to and from the cardholder data environment is restricted. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + name: '1.4' + description: Network connections between trusted and untrusted networks are + controlled. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.5 + name: '1.5' + description: Risks to the CDE from computing devices that are able to connect + to both untrusted networks and the CDE are mitigated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + name: Requirement 2 + description: Apply Secure Configurations to All System Components + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1 + name: '2.1' + description: Processes and mechanisms for applying secure configurations to + all system components are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + name: '2.2' + description: System components are configured and managed securely. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3 + name: '2.3' + description: Wireless environments are configured and managed securely. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data + name: Protect Account Data + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + name: Requirement 3 + description: Protect Stored Account Data + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.1 + name: '3.1' + description: Processes and mechanisms for protecting stored account data are + defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.2 + name: '3.2' + description: Storage of account data is kept to a minimum. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + name: '3.3' + description: Sensitive authentication data (SAD) is not stored after authorization. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.4 + name: '3.4' + description: Access to displays of full PAN and ability to copy cardholder data + are restricted. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + name: '3.5' + description: Primary account number (PAN) is secured wherever it is stored. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + name: '3.6' + description: Cryptographic keys used to protect stored account data are secured. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + name: '3.7' + description: Where cryptography is used to protect stored account data, key + management processes and procedures covering all aspects of the key + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4 + name: Requirement 4 + description: Protect Cardholder Data with Strong Cryptography During Transmission + Over Open, Public Networks + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.1 + name: '4.1' + description: Processes and mechanisms for protecting cardholder data with strong + cryptography during transmission over open, public networks are defined and + documented. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + name: '4.2' + description: PAN is protected with strong cryptography during transmission. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program + name: Maintain a Vulnerability Management Program + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + name: Requirement 5 + description: Protect All Systems and Networks from Malicious Software + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1 + name: '5.1' + description: Processes and mechanisms for protecting all systems and networks + from malicious software are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + name: '5.2' + description: Malicious software (malware) is prevented, or detected and addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + name: '5.3' + description: Anti-malware mechanisms and processes are active, maintained, and + monitored. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.4 + name: '5.4' + description: Anti-phishing mechanisms protect users against phishing attacks. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + name: Requirement 6 + description: Develop and Maintain Secure Systems and Software + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1 + name: '6.1' + description: Processes and mechanisms for developing and maintaining secure + systems and software are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + name: '6.2' + description: Bespoke and custom software are developed securely. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + name: '6.3' + description: Security vulnerabilities are identified and addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + name: '6.4' + description: Public-facing web applications are protected against attacks. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + name: '6.5' + description: Changes to all system components are managed securely. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + name: Implement Strong Access Control Measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + name: Requirement 7 + description: Restrict Access to System Components and Cardholder Data by Business + Need to Know + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1 + name: '7.1' + description: Processes and mechanisms for restricting access to system components + and cardholder data by business need to know are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + name: '7.2' + description: Access to system components and data is appropriately defined and + assigned. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + name: '7.3' + description: Access to system components and data is managed via an access control + system(s). 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + name: Requirement 8 + description: Identify Users and Authenticate Access to System Components + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1 + name: '8.1' + description: Processes and mechanisms for identifying users and authenticating + access to system components are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + name: '8.2' + description: "User identification and related accounts for users and administrators\ + \ are strictly managed throughout an account\u2019s lifecycle." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + name: '8.3' + description: Strong authentication for users and administrators is established + and managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + name: '8.4' + description: Multi-factor authentication (MFA) is implemented to secure access + into the CDE. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.5 + name: '8.5' + description: Multi-factor authentication (MFA) systems are configured to prevent + misuse. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + name: '8.6' + description: Use of application and system accounts and associated authentication + factors is strictly managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + name: Requirement 9 + description: Restrict Physical Access to Cardholder Data + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1 + name: '9.1' + description: Processes and mechanisms for restricting physical access to cardholder + data are defined and undood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + name: '9.2' + description: Physical access controls manage entry into facilities and systems + containing cardholder data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + name: '9.3' + description: Physical access for personnel and visitors is authorized and managed. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + name: '9.4' + description: Media with cardholder data is securely stored, accessed, distributed, + and destroyed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + name: '9.5' + description: Point of interaction (POI) devices are protected from tampering + and unauthorized substitution. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks + name: Regularly Monitor and Test Networks + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + name: Requirement 10 + description: Log and Monitor All Access to System Components and Cardholder + Data + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1 + name: '10.1' + description: Processes and mechanisms for logging and monitoring all access + to system components and cardholder data are defined and documented. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + name: '10.2' + description: Audit logs are implemented to support the detection of anomalies + and suspicious activity, and the forensic analysis of events. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + name: '10.3' + description: Audit logs are protected from destruction and unauthorized modifications. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + name: '10.4' + description: Audit logs are reviewed to identify anomalies or suspicious activity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.5 + name: '10.5' + description: Audit log history is retained and available for analysis. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + name: '10.6' + description: Time-synchronization mechanisms support consistent time settings + across all systems. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + name: '10.7' + description: Failures of critical security control systems are detected, reported, + and responded to promptly. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + name: Requirement 11 + description: Test Security of Systems and Networks Regularly + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1 + name: '11.1' + description: Processes and mechanisms for regularly testing security of systems + and networks are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2 + name: '11.2' + description: Wireless access points are identified and monitored, and unauthorized + wireless access points are addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + name: '11.3' + description: External and internal vulnerabilities are regularly identified, + prioritized, and addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + name: '11.4' + description: External and internal penetration testing is regularly performed, + and exploitable vulnerabilities and security weaknesses are corrected. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + name: '11.5' + description: Network intrusions and unexpected file changes are detected and + responded to. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.6 + name: '11.6' + description: Unauthorized changes on payment pages are detected and responded + to. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy + name: Maintain an Information Security Policy + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + name: Requirement 12 + description: Support Information Security with Organizational Policies and Programs + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + name: '12.1' + description: "A comprehensive information security policy that governs and provides\ + \ direction for protection of the entity\u2019s information assets is known\ + \ and current." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.2 + name: '12.2' + description: Acceptable use policies for end-user technologies are defined and + implemented. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + name: '12.3' + description: Risks to the cardholder data environment are formally identified, + evaluated, and managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + name: '12.4' + description: PCI DSS compliance is managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + name: '12.5' + description: PCI DSS scope is documented and validated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + name: '12.6' + description: Security awareness education is an ongoing activity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.7 + name: '12.7' + description: Personnel are screened to reduce risks from insider threats. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + name: '12.8' + description: Risk to information assets associated with third-party service + provider (TPSP) relationships is managed. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9 + name: '12.9' + description: "Third-party service providers (TPSPs) support their customers\u2019\ + \ PCI DSS compliance." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + name: '12.10' + description: Suspected and confirmed security incidents that could impact the + CDE are responded to immediately. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + name: Appendix A + description: Additional PCI DSS Requirements + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1 + name: Appendix A1 + description: Additional PCI DSS Requirements for Multi-Tenant Service Providers + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + name: A1.1 + description: Multi-tenant service providers protect and separate all customer + environments and data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + name: A1.2 + description: Multi-tenant service providers facilitate logging and incident + response for all customers. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2 + name: Appendix A2 + description: Additional PCI DSS Requirements for Entities Using SSL/Early TLS + for Card-Present POS POI Terminal Connections + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + name: A2.1 + description: POI terminals using SSL and/or early TLS are confirmed as not susceptible + to known SSL/TLS exploits. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + name: Appendix A3 + description: Designated Entities Supplemental Validation (DESV) + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + name: A3.1 + description: A PCI DSS compliance program is implemented. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + name: A3.2 + description: PCI DSS scope is documented and validated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + name: A3.3 + description: PCI DSS is incorporated into business-as-usual (BAU) activities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.4 + name: A3.4 + description: Logical access to the cardholder data environment is controlled + and managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.5 + name: A3.5 + description: Suspicious events are identified and responded to. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + requirements: + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1:1 + name: 1.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 1 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1:2 + name: 1.1.2 + description: Roles and responsibilities for performing activities in Requirement + 1 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:1 + name: 1.2.1 + description: 'Configuration standards for NSC rulesets are + + - Defined. + + - Implemented + + - Maintained.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:2 + name: 1.2.2 + description: All changes to network connections and to configurations of NSCs + are approved and managed in accordance with the change control process defined + at Requirement 6.5.1. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:3 + name: 1.2.3 + description: An accurate network diagram(s) is maintained that shows all connections + between the CDE and other networks, including any wireless networks. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:4 + name: 1.2.4 + description: 'An accurate data-flow diagram(s) is maintained that meets the + following: + + - Shows all account data flows across systems and networks. + + - Updated as needed upon changes to the environment.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:5 + name: 1.2.5 + description: All services, protocols, and ports allowed are identified, approved, + and have a defined business need. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:6 + name: 1.2.6 + description: Security features are defined and implemented for all services, + protocols, and ports that are in use and considered to be insecure, such that + the risk is mitigated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:7 + name: 1.2.7 + description: Configurations of NSCs are reviewed at least once every six months + to confirm they are relevant and effective. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:8 + name: 1.2.8 + description: 'Configuration files for NSCs are: + + - Secured from unauthorized access. 
+ + - Kept consistent with active network configurations.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3:1 + name: 1.3.1 + description: "Inbound traffic to the CDE is restricted as follows: \n- To only\ + \ traffic that is necessary. \n- All other traffic is specifically denied." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3:2 + name: 1.3.2 + description: 'Outbound traffic from the CDE is restricted as follows: + + - To only traffic that is necessary. + + - All other traffic is specifically denied.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3:3 + name: 1.3.3 + description: "NSCs are installed between all wireless networks and the CDE,\ + \ regardless of whether the wireless network is a CDE, such that: \n- All\ + \ wireless traffic from wireless networks into the CDE is denied by default.\n\ + - Only wireless traffic with an authorized business purpose is allowed into\ + \ the CDE." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:1 + name: 1.4.1 + description: NSCs are implemented between trusted and untrusted networks. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:2 + name: 1.4.2 + description: 'Inbound traffic from untrusted networks to trusted networks is + restricted to: + + - Communications with system components that are authorized to provide publicly + accessible services, protocols, and ports. + + - Stateful responses to communications initiated by system components in a + trusted network. + + - All other traffic is denied.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:3 + name: 1.4.3 + description: Anti-spoofing measures are implemented to detect and block forged + source IP addresses from entering the trusted network. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:4 + name: 1.4.4 + description: System components that store cardholder data are not directly accessible + from untrusted networks. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:5 + name: 1.4.5 + description: The disclosure of internal IP addresses and routing information + is limited to only authorized parties. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.5:1 + name: 1.5.1 + description: "Security controls are implemented on any computing devices, including\ + \ company- and employee-owned devices, that connect to both untrusted networks\ + \ (including the Internet) and the CDE as follows:\n- Specific configuration\ + \ settings are defined to prevent threats being introduced into the entity\u2019\ + s network.\n- Security controls are actively running.\n- Security controls\ + \ are not alterable by users of the computing devices unless specifically\ + \ documented and authorized by Management on a case-by-case basis for a limited\ + \ period." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1:1 + name: 2.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 2 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1:2 + name: 2.1.2 + description: Roles and responsibilities for performing activities in Requirement + 2 are documented, assigned, and understood. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:1 + name: 2.2.1 + description: 'Configuration standards are developed, implemented, and maintained + to: + + - Cover all system components. + + - Be consistent with industry-accepted system hardening standards or vendor + hardening recommendations. + + - Be updated as new vulnerability issues are identified, as defined in Requirement + 6.3.1. + + - Be applied when new systems are configured and verified as in place before + or immediately after a system component is connected to a production environment.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:2 + name: 2.2.2 + description: 'Vendor default accounts are managed as follows: + + - If the vendor default account(s) will be used, the default password is changed + per Requirement 8.3.6. + + - If the vendor default account(s) will not be used, the account is removed + or disabled.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:3 + name: 2.2.3 + description: "Primary functions requiring different security levels are managed\ + \ as follows: \n- Only one primary function exists on a system component.\n\ + OR \n- Primary functions with differing security levels that exist on the\ + \ same system component are isolated from each other.\nOR\n- Primary functions\ + \ with differing security levels on the same system component are all secured\ + \ to the level required by the function with the highest security need." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:4 + name: 2.2.4 + description: Only necessary services, protocols, daemons, and functions are + enabled, and all unnecessary functionality is removed or disabled. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:5 + name: 2.2.5 + description: 'If any insecure services, protocols, or daemons are present: + + - business justification is documented. + + - additional security features are documented and implemented that reduce + the risk of using insecure services, protocols, or daemons.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:6 + name: 2.2.6 + description: System security parameters are configured to prevent misuse. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:7 + name: 2.2.7 + description: All non-console administrative access is encrypted using strong + cryptography. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3:1 + name: 2.3.1 + description: "For wireless environments connected to the CDE or transmitting\ + \ account data, all wireless vendor defaults are changed at installation or\ + \ are confirmed to be secure, including but not limited to: \_\n- Default\ + \ wireless encryption keys.\n- Default wireless encryption keys.\n- Passwords\ + \ on wireless access points.\n- SNMP defaults.\n- Any other security-related\ + \ wireless vendor defaults." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3:2 + name: 2.3.2 + description: 'For wireless environments connected to the CDE or transmitting + account data, wireless encryption keys are changed as follows: + + - Whenever personnel with knowledge of the key leave the company or the role + for which the knowledge was necessary. + + - Whenever a key is suspected of or known to be compromised.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.1:1 + name: 3.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 3 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.1:2 + name: 3.1.2 + description: Roles and responsibilities for performing activities in Requirement + 3 are documented, assigned, and understood. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.2:1 + name: 3.2.1 + description: 'Account data storage is kept to a minimum through implementation + of data retention and disposal policies, procedures, and processes that include + at least the following: + + - Coverage for all locations of stored account data. + + - Coverage for any sensitive authentication data (SAD) stored prior to completion + of authorization. This bullet is a best practice until its effective date; + refer to Applicability Notes below for details. + + - Limiting data storage amount and retention time to that which is required + for legal or regulatory, and/or business requirements. + + - Specific retention requirements for stored account data that defines length + of retention period and includes a documented business justification. + + - Processes for secure deletion or rendering account data unrecoverable when + no longer + + needed per the retention policy. + + - A process for verifying, at least once every three months, that stored account + data exceeding the defined retention period has been securely deleted or rendered + unrecoverable.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:1 + name: 3.3.1 + description: SAD is not retained after authorization, even if encrypted. All + sensitive authentication data received is rendered unrecoverable upon completion + of the authorization process. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:2 + name: 3.3.1.1 + description: The full contents of any track are not retained upon completion + of the authorization process. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:3 + name: 3.3.1.2 + description: The card verification code is not retained upon completion of the + authorization process. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:4 + name: 3.3.1.3 + description: The personal identification number (PIN) and the PIN block are + not retained upon completion of the authorization process + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:5 + name: 3.3.2 + description: 'SAD that is stored electronically prior to completion of authorization + is encrypted using + + strong cryptography.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:6 + name: 3.3.3 + description: 'Additional requirement for issuers and companies that support + issuing services and store sensitive authentication data: Any storage of sensitive + authentication data is: + + - Limited to that which is needed for a legitimate issuing business need and + is secured. + + - Encrypted using strong cryptography. This bullet is a best practice until + its effective date.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.4:1 + name: 3.4.1 + description: 'PAN is masked when displayed (the BIN and last four digits are + the maximum number of digits + + to be displayed), such that only personnel with a legitimate business need + can see more than the BIN and last four digits of the PAN.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.4:2 + name: 3.4.2 + description: 'When using remote-access technologies, technical controls prevent + copy and/or relocation of + + PAN for all personnel, except for those with documented, explicit authorization + and a legitimate, defined business need.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:1 + name: 3.5.1 + description: "PAN is rendered unreadable anywhere it is stored by using any\ + \ of the following approaches:\n- One-way hashes based on strong cryptography\ + \ of the entire PAN.\n- Truncation (hashing cannot be used to replace the\ + \ truncated segment of PAN).\n\u2013 If hashed and truncated versions of the\ + \ same PAN, or different truncation formats of the same PAN, are present in\ + \ an environment, additional controls are in place such that the different\ + \ versions cannot be correlated to reconstruct the original PAN.\n- Index\ + \ tokens.\n- Strong cryptography with associated key-management processes\ + \ and procedures." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:2 + name: 3.5.1.1 + description: Hashes used to render PAN unreadable (per the first bullet of Requirement + 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management + processes and procedures in accordance with Requirements 3.6 and 3.7. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:3 + name: 3.5.1.2 + description: 'If disk-level or partition-level encryption rather than file-, + column-, or field-level database encryption) is used to render PAN unreadable, + it is implemented only as follows: + + - On removable electronic media. + + OR + + - If used for non-removable electronic media, PAN is also rendered unreadable + via another mechanism that meets Requirement 3.5.1.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:4 + name: 3.5.1.3 + description: 'If disk-level or partition-level encryption is used (rather than + file-, column-, or field--level database encryption) to render PAN unreadable, + it is managed as follows: + + - Logical access is managed separately and independently of native operating + system authentication and access control mechanisms. + + - Decryption keys are not associated with user accounts. + + - Authentication factors (passwords, passphrases, or cryptographic keys) that + allow access to - nencrypted data are stored securely.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:1 + name: 3.6.1 + description: 'Procedures are defined and implemented to protect cryptographic + keys used to protect stored account data against disclosure and misuse that + include: + + - Access to keys is restricted to the fewest number of custodians necessary. + + - Key-encrypting keys are at least as strong as the data-encrypting keys they + protect. + + - Key-encrypting keys are stored separately from data-encrypting keys. + + - Keys are stored securely in the fewest possible locations and forms.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:2 + name: 3.6.1.1 + description: 'Additional requirement for service providers only: A documented + description of the cryptographic architecture is maintained that includes: + + - Details of all algorithms, protocols, and keys used for the protection of + stored account data, including key strength and expiry date. + + - Preventing the use of the same cryptographic keys in production and test + environments. This bullet is a best practice until its effective date. + + - Description of the key usage for each key. + + - Inventory of any hardware security modules (HSMs), key management systems + (KMS), and other secure cryptographic devices (SCDs) used for key management, + including type and location of devices, as outlined in Requirement 12.3.4.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:3 + name: 3.6.1.2 + description: 'Secret and private keys used to encrypt/decrypt stored account + data are stored in one (or more) of the following forms at all times: + + - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting + key, and that is stored separately from the data-encrypting key. + + - Within a secure cryptographic device (SCD), such as a hardware security + module (HSM) or PTS-approved point-of-interaction device. 
+ + - As at least two full-length key components or key shares, in accordance + with an industry-accepted method' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:4 + name: 3.6.1.3 + description: Access to cleartext cryptographic key components is restricted + to the fewest number of custodians necessary. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:5 + name: 3.6.1.4 + description: Cryptographic keys are stored in the fewest possible location. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:1 + name: 3.7.1 + description: Key-management policies and procedures are implemented to include + generation of strong cryptographic keys used to protect stored account data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:2 + name: 3.7.2 + description: Key-management policies and procedures are implemented to include + secure distribution of cryptographic keys used to protect stored account data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:3 + name: 3.7.3 + description: Key-management policies and procedures are implemented to include + secure storage of cryptographic keys used to protect stored account data. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:4 + name: 3.7.4 + description: 'Key management policies and procedures are implemented for cryptographic + key changes for keys that have reached the end of their cryptoperiod, as defined + by the associated application vendor or key owner, and based on industry best + practices and guidelines, including the following: + + - A defined cryptoperiod for each key type in use. + + - A process for key changes at the end of the defined cryptoperiod.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:5 + name: 3.7.5 + description: 'Key management policies procedures are implemented to include + the retirement, replacement, or destruction of keys used to protect stored + account data, as deemed necessary when: + + - The key has reached the end of its defined cryptoperiod. + + - The integrity of the key has been weakened, including when personnel with + knowledge of a cleartext key component leaves the company, or the role for + which the key component was known. + + - The key is suspected of or known to be compromised. + + - Retired or replaced keys are not used for encryption operations.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:6 + name: 3.7.6 + description: Where manual cleartext cryptographic key-management operations + are performed by personnel, key-management policies and procedures are implemented + include managing these operations using split knowledge and dual control. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:7 + name: 3.7.7 + description: Key management policies and procedures are implemented to include + the prevention of unauthorized substitution of cryptographic keys. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:8 + name: 3.7.8 + description: Key management policies and procedures are implemented to include + that cryptographic key custodians formally acknowledge (in writing or electronically) + that they understand and accept their key-custodian responsibilities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:9 + name: 3.7.9 + description: "Additional testing procedure for service provider assessments\ + \ only: If the service provider shares cryptographic keys with its customers\ + \ for transmission or storage of account data, examine the documentation that\ + \ the service provider provides to its customers to verify it includes guidance\ + \ on how to securely transmit, store, and update customers\u2019 keys in accordance\ + \ with all elements specified in Requirements 3.7.1 through 3.7.8 above." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.1:1 + name: 4.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 4 are: + + - Documented. + + - Kept up to date. + + - In use. 
+ + - Known to all affected parties' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.1:2 + name: 4.1.2 + description: Roles and responsibilities for performing activities in Requirement + 4 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:1 + name: 4.2.1 + description: 'Strong cryptography and security protocols are implemented as + follows to safeguard PAN during transmission over open, public networks: + + - Only trusted keys and certificates are accepted. + + - Certificates used to safeguard PAN during transmission over open, public + networks are confirmed as valid and are not expired or revoked. This bullet + is a best practice until its effective date; refer to applicability notes + below for details. + + - The protocol in use supports only secure versions or configurations and + does not support fallback to, or use of insecure versions, algorithms, key + sizes, or implementations. + + - The encryption strength is appropriate for the encryption methodology in + use.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:2 + name: 4.2.1.1 + description: "An inventory of the entity\u2019s trusted keys and certificates\ + \ used to protect PAN during transmission is maintained." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:3 + name: 4.2.1.2 + description: Wireless networks transmitting PAN or connected to the CDE use + industry best practices to implement strong cryptography for authentication + and transmission. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:4 + name: 4.2.2 + description: PAN is secured with strong cryptography whenever it is sent via + end-user messaging technologies. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1:1 + name: 5.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 5 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1:2 + name: 5.1.2 + description: Roles and responsibilities for performing activities in Requirement + 5 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:1 + name: 5.2.1 + description: An anti-malware solution(s) is deployed on all system components, + except for those system components identified in periodic evaluations per + Requirement 5.2.3 that concludes the system components are not at risk from + malware. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:2 + name: 5.2.2 + description: 'The deployed anti-malware solution(s): + + - Detects all known types of malware. + + - Removes, blocks, or contains all known types of malware.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:3 + name: 5.2.3 + description: 'Any system components that are not at risk for malware are evaluated + periodically to include the following: + + - A documented list of all system components not at risk for malware. + + - Identification and evaluation of evolving malware threats for those system + components. + + - Confirmation whether such system components continue to not require anti-malware + protection.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:4 + name: 5.2.3.1 + description: "The frequency of periodic evaluations of system components identified\ + \ as not at risk for malware is defined in the entity\u2019s targeted risk\ + \ analysis, which is performed according to all elements specified in Requirement\ + \ 12.3.1." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:1 + name: 5.3.1 + description: The anti-malware solution(s) is kept current via automatic updates. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:2 + name: 5.3.2 + description: "The anti-malware solution(s):\n- Performs periodic scans and active\ + \ or real-time scans. \nOR\n- Performs continuous behavioral analysis of systems\ + \ or processes." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:3 + name: 5.3.2.1 + description: "If periodic malware scans are performed to meet Requirement 5.3.2,\ + \ the frequency of scans is defined in the entity\u2019s targeted risk analysis,\ + \ which is performed according to all elements specified in Requirement 12.3.1." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:4 + name: 5.3.3 + description: 'For removable electronic media, the anti-malware solution(s): + + - Performs automatic scans of when the media is inserted, connected, or logically + mounted, + + OR + + - Performs continuous behavioral analysis of systems or processes when the + media is inserted, connected, or logically mounted.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:5 + name: 5.3.4 + description: Audit logs for the anti-malware solution(s) are enabled and retained + in accordance with Requirement 10.5.1. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:6 + name: 5.3.5 + description: Anti-malware mechanisms cannot be disabled or altered by users, + unless specifically documented, and authorized by management on a case-by-case + basis for a limited time period. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.4:1 + name: 5.4.1 + description: Processes and automated mechanisms are in place to detect and protect + personnel against phishing attacks. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1:1 + name: 6.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 6 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1:2 + name: 6.1.2 + description: Roles and responsibilities for performing activities in Requirement + 6 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:1 + name: 6.2.1 + description: 'Bespoke and custom software are developed + + securely, as follows: + + - Based on industry standards and/or best practices for secure development. + + - In accordance with PCI DSS (for example, secure authentication and logging). + + - Incorporating consideration of information security issues during each stage + of the software development lifecycle.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:2 + name: 6.2.2 + description: 'Software development personnel working on bespoke and custom software + are trained at least once every 12 months as follows: + + - On software security relevant to their job function and development languages. + + - Including secure software design and secure coding techniques. + + - Including, if security testing tools are used, how to use the tools for + detecting vulnerabilities in software.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:3 + name: 6.2.3 + description: 'Bespoke and custom software is reviewed prior to being released + into production or to customers, to identify and correct potential coding + vulnerabilities, as follows: + + - Code reviews ensure code is developed according to secure coding guidelines. + + - Code reviews look for both existing and emerging software vulnerabilities. + + - Appropriate corrections are implemented prior to release.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:4 + name: 6.2.3.1 + description: 'If manual code reviews are performed for bespoke and custom software + prior to release to production, code changes are: + + - Reviewed by individuals other than the originating code author, and who + are knowledgeable about code-review techniques + + and secure coding practices. + + - Reviewed and approved by management prior to release.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:5 + name: 6.2.4 + description: "Software engineering techniques or other methods are defined and\ + \ in use by software development personnel to prevent or mitigate common software\ + \ attacks and related vulnerabilities in bespoke and custom software, including\ + \ but not limited to the following:\n- Injection attacks, including SQL, LDAP,\ + \ XPath, or other command, parameter, object, fault, or injection-type flaws.\n\ + - Attacks on data and data structures, including attempts to manipulate buffers,\ + \ pointers, input data, or shared data.\n- Attacks on cryptography usage,\ + \ including attempts to exploit weak, insecure, or inappropriate cryptographic\ + \ implementations, algorithms, cipher suites, or modes of operation.\n- Attacks\ + \ on business logic, including attempts to abuse or bypass application features\ + \ and functionalities through the manipulation of APIs, communication protocols\ + \ and channels, client-side functionality, or other system/application functions\ + \ and resources. This includes cross-site scripting (XSS) and cross-site request\ + \ forgery (CSRF).\n- Attacks on access control mechanisms, including attempts\ + \ to bypass or abuse identification, authentication, or authorization mechanisms,\ + \ or attempts to exploit weaknesses in the implementation of such mechanisms.\n\ + - Attacks via any \u201Chigh-risk\u201D vulnerabilities identified in the\ + \ vulnerability identification process, as defined in Requirement 6.3.1." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3:1 + name: 6.3.1 + description: 'Security vulnerabilities are identified and managed as follows: + + - New security vulnerabilities are identified using industry-recognized sources + for security vulnerability information, including alerts from international + and national computer emergency response teams (CERTs). + + - Vulnerabilities are assigned a risk ranking based on industry best practices + and consideration of potential impact. + + - Risk rankings identify, at a minimum, all vulnerabilities considered to + be a high-risk or critical to the environment. + + - Vulnerabilities for bespoke and custom, and third-party software (for example + operating systems and databases) are covered.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3:2 + name: 6.3.2 + description: An inventory of bespoke and custom software, and third-party software + components incorporated into bespoke and custom software is maintained to + facilitate vulnerability and patch management. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3:3 + name: 6.3.3 + description: 'All system components are protected from known vulnerabilities + by installing applicable security patches/updates as follows: + + - Critical or high-security patches/updates (identified according to the risk + ranking process at Requirement 6.3.1) are installed within one month of release. 
+ + - All other applicable security patches/updates are installed within an appropriate + time frame as determined by the entity (for example, within three months of + release).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4:1 + name: 6.4.1 + description: "For public-facing web applications, new threats and vulnerabilities\ + \ are addressed on an ongoing basis and these applications are protected against\ + \ known attacks as follows:\n- Reviewing public-facing web applications via\ + \ manual or automated application vulnerability security assessment tools\ + \ or methods as follows:\n \u2013 At least once every 12 months and after\ + \ significant changes.\n \u2013 By an entity that specializes in application\ + \ security.\n \u2013 Including, at a minimum, all common software attacks\ + \ in Requirement 6.2.4.\n \u2013 All vulnerabilities are ranked in accordance\ + \ with requirement 6.3.1.\n \u2013 All vulnerabilities are corrected.\n\ + \ \u2013 The application is re-evaluated after the corrections\nOR\n- Installing\ + \ an automated technical solution(s) that continually detects and prevents\ + \ web-based attacks as follows:\n \u2013 Installed in front of public-facing\ + \ web applications to detect and prevent web-based attacks.\n \u2013 Actively\ + \ running and up to date as applicable.\n \u2013 Generating audit logs.\n\ + \ \u2013 Configured to either block web-based attacks or generate an alert\ + \ that is immediately investigated." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4:2 + name: 6.4.2 + description: 'For public-facing web applications, an automated technical solution + is deployed that continually detects and prevents web-based attacks, with + at least the following: + + - Is installed in front of public-facing web applications and is configured + to detect and prevent web-based attacks. + + - Actively running and up to date as applicable. + + - Generating audit logs. + + - Configured to either block web-based attacks or generate an alert that is + immediately investigated.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4:3 + name: 6.4.3 + description: "All payment page scripts that are loaded and executed in the consumer\u2019\ + s browser are managed as follows:\n\u2022 A method is implemented to confirm\ + \ that each script is authorized.\n\u2022 A method is implemented to assure\ + \ the integrity of each script.\n\u2022 An inventory of all scripts is maintained\ + \ with written justification as to why each is necessary." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:1 + name: 6.5.1 + description: 'Changes to all system components in the production environment + are made according to established procedures that include: + + - Reason for, and description of, the change. + + - Documentation of security impact. + + - Documented change approval by authorized parties. + + - Testing to verify that the change does not adversely impact system security. 
+ + - For bespoke and custom software changes, all updates are tested for compliance + with Requirement 6.2.4 before being deployed into production. + + - Procedures to address failures and return to a secure state.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:2 + name: 6.5.2 + description: Upon completion of a significant change, all applicable PCI DSS + requirements are confirmed to be in place on all new or changed systems and + networks, and documentation is updated as applicable. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:3 + name: 6.5.3 + description: Pre-production environments are separated from production environments + and the separation is enforced with access controls. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:4 + name: 6.5.4 + description: Roles and functions are separated between production and pre-production + environments to provide accountability such that only reviewed and approved + changes are deployed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:5 + name: 6.5.5 + description: Live PANs are not used in pre-production environments, except where + those environments are included in the CDE and protected in accordance with + all applicable PCI DSS requirements. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:6 + name: 6.5.6 + description: Test data and test accounts are removed from system components + before the system goes into production. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1:1 + name: 7.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 7 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1:2 + name: 7.1.2 + description: Roles and responsibilities for performing activities in Requirement + 7 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:1 + name: 7.2.1 + description: "An access control model is defined and includes granting access\ + \ as follows:\n- Appropriate access depending on the entity\u2019s business\ + \ and access needs.\n- Access to system components and data resources that\ + \ is based on users\u2019 job classification and functions.\n- The least privileges\ + \ required (for example, user, administrator) to perform a job function." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:2 + name: 7.2.2 + description: 'Access is assigned to users, including privileged users, based + on: + + - Job classification and function. + + - Least privileges necessary to perform job responsibilities.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:3 + name: 7.2.3 + description: Required privileges are approved by authorized personnel. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:4 + name: 7.2.4 + description: 'All user accounts and related access privileges, including third-party/vendor + accounts, are reviewed as follows: + + - At least once every six months. + + - To ensure user accounts and access remain appropriate based on job function. + + - Any inappropriate access is addressed. + + - Management acknowledges that access remains appropriate.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:5 + name: 7.2.5 + description: 'All application and system accounts and related access privileges + are assigned and managed as follows: + + - Based on the least privileges necessary for the operability of the system + or application. + + - Access is limited to the systems, applications, or processes that specifically + require their use.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:6 + name: 7.2.5.1 + description: "All access by application and system accounts and related access\ + \ privileges are reviewed as follows:\n- Periodically (at the frequency defined\ + \ in the entity\u2019s targeted risk analysis, which is performed according\ + \ to all elements specified in Requirement 12.3.1).\n- The application/system\ + \ access remains appropriate for the function being performed.\n- Any inappropriate\ + \ access is addressed.\n- Management acknowledges that access remains appropriate." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:7 + name: 7.2.6 + description: 'All user access to query repositories of stored cardholder data + is restricted as follows: + + - Via applications or other programmatic methods, with access and allowed + actions based on user roles and least privileges. + + - Only the responsible administrator(s) can directly access or query repositories + of stored CHD.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3:1 + name: 7.3.1 + description: "An access control system(s) is in place that restricts access\ + \ based on a user\u2019s need to know and covers all system components." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3:2 + name: 7.3.2 + description: The access control system(s) is configured to enforce permissions + assigned to individuals, applications, and systems based on job classification + and function. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3:3 + name: 7.3.3 + description: "The access control system(s) is set to \u201Cdeny all\u201D by\ + \ default." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1:1 + name: 8.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 8 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1:2 + name: 8.1.2 + description: Roles and responsibilities for performing activities in Requirement + 8 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:1 + name: 8.2.1 + description: All users are assigned a unique ID before access to system components + or cardholder data is allowed. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:2 + name: 8.2.2 + description: 'Group, shared, or generic accounts, or other shared authentication + credentials are only used when necessary on an exception basis, and are managed + as follows: + + - Account use is prevented unless needed for an exceptional circumstance. + + - Use is limited to the time needed for the exceptional circumstance. + + - Business justification for use is documented. + + - Use is explicitly approved by management. + + - Individual user identity is confirmed before access to an account is granted. + + - Every action taken is attributable to an individual user.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:3 + name: 8.2.3 + description: 'Additional requirement for service providers only: Service providers + with remote access to customer premises use unique authentication factors + for each customer premises.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:4 + name: 8.2.4 + description: 'Addition, deletion, and modification of user IDs, authentication + factors, and other identifier objects are managed as follows: + + - Authorized with the appropriate approval. + + - Implemented with only the privileges specified on the documented approval.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:5 + name: 8.2.5 + description: Access for terminated users is immediately revoked. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:6 + name: 8.2.6 + description: Inactive user accounts are removed or disabled within 90 days of + inactivity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:7 + name: 8.2.7 + description: 'Accounts used by third parties to access, support, or maintain + system components via remote access are managed as follows: + + - Enabled only during the time period needed and disabled when not in use. + + - Use is monitored for unexpected activity.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:8 + name: 8.2.8 + description: If a user session has been idle for more than 15 minutes, the user + is required to re-authenticate to re-activate the terminal or session. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:1 + name: 8.3.1 + description: "All user access to system components for users and administrators\ + \ is authenticated via at least one of the following authentication factors:\n\ + \u2022 Something you know, such as a password or passphrase.\n\u2022 Something\ + \ you have, such as a token device or smart card.\n\u2022 Something you are,\ + \ such as a biometric element." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:2 + name: 8.3.2 + description: Strong cryptography is used to render all authentication factors + unreadable during transmission and storage on all system components. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:3 + name: 8.3.3 + description: User identity is verified before modifying any authentication factor. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:4 + name: 8.3.4 + description: "Invalid authentication attempts are limited by:\n- Locking out\ + \ the user ID after not more than 10 attempts.\n- Setting the lockout duration\ + \ to a minimum of 30 minutes or until the user\u2019s identity is confirmed." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:5 + name: 8.3.5 + description: 'If passwords/passphrases are used as authentication factors to + meet Requirement 8.3.1, they are set and reset for each user as follows: + + - Set to a unique value for first-time use and upon reset. + + - Forced to be changed immediately after the first use.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:6 + name: 8.3.6 + description: 'If passwords/passphrases are used as authentication factors to + meet Requirement 8.3.1, they meet the following minimum level of complexity: + + - A minimum length of 12 characters (or IF the system does not support 12 + characters, a minimum length of eight characters). + + - Contain both numeric and alphabetic characters.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:7 + name: 8.3.7 + description: Individuals are not allowed to submit a new password/passphrase + that is the same as any of the last four passwords/passphrases used. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:8 + name: 8.3.8 + description: 'Authentication policies and procedures are documented and communicated + to all users including: + + - Guidance on selecting strong authentication factors. + + - Guidance for how users should protect their authentication factors. 
+ + - Instructions not to reuse previously used passwords/passphrases. + + - Instructions to change passwords/passphrases if there is any suspicion or + knowledge that the password/passphrases have been compromised and how to report + the incident.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:9 + name: 8.3.9 + description: "If passwords/passphrases are used as the only authentication factor\ + \ for user access (i.e., in any single-factor authentication implementation)\ + \ then either:\n\u2022 Passwords/passphrases are changed at least once every\ + \ 90 days,\nOR\n\u2022 The security posture of accounts is dynamically analyzed,\ + \ and real-time access to resources is automatically determined accordingly." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:10 + name: 8.3.10 + description: 'Additional requirement for service providers only: If passwords/passphrases + are used as the only authentication factor for customer user access to cardholder + data (i.e., in any single- factor authentication implementation), then guidance + is provided to customer users including: + + - Guidance for customers to change their user passwords/passphrases periodically. + + - Guidance as to when, and under what circumstances, passwords/passphrases + are to be changed.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:11 + name: 8.3.10.1 + description: "Additional requirement for service providers only: If passwords/passphrases\ + \ are used as the only authentication factor for customer user access (i.e.,\ + \ in any single-factor authentication implementation) then either:\n\u2022\ + \ Passwords/passphrases are changed at least once every 90 days,\nOR\n\u2022\ + \ The security posture of accounts is dynamically analyzed, and real-time\ + \ access to resources is automatically determined accordingly." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:12 + name: 8.3.11 + description: 'Where authentication factors such as physical or logical security + tokens, smart cards, or certificates are used: + + - Factors are assigned to an individual user and not shared among multiple + users. + + - Physical and/or logical controls ensure only the intended user can use that + factor to gain access.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4:1 + name: 8.4.1 + description: MFA is implemented for all non-console access into the CDE for + personnel with administrative access. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4:2 + name: 8.4.2 + description: MFA is implemented for all access into the CDE. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4:3 + name: 8.4.3 + description: "MFA is implemented for all remote network access originating from\ + \ outside the entity\u2019s network that could access or impact the CDE as\ + \ follows:\n- All remote access by all personnel, both users and administrators,\ + \ originating from outside the entity\u2019s network.\n- All remote access\ + \ by third parties and vendors." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.5:1 + name: 8.5.1 + description: 'MFA systems are implemented as follows: + + - The MFA system is not susceptible to replay attacks. + + - MFA systems cannot be bypassed by any users, including administrative users + unless specifically documented, and authorized by management on an exception + basis, for a limited time period. + + - At least two different types of authentication factors are used. + + - Success of all authentication factors is required before access is granted.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6:1 + name: 8.6.1 + description: 'If accounts used by systems or applications can be used for interactive + login, they are managed as follows: + + - Interactive use is prevented unless needed for an exceptional circumstance. + + - Interactive use is limited to the time needed for the exceptional circumstance. + + - Business justification for interactive use is documented. + + - Interactive use is explicitly approved by management. 
+ + - Individual user identity is confirmed before access to account is granted. + + - Every action taken is attributable to an individual user.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6:2 + name: 8.6.2 + description: Passwords/passphrases for any application and system accounts that + can be used for interactive login are not hard coded in scripts, configuration/property + files, or bespoke and custom source code. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6:3 + name: 8.6.3 + description: "Passwords/passphrases for any application and system accounts\ + \ are protected against misuse as follows:\n- Passwords/passphrases are changed\ + \ periodically (at the frequency defined in the entity\u2019s targeted risk\ + \ analysis, which is performed according to all elements specified in Requirement\ + \ 12.3.1) and upon suspicion or confirmation of compromise.\n- Passwords/passphrases\ + \ are constructed with sufficient complexity appropriate for how frequently\ + \ the entity changes the passwords/passphrases." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1:1 + name: 9.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 9 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1:2 + name: 9.1.2 + description: Roles and responsibilities for performing activities in Requirement + 9 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:1 + name: 9.2.1 + description: Appropriate facility entry controls are in place to restrict physical + access to systems in the CDE. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:2 + name: 9.2.1.1 + description: 'Individual physical access to sensitive areas within the CDE is + monitored with either video cameras or physical access control mechanisms + (or both) as follows: + + - Entry and exit points to/from sensitive areas within the CDE are monitored. + + - Monitoring devices or mechanisms are protected from tampering or disabling. + + - Collected data is reviewed and correlated with other entries. + + - Collected data is stored for at least three months, unless otherwise restricted + by law.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:3 + name: 9.2.2 + description: Physical and/or logical controls are implemented to restrict use + of publicly accessible network jacks within the facility. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:4 + name: 9.2.3 + description: Physical access to wireless access points, gateways, networking/communications + hardware, and telecommunication lines within the facility is restricted. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:5 + name: 9.2.4 + description: Access to consoles in sensitive areas is restricted via locking + when not in use. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:1 + name: 9.3.1 + description: "Procedures are implemented for authorizing and managing physical\ + \ access of personnel to the CDE, including:\n- Identifying personnel.\n-\ + \ Managing changes to an individual\u2019s physical access requirements.\n\ + - Revoking or terminating personnel identification.\n- Limiting access to\ + \ the identification process or system to authorized personnel" + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:2 + name: 9.3.1.1 + description: 'Physical access to sensitive areas within the CDE for personnel + is controlled as follows: + + - Access is authorized and based on individual job function. + + - Access is revoked immediately upon termination. + + - All physical access mechanisms, such as keys, access cards, etc., are returned + or disabled upon termination.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:3 + name: 9.3.2 + description: 'Procedures are implemented for authorizing and managing visitor + access to the CDE, including: + + - Visitors are authorized before entering. + + - Visitors are escorted at all times. + + - Visitors are clearly identified and given a badge or other identification + that expires. + + - Visitor badges or other identification visibly distinguishes visitors from + personnel.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:4 + name: 9.3.3 + description: Visitor badges or identification are surrendered or deactivated + before visitors leave the facility or at the date of expiration. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:5 + name: 9.3.4 + description: "A visitor log is used to maintain a physical record of visitor\ + \ activity within the facility and within sensitive areas, including:\n- The\ + \ visitor\u2019s name and the organization represented.\n- The date and time\ + \ of the visit.\n- The name of the personnel authorizing physical access.\n\ + - Retaining the log for at least three months, unless otherwise restricted\ + \ by law." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:1 + name: 9.4.1 + description: All media with cardholder data is physically secured. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:2 + name: 9.4.1.1 + description: Offline media backups with cardholder data are stored in a secure + location. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:3 + name: 9.4.1.2 + description: The security of the offline media backup location(s) with cardholder + data is reviewed at least once every 12 months. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:4 + name: 9.4.2 + description: All media with cardholder data is classified in accordance with + the sensitivity of the data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:5 + name: 9.4.3 + description: 'Media with cardholder data sent outside the facility is secured + as follows: + + - Media sent outside the facility is logged. + + - Media is sent by secured courier or other delivery method that can be accurately + tracked. + + - Offsite tracking logs include details about media location.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:6 + name: 9.4.4 + description: Management approves all media with cardholder data that is moved + outside the facility (including when media is distributed to individuals). 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:7 + name: 9.4.5 + description: Inventory logs of all electronic media with cardholder data are + maintained. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:8 + name: 9.4.5.1 + description: Inventories of electronic media with cardholder data are conducted + at least once every 12 months. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:9 + name: 9.4.6 + description: "Hard-copy materials with cardholder data are destroyed when no\ + \ longer needed for business or legal reasons, as follows:\n\u2022 Materials\ + \ are cross-cut shredded, incinerated, or pulped so that cardholder data cannot\ + \ be reconstructed.\n\u2022 Materials are stored in secure storage containers\ + \ prior to destruction." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:10 + name: 9.4.7 + description: 'Electronic media with cardholder data is destroyed when no longer + needed for business or legal reasons via one of the following: + + - The electronic media is destroyed. + + - The cardholder data is rendered unrecoverable so that it cannot be reconstructed.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:1 + name: 9.5.1 + description: 'POI devices that capture payment card data via direct physical + interaction with the payment card form factor are protected from tampering + and unauthorized substitution, including the following: + + - Maintaining a list of POI devices. + + - Periodically inspecting POI devices to look for tampering or unauthorized + substitution. + + - Training personnel to be aware of suspicious behavior and to report tampering + or unauthorized substitution of devices.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:2 + name: 9.5.1.1 + description: 'An up-to-date list of POI devices is maintained, including: + + - Make and model of the device. + + - Location of device. + + - Device serial number or other methods of unique identification.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:3 + name: 9.5.1.2 + description: POI device surfaces are periodically inspected to detect tampering + and unauthorized substitution. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:4 + name: 9.5.1.2.1 + description: "The frequency of periodic POI device inspections and the type\ + \ of inspections performed is defined in the entity\u2019s targeted risk analysis,\ + \ which is performed according to all elements specified in Requirement 12.3.1." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:5 + name: 9.5.1.3 + description: 'Training is provided for personnel in POI environments to be aware + of attempted tampering or replacement of POI devices, and includes: + + - Verifying the identity of any third-party persons claiming to be repair + or maintenance personnel, before granting them access to modify or troubleshoot + devices. + + - Procedures to ensure devices are not installed, replaced, or returned without + verification. + + - Being aware of suspicious behavior around devices. + + - Reporting suspicious behavior and indications of device tampering or substitution + to appropriate personnel.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1:1 + name: 10.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 10 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1:2 + name: 10.1.2 + description: Roles and responsibilities for performing activities in Requirement + 10 are documented, assigned, and understood + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:1 + name: 10.2.1 + description: Audit logs are enabled and active for all system components and + cardholder data. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:2 + name: 10.2.1.1 + description: Audit logs capture all individual user access to cardholder data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:3 + name: 10.2.1.2 + description: Audit logs capture all actions taken by any individual with administrative + access, including any interactive use of application or system accounts. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:4 + name: 10.2.1.3 + description: Audit logs capture all access to audit logs. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:5 + name: 10.2.1.4 + description: Audit logs capture all invalid logical access attempts. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:6 + name: 10.2.1.5 + description: 'Audit logs capture all changes to identification and authentication + credentials including, but not limited to: + + - Creation of new accounts. + + - Elevation of privileges. + + - All changes, additions, or deletions to accounts with administrative access.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:7 + name: 10.2.1.6 + description: 'Audit logs capture the following: + + - All initialization of new audit logs, and + + - All starting, stopping, or pausing of the existing audit logs.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:8 + name: 10.2.1.7 + description: Audit logs capture all creation and deletion of system-level objects. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:9 + name: 10.2.2 + description: 'Audit logs record the following details for each auditable event: + + - User identification. + + - Type of event. + + - Date and time. + + - Success and failure indication. + + - Origination of event. + + - Identity or name of affected data, system component, resource, or service + (for example, name and protocol).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:1 + name: 10.3.1 + description: Read access to audit logs files is limited to those with a job-related + need. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:2 + name: 10.3.2 + description: Audit log files are protected to prevent modifications by individuals. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:3 + name: 10.3.3 + description: Audit log files, including those for external-facing technologies, + are promptly backed up to a secure, central, internal log server(s) or other + media that is difficult to modify. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:4 + name: 10.3.4 + description: File integrity monitoring or change-detection mechanisms is used + on audit logs to ensure that existing log data cannot be changed without generating + alerts. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:1 + name: 10.4.1 + description: 'The following audit logs are reviewed at least once daily: + + - All security events. + + - Logs of all system components that store, process, or transmit CHD and/or + SAD. + + - Logs of all critical system components. + + - Logs of all servers and system components that perform security functions + (for example, network security controls, intrusion-detection systems/intrusion-prevention + systems (IDS/IPS), authentication servers).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:2 + name: 10.4.1.1 + description: Automated mechanisms are used to perform audit log reviews. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:3 + name: 10.4.2 + description: Logs of all other system components (those not specified in Requirement + 10.4.1) are reviewed periodically. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:4 + name: 10.4.2.1 + description: "The frequency of periodic log reviews for all other system components\ + \ (not defined in Requirement 10.4.1) is defined in the entity\u2019s targeted\ + \ risk analysis, which is performed according to all elements specified in\ + \ Requirement 12.3.1." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:5 + name: 10.4.3 + description: Exceptions and anomalies identified during the review process are + addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.5:1 + name: 10.5.1 + description: Retain audit log history for at least 12 months, with at least + the most recent three months immediately available for analysis. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6:1 + name: 10.6.1 + description: System clocks and time are synchronized using time-synchronization + technology. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6:2 + name: 10.6.2 + description: 'Systems are configured to the correct and consistent time as follows: + + - One or more designated time servers are in use. + + - Only the designated central time server(s) receives time from external sources. + + - Time received from external sources is based on International Atomic Time + or Coordinated Universal Time (UTC). + + - The designated time server(s) accept time updates only from specific industry-accepted + external sources. + + - Where there is more than one designated time server, the time servers peer + with one another to keep accurate time. + + - Internal systems receive time information only from designated central time + server(s).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6:3 + name: 10.6.3 + description: 'Time synchronization settings and data are protected as follows: + + - Access to time data is restricted to only personnel with a business need. + + - Any changes to time settings on critical systems are logged, monitored, + and reviewed.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7:1 + name: 10.7.1 + description: 'Additional requirement for service providers only: Failures of + critical security control systems are detected, alerted, and addressed promptly, + including but not limited to failure of the following critical security control + systems: + + - Network security controls. + + - IDS/IPS. + + - FIM. + + - Anti-malware solutions. + + - Physical access controls. 
+ + - Logical access controls. + + - Audit logging mechanisms. + + - Segmentation controls (if used).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7:2 + name: 10.7.2 + description: 'Failures of critical security control systems are detected, alerted, + and addressed promptly, including but not limited to failure of the following + critical security control systems: + + - Network security controls. + + - IDS/IPS. + + - Change-detection mechanisms. + + - Anti-malware solutions. + + - Physical access controls. + + - Logical access controls. + + - Audit logging mechanisms. + + - Segmentation controls (if used). + + - Audit log review mechanisms. + + - Automated security testing tools (if used).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7:3 + name: 10.7.3 + description: 'Failures of any critical security controls systems are responded + to promptly, including but not limited to: + + - Restoring security functions. + + - Identifying and documenting the duration (date and time from start to end) + of the security failure. + + - Identifying and documenting the cause(s) of failure and documenting required + remediation. + + - Identifying and addressing any security issues that arose during the failure. + + - Determining whether further actions are required as a result of the security + failure. + + - Implementing controls to prevent the cause of failure from reoccurring. + + - Resuming monitoring of security controls.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1:1 + name: 11.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 11 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1:2 + name: 11.1.2 + description: Roles and responsibilities for performing activities in Requirement + 11 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2:1 + name: 11.2.1 + description: 'Authorized and unauthorized wireless access points are managed + as follows: + + - The presence of wireless (Wi-Fi) access points is tested for, + + - All authorized and unauthorized wireless access points are detected and + identified, + + - Testing, detection, and identification occurs at least once every three + months. + + - If automated monitoring is used, personnel are notified via generated alerts.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2:2 + name: 11.2.2 + description: An inventory of authorized wireless access points is maintained, + including a documented business justification. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:1 + name: 11.3.1 + description: "Internal vulnerability scans are performed as follows:\n- At least\ + \ once every three months.\n- High-risk and critical vulnerabilities (per\ + \ the entity\u2019s vulnerability risk rankings defined at Requirement 6.3.1)\ + \ are resolved.\n- Rescans are performed that confirm all high- risk and critical\ + \ vulnerabilities (as noted above) have been resolved.\n- Scan tool is kept\ + \ up to date with latest vulnerability information.\n- Scans are performed\ + \ by qualified personnel and organizational independence of the tester exists." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:2 + name: 11.3.1.1 + description: "All other applicable vulnerabilities (those not ranked as high-risk\ + \ or critical per the entity\u2019s vulnerability risk rankings defined at\ + \ Requirement 6.3.1) are managed as follows:\n- Addressed based on the risk\ + \ defined in the entity\u2019s targeted risk analysis, which is performed\ + \ according to all elements specified in Requirement 12.3.1.\n- Rescans are\ + \ conducted as needed." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:3 + name: 11.3.1.2 + description: 'Internal vulnerability scans are performed via authenticated scanning + as follows: + + - Systems that are unable to accept credentials for authenticated scanning + are documented. + + - Sufficient privileges are used for those systems that accept credentials + for scanning. 
+ + - If accounts used for authenticated scanning can be used for interactive + login, they are managed in accordance with Requirement 8.2.2.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:4 + name: 11.3.1.3 + description: "Internal vulnerability scans are performed after any significant\ + \ change as follows:\n- High-risk and critical vulnerabilities (per the entity\u2019\ + s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.\n\ + - Rescans are conducted as needed.\n- Scans are performed by qualified personnel\ + \ and organizational independence of the tester exists (not required to be\ + \ a QSA or ASV)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:5 + name: 11.3.2 + description: "External vulnerability scans are performed as follows:\n\u2022\ + \ At least once every three months.\n\u2022 By a PCI SSC Approved Scanning\ + \ Vendor (ASV).\n\u2022 Vulnerabilities are resolved and ASV Program Guide\ + \ requirements for a passing scan are met.\n\u2022 Rescans are performed as\ + \ needed to confirm that vulnerabilities are resolved per the ASV Program\ + \ Guide requirements for a passing scan." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:6 + name: 11.3.2.1 + description: 'External vulnerability scans are performed after any significant + change as follows: + + - Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved. + + - Rescans are conducted as needed. 
+ + - Scans are performed by qualified personnel and organizational independence + of the tester exists (not required to be a QSA or ASV).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:1 + name: 11.4.1 + description: 'A penetration testing methodology is defined, documented, and + implemented by the entity, and includes: + + - Industry-accepted penetration testing approaches. + + - Coverage for the entire CDE perimeter and critical systems. + + - Testing from both inside and outside the network. + + - Testing to validate any segmentation and scope- reduction controls. + + - Application-layer penetration testing to identify, at a minimum, the vulnerabilities + listed in Requirement 6.2.4. + + - Network-layer penetration tests that encompass all components that support + network functions as well as operating systems. + + - Review and consideration of threats and vulnerabilities experienced in the + last 12 months. + + - Documented approach to assessing and addressing the risk posed by exploitable + vulnerabilities and security weaknesses found during penetration testing. + + - Retention of penetration testing results and remediation activities results + for at least 12 months.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:2 + name: 11.4.2 + description: "Internal penetration testing is performed:\n- Per the entity\u2019\ + s defined methodology.\n- At least once every 12 months.\n- After any significant\ + \ infrastructure or application upgrade or change.\n- By a qualified internal\ + \ resource or qualified external third-party.\n- Organizational independence\ + \ of the tester exists (not required to be a QSA or ASV)." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:3 + name: 11.4.3 + description: "External penetration testing is performed:\n- Per the entity\u2019\ + s defined methodology.\n- At least once every 12 months.\n- After any significant\ + \ infrastructure or application upgrade or change.\n- By a qualified internal\ + \ resource or qualified external third party.\n- Organizational independence\ + \ of the tester exists (not required to be a QSA or ASV)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:4 + name: 11.4.4 + description: "Exploitable vulnerabilities and security weaknesses found during\ + \ penetration testing are corrected as follows:\n- In accordance with the\ + \ entity\u2019s assessment of the risk posed by the security issue as defined\ + \ in Requirement 6.3.1.\n- Penetration testing is repeated to verify the corrections." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:5 + name: 11.4.5 + description: "If segmentation is used to isolate the CDE from other networks,\ + \ penetration tests are performed on segmentation controls as follows:\n-\ + \ At least once every 12 months and after any changes to segmentation controls/methods.\n\ + - Covering all segmentation controls/methods in use.\n- According to the entity\u2019\ + s defined penetration testing methodology.\n- Confirming that the segmentation\ + \ controls/methods are operational and effective, and isolate the CDE from\ + \ all out-of-scope systems.\n- Confirming effectiveness of any use of isolation\ + \ to separate systems with differing security levels (see Requirement 2.2.3).\n\ + - Performed by a qualified internal resource or qualified external third party.\n\ + - Organizational independence of the tester exists (not required to be a QSA\ + \ or ASV)." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:6 + name: 11.4.6 + description: "Additional requirement for service providers only: If segmentation\ + \ is used to isolate the CDE from other networks, penetration tests are performed\ + \ on segmentation controls as follows:\n- At least once every six months and\ + \ after any changes to segmentation controls/methods.\n- Covering all segmentation\ + \ controls/methods in use.\n- According to the entity\u2019s defined penetration\ + \ testing methodology.\n- Confirming that the segmentation controls/methods\ + \ are operational and effective, and isolate the CDE from all out-of-scope\ + \ systems.\n- Confirming effectiveness of any use of isolation to separate\ + \ systems with differing security levels (see Requirement 2.2.3).\n- Performed\ + \ by a qualified internal resource or qualified external third party.\n- Organizational\ + \ independence of the tester exists (not required to be a QSA or ASV)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:7 + name: 11.4.7 + description: 'Additional requirement for multi-tenant service providers only: + Multi-tenant service providers support their customers for external penetration + testing per Requirement 11.4.3 and 11.4.4.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5:1 + name: 11.5.1 + description: 'Intrusion-detection and/or intrusion- prevention techniques are + used to detect and/or prevent intrusions into the network as follows: + + - All traffic is monitored at the perimeter of the CDE. 
+ + - All traffic is monitored at critical points in the CDE. + + - Personnel are alerted to suspected compromises. + + - All intrusion-detection and prevention engines, baselines, and signatures + are kept up to date' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5:2 + name: 11.5.1.1 + description: 'Additional requirement for service providers only: Intrusion-detection + and/or intrusion-prevention techniques detect, alert + + on/prevent, and address covert malware communication channels.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5:3 + name: 11.5.2 + description: 'A change-detection mechanism (for example, file integrity monitoring + tools) is deployed as follows: + + - To alert personnel to unauthorized modification (including changes, additions, + and deletions) of critical files. + + - To perform critical file comparisons at least once weekly.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.6:1 + name: 11.6.1 + description: "A change- and tamper-detection mechanism is deployed as follows:\n\ + - To alert personnel to unauthorized modification (including indicators of\ + \ compromise, changes, additions, and deletions) to the HTTP headers and the\ + \ contents of payment pages as received by the consumer browser.\n- The mechanism\ + \ is configured to evaluate the received HTTP header and payment page.\n-\ + \ The mechanism functions are performed as follows:\n \u2013 At least once\ + \ every seven days.\n OR\n \u2013 Periodically (at the frequency defined\ + \ in the entity\u2019s targeted risk analysis, which is performed according\ + \ to all elements specified in Requirement 12.3.1)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:1 + name: 12.1.1 + description: 'An overall information security policy is: + + - Established. + + - Published. + + - Maintained. + + - Disseminated to all relevant personnel, as well as to relevant vendors and + business partners.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:2 + name: 12.1.2 + description: 'The information security policy is: + + - Reviewed at least once every 12 months. + + - Updated as needed to reflect changes to business objectives or risks to + the environment.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:3 + name: 12.1.3 + description: The security policy clearly defines information security roles + and responsibilities for all personnel, and all personnel are aware of and + acknowledge their information security responsibilities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:4 + name: 12.1.4 + description: Responsibility for information security is formally assigned to + a Chief Information Security Officer or other information security knowledgeable + member of executive management. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.2:1 + name: 12.2.1 + description: 'Acceptable use policies for end-user technologies are documented + and implemented, including: + + - Explicit approval by authorized parties. + + - Acceptable uses of the technology. + + - List of products approved by the company for employee use, including hardware + and software.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:1 + name: 12.3.1 + description: 'Each PCI DSS requirement that provides flexibility for how frequently + it is performed (for example, requirements to be performed periodically) is + supported by a targeted risk analysis that is documented and includes: + + - Identification of the assets being protected. 
+ + - Identification of the threat(s) that the requirement is protecting against. + + - Identification of factors that contribute to the likelihood and/or impact + of a threat being realized. + + - Resulting analysis that determines, and includes justification for, how + frequently the requirement must be performed to minimize the likelihood of + the threat being realized. + + - Review of each targeted risk analysis at least once every 12 months to determine + whether the results are still valid or if an updated risk analysis is needed. + + - Performance of updated risk analyses when needed, as determined by the annual + review.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:2 + name: 12.3.2 + description: 'A targeted risk analysis is performed for each PCI DSS requirement + that the entity meets with the customized approach, to include: + + - Documented evidence detailing each element specified in Appendix D: Customized + Approach (including, at a minimum, a controls matrix and risk analysis). + + - Approval of documented evidence by senior management. + + - Performance of the targeted analysis of risk at least once every 12 months.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:3 + name: 12.3.3 + description: 'Cryptographic cipher suites and protocols in use are documented + and reviewed at least once every 12 months, including at least the following: + + - An up-to-date inventory of all cryptographic cipher suites and protocols + in use, including purpose and where used. + + - Active monitoring of industry trends regarding continued viability of all + cryptographic cipher suites and protocols in use. 
+ + - A documented strategy to respond to anticipated changes in cryptographic + vulnerabilities.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:4 + name: 12.3.4 + description: "Hardware and software technologies in use are reviewed at least\ + \ once every 12 months, including at least the following:\n\u2022 Analysis\ + \ that the technologies continue to receive security fixes from vendors promptly.\n\ + \u2022 Analysis that the technologies continue to support (and do not preclude)\ + \ the entity\u2019s PCI DSS compliance.\n\u2022 Documentation of any industry\ + \ announcements or trends related to a technology, such as when a vendor has\ + \ announced \u201Cend of life\u201D plans for a technology.\n\u2022 Documentation\ + \ of a plan, approved by senior management, to remediate outdated technologies,\ + \ including those for which vendors have announced \u201Cend of life\u201D\ + \ plans." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4:1 + name: 12.4.1 + description: 'Additional requirement for service providers only: Responsibility + is established by executive management for the protection of cardholder data + and a PCI DSS compliance program to include: + + - Overall accountability for maintaining PCI DSS compliance. + + - Defining a charter for a PCI DSS compliance program and communication to + executive management.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4:2 + name: 12.4.2 + description: "Additional requirement for service providers only: Reviews are\ + \ performed at least once every three months to confirm that personnel are\ + \ performing their tasks in accordance with all security policies and operational\ + \ procedures. \nReviews are performed by personnel other than those responsible\ + \ for performing the given task and include, but are not limited to, the following\ + \ tasks:\n- Daily log reviews.\n- Configuration reviews for network security\ + \ controls.\n- Applying configuration standards to new systems.\n- Responding\ + \ to security alerts.\n- Change-management processes." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4:3 + name: 12.4.2.1 + description: 'Additional requirement for service providers only: Reviews conducted + in accordance with Requirement 12.4.2 are documented to include: + + - Results of the reviews. + + - Documented remediation actions taken for any tasks that were found to not + be performed at Requirement 12.4.2. + + - Review and sign-off of results by personnel assigned responsibility for + the PCI DSS compliance program.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:1 + name: 12.5.1 + description: An inventory of system components that are in scope for PCI DSS, + including a description of function/use, is maintained and kept current. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:2 + name: 12.5.2 + description: 'PCI DSS scope is documented and confirmed by the entity at least + once every 12 months and upon significant change to the in-scope environment. + At a minimum, the scoping validation includes: + + - Identifying all data flows for the various payment stages (for example, + authorization, capture settlement, chargebacks, and refunds) and acceptance + channels (for example, card-present, card-not-present, and e-commerce). + + - Updating all data-flow diagrams per Requirement 1.2.4. + + - Identifying all locations where account data is stored, processed, and transmitted, + including but not limited to: 1) any locations outside of the currently defined + CDE, 2) applications that process CHD, 3) transmissions between systems and + networks, and 4) file backups. + + - Identifying all system components in the CDE, connected to the CDE, or that + could impact security of the CDE. + + - Identifying all segmentation controls in use and the environment(s) from + which the CDE is segmented, including justification for environments being + out of scope. + + - Identifying all connections from third-party entities with access to the + CDE. + + - Confirming that all identified data flows, account data, system components, + segmentation controls, and connections from third parties with access to the + CDE are included in scope.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:3 + name: 12.5.2.1 + description: 'Additional requirement for service providers only: PCI DSS scope + is documented and confirmed by the entity at least once every six months and + upon significant change to the in-scope environment. At a minimum, the scoping + validation includes all the elements specified in Requirement 12.5.2.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:4 + name: 12.5.3 + description: 'Additional requirement for service providers only: Significant + changes to organizational structure result in a documented (internal) review + of the impact to PCI DSS scope and applicability of controls, with results + communicated to executive management.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:1 + name: 12.6.1 + description: "A formal security awareness program is implemented to make all\ + \ personnel aware of the entity\u2019s information security policy and procedures,\ + \ and their role in protecting the cardholder data." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:2 + name: 12.6.2 + description: "The security awareness program is:\n- Reviewed at least once every\ + \ 12 months, and\n- Updated as needed to address any new threats and vulnerabilities\ + \ that may impact the security of the entity\u2019s CDE, or the information\ + \ provided to personnel about their role in protecting cardholder data." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:3 + name: 12.6.3 + description: 'Personnel receive security awareness training as follows: + + - Upon hire and at least once every 12 months. + + - Multiple methods of communication are used. + + - Personnel acknowledge at least once every 12 months that they have read + and understood the information security policy and procedures.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:4 + name: 12.6.3.1 + description: 'Security awareness training includes awareness of threats and + vulnerabilities that could impact the security of the CDE, including but not + limited to: + + - Phishing and related attacks. + + - Social engineering.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:5 + name: 12.6.3.2 + description: Security awareness training includes awareness about the acceptable + use of end-user technologies in accordance with Requirement 12.2.1. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.7:1 + name: 12.7.1 + description: Potential personnel who will have access to the CDE are screened, + within the constraints of local laws, prior to hire to minimize the risk of + attacks from internal sources + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:1 + name: 12.8.1 + description: A list of all third-party service providers (TPSPs) with which + account data is shared or that could affect the security of account data is + maintained, including a description for each of the services provided. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:2 + name: 12.8.2 + description: "Written agreements with TPSPs are maintained as follows:\n- Written\ + \ agreements are maintained with all TPSPs with which account data is shared\ + \ or that could affect the security of the CDE.\n- Written agreements include\ + \ acknowledgments from TPSPs that they are responsible for the security of\ + \ account data the TPSPs possess or otherwise store, process, or transmit\ + \ on behalf of the entity, or to the extent that they could impact the security\ + \ of the entity\u2019s CDE." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:3 + name: 12.8.3 + description: An established process is implemented for engaging TPSPs, including + proper due diligence prior to engagement. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:4 + name: 12.8.4 + description: "A program is implemented to monitor TPSPs\u2019 PCI DSS compliance\ + \ status at least once every 12 months." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:5 + name: 12.8.5 + description: Information is maintained about which PCI DSS requirements are + managed by each TPSP, which are managed by the entity, and any that are shared + between the TPSP and the entity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9:1 + name: 12.9.1 + description: "Additional requirement for service providers only: TPSPs acknowledge\ + \ in writing to customers that they are responsible for the security of account\ + \ data the TPSP possesses or otherwise stores, processes, or transmits on\ + \ behalf of the customer, or to the extent that they could impact the security\ + \ of the customer\u2019s CDE." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9:2 + name: 12.9.2 + description: "Additional requirement for service providers only: TPSPs support\ + \ their customers\u2019 requests for information to meet Requirements 12.8.4\ + \ and 12.8.5 by providing the following upon customer request:\n- PCI DSS\ + \ compliance status information for any service the TPSP performs on behalf\ + \ of customers (Requirement 12.8.4).\n- Information about which PCI DSS requirements\ + \ are the responsibility of the TPSP and which are the responsibility of the\ + \ customer, including any shared responsibilities (Requirement 12.8.5)" + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:1 + name: 12.10.1 + description: 'An incident response plan exists and is ready to be activated + in the event of a suspected or confirmed security incident. The plan includes, + but is not limited to: + + - Roles, responsibilities, and communication and contact strategies in the + event of a suspected or confirmed security incident, including notification + of payment brands and acquirers, at a minimum. + + - Incident response procedures with specific containment and mitigation activities + for different types of incidents. + + - Business recovery and continuity procedures. + + - Data backup processes. + + - Analysis of legal requirements for reporting compromises. + + - Coverage and responses of all critical system components. + + - Reference or inclusion of incident response procedures from the payment + brands.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:2 + name: 12.10.2 + description: 'At least once every 12 months, the security incident response + plan is: + + - Reviewed and the content is updated as needed. + + - Tested, including all elements listed in Requirement 12.10.1.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:3 + name: 12.10.3 + description: Specific personnel are designated to be available on a 24/7 basis + to respond to suspected or confirmed security incidents. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:4 + name: 12.10.4 + description: Personnel responsible for responding to suspected and confirmed + security incidents are appropriately and periodically trained on their incident + response responsibilities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:5 + name: 12.10.4.1 + description: "The frequency of periodic training for incident response personnel\ + \ is defined in the entity\u2019s targeted risk analysis, which is performed\ + \ according to all elements specified in Requirement 12.3.1." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:6 + name: 12.10.5 + description: 'The security incident response plan includes monitoring and responding + to alerts from security monitoring systems, including but not limited to: + + - Intrusion-detection and intrusion-prevention systems. + + - Network security controls. + + - Change-detection mechanisms for critical files. + + - The change-and tamper-detection mechanism for payment pages. This bullet + is a best practice until its effective date; refer to Applicability Notes + below for details. + + - Detection of unauthorized wireless access points.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:7 + name: 12.10.6 + description: The security incident response plan is modified and evolved according + to lessons learned and to incorporate industry developments. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:8 + name: 12.10.7 + description: 'Incident response procedures are in place, to be initiated upon + the detection of stored PAN anywhere it is not expected, and include: + + - Determining what to do if PAN is discovered outside the CDE, including its + retrieval, secure deletion, and/or migration into the currently defined CDE, + as applicable. + + - Identifying whether sensitive authentication data is stored with PAN. + + - Determining where the account data came from and how it ended up where it + was not expected. 
+ + - Remediating data leaks or process gaps that resulted in the account data + being where it was not expected.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:1 + name: A1.1.1 + description: "Logical separation is implemented as follows:\n- The provider\ + \ cannot access its customers\u2019 environments without authorization.\n\ + - Customers cannot access the provider\u2019s environment without authorization." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:2 + name: A1.1.2 + description: Controls are implemented such that each customer only has permission + to access its own cardholder data and CDE. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:3 + name: A1.1.3 + description: Controls are implemented such that each customer can only access + resources allocated to them. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:4 + name: A1.1.4 + description: The effectiveness of logical separation controls used to separate + customer environments is confirmed at least once every six months via penetration + testing. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.2:1 + name: A1.2.1 + description: "Audit log capability is enabled for each customer\u2019s environment\ + \ that is consistent with PCI DSS Requirement 10, including:\n- Logs are enabled\ + \ for common third-party applications.\n- Logs are active by default.\n- Logs\ + \ are available for review only by the owning customer.\n- Log locations are\ + \ clearly communicated to the owning customer.\n- Log data and availability\ + \ is consistent with PCI DSS Requirement 10." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.2:2 + name: A1.2.2 + description: Processes or mechanisms are implemented to support and/or facilitate + prompt forensic investigations in the event of a suspected or confirmed security + incident for any customer. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.2:3 + name: A1.2.3 + description: 'Processes or mechanisms are implemented for reporting and addressing + suspected or confirmed security incidents and vulnerabilities, including: + + - Customers can securely report security incidents and vulnerabilities to + the provider. + + - The provider addresses and remediates suspected or confirmed security incidents + and vulnerabilities according to Requirement 6.3.1.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a2:a2.1:1 + name: A2.1.1 + description: Where POS POI terminals at the merchant or payment acceptance location + use SSL and/or early TLS, the entity confirms the devices are not susceptible + to any known exploits for those protocols. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a2:a2.1:2 + name: A2.1.2 + description: 'Additional requirement for service providers only: All service + providers with existing connection points to POS POI terminals that use SSL + and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration + Plan in place that includes: + + - Description of usage, including what data is being transmitted, types and + number of systems that use and/or support SSL/early TLS, and type of environment. + + - Risk-assessment results and risk-reduction controls in place. + + - Description of processes to monitor for new vulnerabilities associated with + SSL/early TLS. + + - Description of change control processes that are implemented to ensure SSL/early + TLS is not implemented into new environments. + + - Overview of migration project plan to replace SSL/early TLS at a future + date.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a2:a2.1:3 + name: A2.1.3 + description: 'Additional requirement for service providers only: All service + providers provide a secure service offering.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:1 + name: A3.1.1 + description: 'Responsibility is established by executive management for the + protection of account data and a PCI DSS compliance program that includes: + + - Overall accountability for maintaining PCI DSS compliance. + + - Defining a charter for a PCI DSS compliance program. + + - Providing updates to executive management and board of directors on PCI + DSS compliance initiatives and issues, including remediation activities, at + least once every 12 months.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:2 + name: A3.1.2 + description: 'A formal PCI DSS compliance program is in place that includes: + + - Definition of activities for maintaining and monitoring overall PCI DSS + compliance, including business-as-usual activities. + + - Annual PCI DSS assessment processes. + + - Processes for the continuous validation of PCI DSS requirements (for example, + daily, weekly, every three months, as applicable per the requirement). + + - A process for performing business-impact analysis to determine potential + PCI DSS impacts for strategic business decisions.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:3 + name: A3.1.3 + description: 'PCI DSS compliance roles and responsibilities are specifically + defined and formally assigned to one or more personnel, including: + + - Managing PCI DSS business-as-usual activities. + + - Managing annual PCI DSS assessments. + + - Managing continuous validation of PCI DSS requirements (for example, daily, + weekly, every three months, as applicable per the requirement). + + - Managing business-impact analysis to determine potential PCI DSS impacts + for strategic business decisions.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:4 + name: A3.1.4 + description: Up-to-date PCI DSS and/or information security training is provided + at least once every 12 months to personnel with PCI DSS compliance responsibilities + (as identified in A3.1.3). 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:1 + name: A3.2.1 + description: 'PCI DSS scope is documented and confirmed for accuracy at least + once every three months and upon significant changes to the in-scope environment. + At a minimum, the scoping validation includes: + + - Identifying all data flows for the various payment stages (for example, + authorization, capture, settlement, chargebacks, and refunds) and acceptance + channels (for example, card-present, card-not-present, and e-commerce). + + - Updating all data-flow diagrams per Requirement 1.2.4. + + - Identifying all locations where account data is stored, processed, and transmitted, + including but not limited to 1) any locations outside of the currently defined + CDE, 2) applications that process CHD, 3) transmissions between systems and + networks, and 4) file backups. + + - For any account data found outside of the currently defined CDE, either + 1) securely delete it, 2) migrate it into the currently defined CDE, or 3) + expand the currently defined CDE to include it. + + - Identifying all system components in the CDE, connected to the CDE, or that + could impact security of the CDE. + + - Identifying all segmentation controls in use and the environment(s) from + which the CDE is segmented, including justification for environments being + out of scope. + + - Identifying all connections to third-party entities with access to the CDE. + + - Confirming that all identified data flows, account data, system components, + segmentation controls, and connections from third parties with access to the + CDE are included in scope.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:2 + name: A3.2.2 + description: 'PCI DSS scope impact for all changes to systems or networks is + determined, including additions of new systems and new network connections. + Processes include: + + - Performing a formal PCI DSS impact assessment. + + - Identifying applicable PCI DSS requirements to the system or network. + + - Updating PCI DSS scope as appropriate. + + - Documented sign-off of the results of the impact assessment by responsible + personnel (as defined in A3.1.3).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:3 + name: A3.2.2.1 + description: Upon completion of a change, all relevant PCI DSS requirements + are confirmed to be implemented on all new or changed systems and networks, + and documentation is updated as applicable. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:4 + name: A3.2.3 + description: Changes to organizational structure result in a formal (internal) + review of the impact to PCI DSS scope and applicability of controls. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:5 + name: A3.2.4 + description: "If segmentation is used, PCI DSS scope is confirmed as follows:\n\ + \u2022 Per the entity\u2019s methodology defined at Requirement 11.4.1.\n\u2022\ + \ Penetration testing is performed on segmentation controls at least once\ + \ every six months and after any changes to segmentation controls/methods.\n\ + \u2022 The penetration testing covers all segmentation controls/methods in\ + \ use.\n\u2022 The penetration testing verifies that segmentation controls/methods\ + \ are operational and effective, and isolate the CDE from all out-of-scope\ + \ systems." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:6 + name: A3.2.5 + description: 'A data-discovery methodology is implemented that: + + - Confirms PCI DSS scope. + + - Locates all sources and locations of cleartext PAN at least once every three + months and upon significant changes to the CDE or processes. + + - Addresses the potential for cleartext PAN to reside on systems and networks + outside the currently defined CDE' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:7 + name: A3.2.5.1 + description: 'Data discovery methods are confirmed as follows: + + - Effectiveness of methods is tested. + + - Methods are able to discover cleartext PAN on all types of system components + and file formats in use. + + - The effectiveness of data-discovery methods is confirmed at least once every + 12 months.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:8 + name: A3.2.5.2 + description: 'Response procedures are implemented to be initiated upon the detection + of cleartext PAN outside the CDE to include: + + - Determining what to do if cleartext PAN is discovered outside the CDE, including + its retrieval, secure deletion, and/or migration into the currently defined + CDE, as applicable. + + - Determining how the data ended up outside the CDE. + + - Remediating data leaks or process gaps that resulted in the data being outside + the CDE. + + - Identifying the source of the data. + + - Identifying whether any track data is stored with the PANs.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:9 + name: A3.2.6 + description: 'Mechanisms are implemented for detecting and preventing cleartext + PAN from leaving the CDE via an unauthorized channel, method, or process, + including mechanisms that are: + + - Actively running. + + - Configured to detect and prevent cleartext PAN leaving the CDE via an unauthorized + channel, method, or process. + + - Generating audit logs and alerts upon detection of cleartext PAN leaving + the CDE via an unauthorized channel, method, or process.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:10 + name: A3.2.6.1 + description: 'Response procedures are implemented to be initiated upon the detection + of attempts to remove cleartext PAN from the CDE via an unauthorized channel, + method, or process. Response procedures include: + + - Procedures for the prompt investigation of alerts by responsible personnel. + + - Procedures for remediating data leaks or process gaps, as necessary, to + prevent any data loss.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:1 + name: A3.3.1 + description: 'Failures of critical security control systems are detected, alerted, + and addressed promptly, including but not limited to failure of: + + - Network security controls + + - IDS/IPS + + - FIM + + - Anti-malware solutions + + - Physical access controls + + - Logical access controls + + - Audit logging mechanisms + + - Segmentation controls (if used) + + - Automated audit log review mechanisms. This bullet is a best practice until + its effective date. + + - Automated code review tools (if used). This bullet is a best practice until + its effective date.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:2 + name: A3.3.1.2 + description: 'Failures of any critical security control systems are responded + to promptly. Processes for responding to failures in security control systems + include: + + - Restoring security functions. + + - Identifying and documenting the duration (date and time from start to end) + of the security failure. + + - Identifying and documenting the cause(s) of failure, including root cause, + and documenting remediation required to address the root cause. + + - Identifying and addressing any security issues that arose during the failure. + + - Determining whether further actions are required as a result of the security + failure. + + - Implementing controls to prevent the cause of failure from reoccurring. + + - Resuming monitoring of security controls.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:3 + name: A3.3.2 + description: "Hardware and software technologies are reviewed at least once\ + \ every 12 months to confirm whether they continue to meet the organization\u2019\ + s PCI DSS requirements." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:4 + name: A3.3.3 + description: 'Reviews are performed at least once every three months to verify + BAU activities are being followed. Reviews are performed by personnel assigned + to the PCI DSS compliance program (as identified in A3.1.3), and include: + + - Confirmation that all BAU activities, including A3.2.2, A3.2.6, and A3.3.1, + are being performed. + + - Confirmation that personnel are following security policies and operational + procedures (for example, daily log reviews, ruleset reviews for network security + controls, configuration standards for new systems). + + - Documenting how the reviews were completed, including how all BAU activities + were verified as being in place. + + - Collection of documented evidence as required for the annual PCI DSS assessment. + + - Review and sign-off of results by personnel assigned responsibility for + the PCI DSS compliance program, as identified in A3.1.3. + + - Retention of records and documentation for at least 12 months, covering + all BAU activities.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.4:1 + name: A3.4.1 + description: User accounts and access privileges to in-scope system components + are reviewed at least once every six months to ensure user accounts and access + privileges remain appropriate based on job function, and that all access is + authorized. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.5:1 + name: A3.5.1 + description: 'A methodology is implemented for the prompt identification of + attack patterns and undesirable behavior across systems that includes: + + - Identification of anomalies or suspicious activity as it occurs. + + - Issuance of prompt alerts upon detection of suspicious activity or anomaly + to responsible personnel. + + - Response to alerts in accordance with documented response procedures.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.5 + security_functions: [] + threats: [] diff --git a/library/libraries/soc2.yaml b/library/libraries/soc2.yaml new file mode 100644 index 0000000..c8b45f5 --- /dev/null +++ b/library/libraries/soc2.yaml 
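Review bot: the bullet style inside the pcidss-4.0 hunk above is inconsistent: A3.2.4 is a double-quoted scalar with `\u2022` bullets and `\n` breaks, while A3.2.2, A3.2.5, A3.3.1 and the other multi-item descriptions use single-quoted scalars with `- ` items separated by blank lines, so whatever renders `description` will show two different bullet glyphs within the same appendix; pick one form (the `- ` list form is already the majority) and convert A3.2.4 to it. Two smaller points in the same hunk: the last item of A3.2.5, `outside the currently defined CDE`, lacks the terminating period that every sibling item has, and the name sequence under a3.3 jumps from `A3.3.1` (urn `a3.3:1`) to `A3.3.1.2` (urn `a3.3:2`) with no `A3.3.1.1`, so please confirm whether an entry is missing or the name is a typo. Finally, `This bullet is a best practice until its effective date.` appears twice in A3.3.1 without any date, so a reader of the library cannot tell when those items become mandatory; either state the date the standard gives or drop the sentence from the description.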
@@ -0,0 +1,2338 @@ +urn: urn:intuitem:risk:library:soc2-2017 +locale: en +name: SOC2-2017 +description: 'SOC2-2017 Trust Services Criteria ' +version: 1 +objects: + framework: + urn: urn:intuitem:risk:framework:soc2-2017 + provider: AICPA + name: SOC2-2017 + description: 'SOC2-2017 Trust Services Criteria ' + version: '1.0' + requirement_groups: + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment + name: Control Environment + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.1 + name: CC1.1 + description: "COSO Principle 1\n The entity demonstrates a commitment to integrity\ + \ and ethical values." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.2 + name: CC1.2 + description: "COSO Principle 2\n The board of directors demonstrates independence\ + \ from management and exercises oversight of the development and performance\ + \ of internal control." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.3 + name: CC1.3 + description: "COSO Principle 3\n Management establishes, with board oversight,\ + \ structures, reporting lines, and appropriate authorities and responsibilities\ + \ in the pursuit of objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + name: CC1.4 + description: "COSO Principle 4\n The entity demonstrates a commitment to attract,\ + \ develop, and retain competent individuals in alignment with objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.5 + name: CC1.5 + description: "COSO Principle 5\n The entity holds individuals accountable for\ + \ their internal control responsibilities in the pursuit of objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment + - urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information + name: Communication and Information + - urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.1 + name: CC2.1 + description: "COSO Principle 13\n The entity obtains or generates and uses relevant,\ + \ quality information to support the functioning of internal control." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information + - urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + name: CC2.2 + description: "COSO Principle 14\n The entity internally communicates information,\ + \ including objectives and responsibilities for internal control, necessary\ + \ to support the functioning of internal control." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information + - urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + name: CC2.3 + description: "COSO Principle 15\n The entity communicates with external parties\ + \ regarding matters affecting the functioning of internal control." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment + name: Risk Assessment + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + name: CC3.1 + description: "COSO Principle 6\n The entity specifies objectives with sufficient\ + \ clarity to enable the identification and assessment of risks relating to\ + \ objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + name: CC3.2 + description: "COSO Principle 7\n The entity identifies risks to the achievement\ + \ of its objectives across the entity and analyzes risks as a basis for determining\ + \ how the risks should be managed." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.3 + name: CC3.3 + description: "COSO Principle 8\n The entity considers the potential for fraud\ + \ in assessing risks to the achievement of objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.4 + name: CC3.4 + description: "COSO Principle 9\n The entity identifies and assesses changes\ + \ that could significantly impact the system of internal control." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment + - urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities + name: Monitoring Activities + - urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + name: CC4.1 + description: "COSO Principle 16\n The entity selects, develops, and performs\ + \ ongoing and/or separate evaluations to ascertain whether the components\ + \ of internal control are present and functioning." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities + - urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.2 + name: CC4.2 + description: "COSO Principle 17\n The entity evaluates and communicates internal\ + \ control deficiencies in a timely manner to those parties responsible for\ + \ taking corrective action, including senior management and the board of directors,\ + \ as appropriate." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities + name: Control Activities + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.1 + name: CC5.1 + description: "COSO Principle 10\n The entity selects and develops control activities\ + \ that contribute to the mitigation of risks to the achievement of objectives\ + \ to acceptable levels." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.2 + name: CC5.2 + description: "COSO Principle 11\n The entity also selects and develops general\ + \ control activities over technology to support the achievement of objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities + - urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.3 + name: CC5.3 + description: "COSO Principle 12\n The entity deploys control activities through\ + \ policies that establish what is expected and in procedures that put policies\ + \ into action." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + name: Logical and Physical Access Controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + name: CC6.1 + description: The entity implements logical access security software, infrastructure, + and architectures over protected information assets to protect them from security + events to meet the entity's objectives. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.2 + name: CC6.2 + description: Prior to issuing system credentials and granting system access, + the entity registers and authorizes new internal and external users whose + access is administered by the entity. For those users whose access is administered + by the entity, user system credentials are removed when user access is no + longer authorized. 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.3 + name: CC6.3 + description: "The entity authorizes, modifies, or removes access to data, software,\ + \ functions, and other protected information assets based on roles, responsibilities,\ + \ or the system design and changes, giving consideration to the concepts of\ + \ least privilege and segregation of duties, to meet the entity\u2019s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.4 + name: CC6.4 + description: "The entity restricts physical access to facilities and protected\ + \ information assets (for example, data center facilities, back-up media storage,\ + \ and other sensitive locations) to authorized personnel to meet the entity\u2019\ + s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.5 + name: CC6.5 + description: "The entity discontinues logical and physical protections over\ + \ physical assets only after the ability to read or recover data and software\ + \ from those assets has been diminished and is no longer required to meet\ + \ the entity\u2019s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.6 + name: CC6.6 + description: The entity implements logical access security measures to protect + against threats from sources outside its system boundaries. 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.7 + name: CC6.7 + description: "The entity restricts the transmission, movement, and removal of\ + \ information to authorized internal and external users and processes, and\ + \ protects it during transmission, movement, or removal to meet the entity\u2019\ + s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.8 + name: CC6.8 + description: "The entity implements controls to prevent or detect and act upon\ + \ the introduction of unauthorized or malicious software to meet the entity\u2019\ + s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls + - urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations + name: System Operations + - urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.1 + name: CC7.1 + description: To meet its objectives, the entity uses detection and monitoring + procedures to identify (1) changes to configurations that result in the introduction + of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations + - urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.2 + name: CC7.2 + description: The entity monitors system components and the operation of those + components for anomalies that are indicative of malicious acts, natural disasters, + and errors affecting the entity's ability to meet its objectives; anomalies + are analyzed to determine whether they represent security events. 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations + - urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.3 + name: CC7.3 + description: The entity evaluates security events to determine whether they + could or have resulted in a failure of the entity to meet its objectives (security + incidents) and, if so, takes actions to prevent or address such failures. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations + - urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + name: CC7.4 + description: The entity responds to identified security incidents by executing + a defined incident response program to understand, contain, remediate, and + communicate security incidents, as appropriate. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations + - urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.5 + name: CC7.5 + description: The entity identifies, develops, and implements activities to recover + from identified security incidents. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations + - urn: urn:intuitem:risk:req_groups:soc2-2017:change-management + name: Change Management + - urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + name: CC8.1 + description: The entity authorizes, designs, develops or acquires, configures, + documents, tests, approves, and implements changes to infrastructure, data, + software, and procedures to meet its objectives. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation + name: Risk Mitigation + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.1 + name: CC9.1 + description: The entity identifies, selects, and develops risk mitigation activities + for risks arising from potential business disruptions. 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation + - urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + name: CC9.2 + description: The entity assesses and manages risks associated with vendors and + business partners. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability + name: Additional Criteria for Availability + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.1 + name: A1.1 + description: The entity maintains, monitors, and evaluates current processing + capacity and use of system components (infrastructure, data, and software) + to manage capacity demand and to enable the implementation of additional capacity + to help meet its objectives. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + name: A1.2 + description: The entity authorizes, designs, develops or acquires, implements, + operates, approves, maintains, and monitors environmental protections, software, + data back-up processes, and recovery infrastructure to meet its objectives. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.3 + name: A1.3 + description: The entity tests recovery plan procedures supporting system recovery + to meet its objectives. 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality + name: Additional Criteria for Confidentiality + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality:c1.1 + name: C1.1 + description: "The entity identifies and maintains confidential information to\ + \ meet the entity\u2019s objectives related to confidentiality." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality:c1.2 + name: C1.2 + description: "The entity disposes of confidential information to meet the entity\u2019\ + s objectives related to confidentiality." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity + name: Additional Criteria for Processing Integrity + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.1 + name: PI1.1 + description: The entity obtains or generates, uses, and communicates relevant, + quality information regarding the objectives related to processing, including + definitions of data processed and product and service specifications, to support + the use of products and services. + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.2 + name: PI1.2 + description: "The entity implements policies and procedures over system inputs,\ + \ including controls over completeness and accuracy, to result in products,\ + \ services, and reporting to meet the entity\u2019s objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.3 + name: PI1.3 + description: "The entity implements policies and procedures over system processing\ + \ to result in products, services, and reporting to meet the entity\u2019\ + s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.4 + name: PI1.4 + description: "The entity implements policies and procedures to make available\ + \ or deliver output completely, accurately, and timely in accordance with\ + \ specifications to meet the entity\u2019s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.5 + name: PI1.5 + description: "The entity implements policies and procedures to store inputs,\ + \ items in processing, and outputs completely, accurately, and timely in accordance\ + \ with system specifications to meet the entity\u2019s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + name: Additional Criteria for Privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p1.1 + name: P1.1 + description: "The entity provides notice to data subjects about its privacy\ + \ practices to meet the entity\u2019s objectives related to privacy. The notice\ + \ is updated and communicated to data subjects in a timely manner for changes\ + \ to the entity\u2019s privacy practices, including changes in the use of\ + \ personal information, to meet the entity\u2019s objectives related to privacy." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p2.1 + name: P2.1 + description: "The entity communicates choices available regarding the collection,\ + \ use, retention, disclosure, and disposal of personal information to the\ + \ data subjects and the consequences, if any, of each choice. Explicit consent\ + \ for the collection, use, retention, disclosure, and disposal of personal\ + \ information is obtained from data subjects or other authorized persons,\ + \ if required. Such consent is obtained only for the intended purpose of the\ + \ information to meet the entity\u2019s objectives related to privacy. The\ + \ entity\u2019s basis for determining implicit consent for the collection,\ + \ use, retention, disclosure, and disposal of personal information is documented." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.1 + name: P3.1 + description: "Personal information is collected consistent with the entity\u2019\ + s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.2 + name: P3.2 + description: "For information requiring explicit consent, the entity communicates\ + \ the need for such consent, as well as the consequences of a failure to provide\ + \ consent for the request for personal information, and obtains the consent\ + \ prior to the collection of the information to meet the entity\u2019s objectives\ + \ related to privacy." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.1 + name: P4.1 + description: "The entity limits the use of personal information to the purposes\ + \ identified in the entity\u2019s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.2 + name: P4.2 + description: "The entity retains personal information consistent with the entity\u2019\ + s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.3 + name: P4.3 + description: "The entity securely disposes of personal information to meet the\ + \ entity\u2019s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.1 + name: P5.1 + description: "The entity grants identified and authenticated data subjects the\ + \ ability to access their stored personal information for review and, upon\ + \ request, provides physical or electronic copies of that information to data\ + \ subjects to meet the entity\u2019s objectives related to privacy. If access\ + \ is denied, data subjects are informed of the denial and reason for such\ + \ denial, as required, to meet the entity\u2019s objectives related to privacy." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.2 + name: P5.2 + description: "The entity corrects, amends, or appends personal information based\ + \ on information provided by data subjects and communicates such information\ + \ to third parties, as committed or required, to meet the entity\u2019s objectives\ + \ related to privacy. If a request for correction is denied, data subjects\ + \ are informed of the denial and reason for such denial to meet the entity\u2019\ + s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.1 + name: P6.1 + description: "The entity discloses personal information to third parties with\ + \ the explicit consent of data subjects, and such consent is obtained prior\ + \ to disclosure to meet the entity\u2019s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.2 + name: P6.2 + description: "The entity creates and retains a complete, accurate, and timely\ + \ record of authorized disclosures of personal information to meet the entity\u2019\ + s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.3 + name: P6.3 + description: "The entity creates and retains a complete, accurate, and timely\ + \ record of detected or reported unauthorized disclosures (including breaches)\ + \ of personal information to meet the entity\u2019s objectives related to\ + \ privacy." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.4 + name: P6.4 + description: "The entity obtains privacy commitments from vendors and other\ + \ third parties who have access to personal information to meet the entity\u2019\ + s objectives related to privacy. The entity assesses those parties\u2019 compliance\ + \ on a periodic and as-needed basis and takes corrective action, if necessary." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.5 + name: P6.5 + description: "The entity obtains commitments from vendors and other third parties\ + \ with access to personal information to notify the entity in the event of\ + \ actual or suspected unauthorized disclosures of personal information. Such\ + \ notifications are reported to appropriate personnel and acted on in accordance\ + \ with established incident response procedures to meet the entity\u2019s\ + \ objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.6 + name: P6.6 + description: "The entity provides notification of breaches and incidents to\ + \ affected data subjects, regulators, and others to meet the entity\u2019\ + s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.7 + name: P6.7 + description: "The entity provides data subjects with an accounting of the personal\ + \ information held and disclosure of the data subjects\u2019 personal information,\ + \ upon the data subjects\u2019 request, to meet the entity\u2019s objectives\ + \ related to privacy." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p7.1 + name: P7.1 + description: "The entity collects and maintains accurate, up-to-date, complete,\ + \ and relevant personal information to meet the entity\u2019s objectives related\ + \ to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + - urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p8.1 + name: P8.1 + description: "The entity implements a process for receiving, addressing, resolving,\ + \ and communicating the resolution of inquiries, complaints, and disputes\ + \ from data subjects and others and periodically monitors compliance to meet\ + \ the entity\u2019s objectives related to privacy. Corrections and other necessary\ + \ actions related to identified deficiencies are made or taken in a timely\ + \ manner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy + requirements: + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.1:1 + name: CC1.1.1 + description: "Sets the Tone at the Top\n The board of directors and management,\ + \ at all levels, demonstrate through their directives, actions, and behavior\ + \ the importance of integrity and ethical values to support the functioning\ + \ of the system of internal control." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.1:2 + name: CC1.1.2 + description: "Establishes Standards of Conduct\n The expectations of the board\ + \ of directors and senior management concerning integrity and ethical values\ + \ are defined in the entity\u2019s standards of conduct and understood at\ + \ all levels of the entity and by outsourced service providers and business\ + \ partners." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.1:3 + name: CC1.1.3 + description: "Evaluates Adherence to Standards of Conduct\n Processes are in\ + \ place to evaluate the performance of individuals and teams against the entity\u2019\ + s expected standards of conduct." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.1:4 + name: CC1.1.4 + description: "Addresses Deviations in a Timely Manner\n Deviations from the\ + \ entity\u2019s expected standards of conduct are identified and remedied\ + \ in a timely and consistent manner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.1:5 + name: CC1.1.5 + description: "Considers Contractors and Vendor Employees in Demonstrating Its\ + \ Commitment\n Management and the board of directors consider the use of contractors\ + \ and vendor employees in its processes for establishing standards of conduct,\ + \ evaluating adherence to those standards, and addressing deviations in a\ + \ timely manner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.2:1 + name: CC1.2.1 + description: "Establishes Oversight Responsibilities\n The board of directors\ + \ identifies and accepts its oversight responsibilities in relation to established\ + \ requirements and expectations." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.2:2 + name: CC1.2.2 + description: "Applies Relevant Expertise\n The board of directors defines, maintains,\ + \ and periodically evaluates the skills and expertise needed among its members\ + \ to enable them to ask probing questions of senior management and take commensurate\ + \ action." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.2:3 + name: CC1.2.3 + description: "Operates Independently\n The board of directors has sufficient\ + \ members who are independent from management and objective in evaluations\ + \ and decision making." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.2:4 + name: CC1.2.4 + description: "Supplements Board Expertise\n The board of directors supplements\ + \ its expertise relevant to security, availability, processing integrity,\ + \ confidentiality, and privacy, as needed, through the use of a subcommittee\ + \ or consultants." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.3:1 + name: CC1.3.1 + description: "Considers All Structures of the Entity\n Management and the board\ + \ of directors consider the multiple structures used (including operating\ + \ units, legal entities, geographic distribution, and outsourced service providers)\ + \ to support the achievement of objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.3:2 + name: CC1.3.2 + description: "Establishes Reporting Lines\n Management designs and evaluates\ + \ lines of reporting for each entity structure to enable execution of authorities\ + \ and responsibilities and flow of information to manage the activities of\ + \ the entity." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.3:3 + name: CC1.3.3 + description: "Defines, Assigns, and Limits Authorities and Responsibilities\n\ + \ Management and the board of directors delegate authority, define responsibilities,\ + \ and use appropriate processes and technology to assign responsibility and\ + \ segregate duties as necessary at the various levels of the organization." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.3:4 + name: CC1.3.4 + description: "Addresses Specific Requirements When Defining Authorities and\ + \ Responsibilities\n Management and the board of directors consider requirements\ + \ relevant to security, availability, processing integrity, confidentiality,\ + \ and privacy when defining authorities and responsibilities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.3:5 + name: CC1.3.5 + description: "Considers Interactions With External Parties When Establishing\ + \ Structures, Reporting Lines, Authorities, and Responsibilities\n Management\ + \ and the board of directors consider the need for the entity to interact\ + \ with and monitor the activities of external parties when establishing structures,\ + \ reporting lines, authorities, and responsibilities." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.4:1 + name: CC1.4.1 + description: "Establishes Policies and Practices\n Policies and practices reflect\ + \ expectations of competence necessary to support the achievement of objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.4:2 + name: CC1.4.2 + description: "Evaluates Competence and Addresses Shortcomings\n The board of\ + \ directors and management evaluate competence across the entity and in outsourced\ + \ service providers in relation to established policies and practices and\ + \ act as necessary to address shortcomings." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.4:3 + name: CC1.4.3 + description: "Attracts, Develops, and Retains Individuals\n The entity provides\ + \ the mentoring and training needed to attract, develop, and retain sufficient\ + \ and competent personnel and outsourced service providers to support the\ + \ achievement of objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.4:4 + name: CC1.4.4 + description: "Plans and Prepares for Succession\n Senior management and the\ + \ board of directors develop contingency plans for assignments of responsibility\ + \ important for internal control." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.4:5 + name: CC1.4.5 + description: "Considers the Background of Individuals\n The entity considers\ + \ the background of potential and existing personnel, contractors, and vendor\ + \ employees when determining whether to employ and retain the individuals." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.4:6 + name: CC1.4.6 + description: "Considers the Technical Competency of Individuals\n The entity\ + \ considers the technical competency of potential and existing personnel,\ + \ contractors, and vendor employees when determining whether to employ and\ + \ retain the individuals." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.4:7 + name: CC1.4.7 + description: "Provides Training to Maintain Technical Competencies\n The entity\ + \ provides training programs, including continuing education and training,\ + \ to ensure skill sets and technical competency of existing personnel, contractors,\ + \ and vendor employees are developed and maintained." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.5:1 + name: CC1.5.1 + description: "Enforces Accountability Through Structures, Authorities, and Responsibilities\n\ + \ Management and the board of directors establish the mechanisms to communicate\ + \ and hold individuals accountable for performance of internal control responsibilities\ + \ across the entity and implement corrective action as necessary." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.5:2 + name: CC1.5.2 + description: "Establishes Performance Measures, Incentives, and Rewards\n Management\ + \ and the board of directors establish performance measures, incentives, and\ + \ other rewards appropriate for responsibilities at all levels of the entity,\ + \ reflecting appropriate dimensions of performance and expected standards\ + \ of conduct, and considering the achievement of both short-term and longer-term\ + \ objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.5:3 + name: CC1.5.3 + description: "Evaluates Performance Measures, Incentives, and Rewards for Ongoing\ + \ Relevance\n Management and the board of directors align incentives and rewards\ + \ with the fulfillment of internal control responsibilities in the achievement\ + \ of objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.5:4 + name: CC1.5.4 + description: "Considers Excessive Pressures\n Management and the board of directors\ + \ evaluate and adjust pressures associated with the achievement of objectives\ + \ as they assign responsibilities, develop performance measures, and evaluate\ + \ performance." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-environment:cc1.5:5 + name: CC1.5.5 + description: "Evaluates Performance and Rewards or Disciplines Individuals\n\ + \ Management and the board of directors evaluate performance of internal control\ + \ responsibilities, including adherence to standards of conduct and expected\ + \ levels of competence, and provide rewards or exercise disciplinary action,\ + \ as appropriate." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-environment:cc1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.1:1 + name: CC2.1.1 + description: "Identifies Information Requirements\n A process is in place to\ + \ identify the information required and expected to support the functioning\ + \ of the other components of internal control and the achievement of the entity\u2019\ + s objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.1:2 + name: CC2.1.2 + description: "Captures Internal and External Sources of Data\n Information systems\ + \ capture internal and external sources of data." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.1:3 + name: CC2.1.3 + description: "Processes Relevant Data Into Information\n Information systems\ + \ process and transform relevant data into information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.1:4 + name: CC2.1.4 + description: "Maintains Quality Throughout Processing\n Information systems\ + \ produce information that is timely, current, accurate, complete, accessible,\ + \ protected, verifiable, and retained. Information is reviewed to assess its\ + \ relevance in supporting the internal control components." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:1 + name: CC2.2.1 + description: "Communicates Internal Control Information\n A process is in place\ + \ to communicate required information to enable all personnel to understand\ + \ and carry out their internal control responsibilities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:2 + name: CC2.2.2 + description: "Communicates With the Board of Directors\n Communication exists\ + \ between management and the board of directors so that both have information\ + \ needed to fulfill their roles with respect to the entity\u2019s objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:3 + name: CC2.2.3 + description: "Provides Separate Communication Lines\n Separate communication\ + \ channels, such as whistle-blower hotlines, are in place and serve as fail-safe\ + \ mechanisms to enable anonymous or confidential communication when normal\ + \ channels are inoperative or ineffective." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:4 + name: CC2.2.4 + description: "Selects Relevant Method of Communication\n The method of communication\ + \ considers the timing, audience, and nature of the information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:5 + name: CC2.2.5 + description: "Communicates Responsibilities\n Entity personnel with responsibility\ + \ for designing, developing, implementing, operating, maintaining, or monitoring\ + \ system controls receive communications about their responsibilities, including\ + \ changes in their responsibilities, and have the information necessary to\ + \ carry out those responsibilities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:6 + name: CC2.2.6 + description: "Communicates Information on Reporting Failures, Incidents, Concerns,\ + \ and Other Matters\n Entity personnel are provided with information on how\ + \ to report systems failures, incidents, concerns, and other complaints to\ + \ personnel." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:7 + name: CC2.2.7 + description: "Communicates Objectives and Changes to Objectives\n The entity\ + \ communicates its objectives and changes to those objectives to personnel\ + \ in a timely manner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:8 + name: CC2.2.8 + description: "Communicates Information to Improve Security Knowledge and Awareness\n\ + \ The entity communicates information to improve security knowledge and awareness\ + \ and to model appropriate security behaviors to personnel through a security\ + \ awareness training program." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:9 + name: CC2.2.9 + description: "Communicates Information About System Operation and Boundaries\n\ + \ The entity prepares and communicates information about the design and operation\ + \ of the system and its boundaries to authorized personnel to enable them\ + \ to understand their role in the system and the results of system operation." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:10 + name: CC2.2.10 + description: "Communicates System Objectives\n The entity communicates its objectives\ + \ to personnel to enable them to carry out their responsibilities." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.2:11 + name: CC2.2.11 + description: "Communicates System Changes\n System changes that affect responsibilities\ + \ or the achievement of the entity's objectives are communicated in a timely\ + \ manner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:1 + name: CC2.3.1 + description: "Communicates to External Parties\n Processes are in place to communicate\ + \ relevant and timely information to external parties, including shareholders,\ + \ partners, owners, regulators, customers, financial analysts, and other external\ + \ parties." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:2 + name: CC2.3.2 + description: "Enables Inbound Communications\n Open communication channels allow\ + \ input from customers, consumers, suppliers, external auditors, regulators,\ + \ financial analysts, and others, providing management and the board of directors\ + \ with relevant information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:3 + name: CC2.3.3 + description: "Communicates With the Board of Directors\n Relevant information\ + \ resulting from assessments conducted by external parties is communicated\ + \ to the board of directors." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:4 + name: CC2.3.4 + description: "Provides Separate Communication Lines\n Separate communication\ + \ channels, such as whistle-blower hotlines, are in place and serve as fail-safe\ + \ mechanisms to enable anonymous or confidential communication when normal\ + \ channels are inoperative or ineffective." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:5 + name: CC2.3.5 + description: "Selects Relevant Method of Communication\n The method of communication\ + \ considers the timing, audience, and nature of the communication and legal,\ + \ regulatory, and fiduciary requirements and expectations." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:6 + name: CC2.3.6 + description: "Communicates Objectives Related to Confidentiality and Changes\ + \ to Objectives\n The entity communicates, to external users, vendors, business\ + \ partners and others whose products and services are part of the system,\ + \ objectives and changes to objectives related to confidentiality." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:7 + name: CC2.3.7 + description: "Communicates Objectives Related to Privacy and Changes to Objectives\n\ + \ The entity communicates, to external users, vendors, business partners and\ + \ others whose products and services are part of the system, objectives related\ + \ to privacy and changes to those objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:8 + name: CC2.3.8 + description: "Communicates Information About System Operation and Boundaries\u2014\ + The entity prepares and communicates information about the design and operation\ + \ of the system and its boundaries to authorized external users to permit\ + \ users to understand their role in the system and the results of system operation." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:9 + name: CC2.3.9 + description: "Communicates System Objectives\n The entity communicates its system\ + \ objectives to appropriate external users." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:10 + name: CC2.3.10 + description: "Communicates System Responsibilities\n External users with responsibility\ + \ for designing, developing, implementing, operating, maintaining, and monitoring\ + \ system controls receive communications about their responsibilities and\ + \ have the information necessary to carry out those responsibilities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:communication-and-information:cc2.3:11 + name: CC2.3.11 + description: "Communicates Information on Reporting System Failures, Incidents,\ + \ Concerns, and Other Matters\n External users are provided with information\ + \ on how to report systems failures, incidents, concerns, and other complaints\ + \ to appropriate personnel." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:communication-and-information:cc2.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:1 + name: CC3.1.1 + description: "Operations Objectives\n \n\n Reflects Management's Choices\n Operations\ + \ objectives reflect management's choices about structure, industry considerations,\ + \ and performance of the entity." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:2 + name: CC3.1.2 + description: "Considers Tolerances for Risk\n Management considers the acceptable\ + \ levels of variation relative to the achievement of operations objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:3 + name: CC3.1.3 + description: "Includes Operations and Financial Performance Goals\n The organization\ + \ reflects the desired level of operations and financial performance for the\ + \ entity within operations objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:4 + name: CC3.1.4 + description: "Forms a Basis for Committing of Resources\n Management uses operations\ + \ objectives as a basis for allocating resources needed to attain desired\ + \ operations and financial performance." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:5 + name: CC3.1.5 + description: "External Financial Reporting Objectives\n \n\n Complies With Applicable\ + \ Accounting Standards\n Financial reporting objectives are consistent with\ + \ accounting principles suitable and available for that entity. The accounting\ + \ principles selected are appropriate in the circumstances." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:6 + name: CC3.1.6 + description: "Considers Materiality\n Management considers materiality in financial\ + \ statement presentation." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:7 + name: CC3.1.7 + description: "Reflects Entity Activities\n External reporting reflects the underlying\ + \ transactions and events to show qualitative characteristics and assertions." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:8 + name: CC3.1.8 + description: "External Nonfinancial Reporting Objectives\n \n\n Complies With\ + \ Externally Established Frameworks\n Management establishes objectives consistent\ + \ with laws and regulations or standards and frameworks of recognized external\ + \ organizations." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:9 + name: CC3.1.9 + description: "Considers the Required Level of Precision\n Management reflects\ + \ the required level of precision and accuracy suitable for user needs and\ + \ based on criteria established by third parties in nonfinancial reporting." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:10 + name: CC3.1.10 + description: "Reflects Entity Activities\n External reporting reflects the underlying\ + \ transactions and events within a range of acceptable limits." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:11 + name: CC3.1.11 + description: "Internal Reporting Objectives\n \n\n Reflects Management's Choices\n\ + \ Internal reporting provides management with accurate and complete information\ + \ regarding management's choices and information needed in managing the entity." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:12 + name: CC3.1.12 + description: "Considers the Required Level of Precision\n Management reflects\ + \ the required level of precision and accuracy suitable for user needs in\ + \ nonfinancial reporting objectives and materiality within financial reporting\ + \ objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:13 + name: CC3.1.13 + description: "Reflects Entity Activities\n Internal reporting reflects the underlying\ + \ transactions and events within a range of acceptable limits." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:14 + name: CC3.1.14 + description: "Compliance Objectives\n \n\n Reflects External Laws and Regulations\n\ + \ Laws and regulations establish minimum standards of conduct, which the entity\ + \ integrates into compliance objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:15 + name: CC3.1.15 + description: "Considers Tolerances for Risk\n Management considers the acceptable\ + \ levels of variation relative to the achievement of operations objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.1:16 + name: CC3.1.16 + description: "Establishes Sub-objectives to Support Objectives\n Management\ + \ identifies sub-objectives related to security, availability, processing\ + \ integrity, confidentiality, and privacy to support the achievement of the\ + \ entity\u2019s objectives related to reporting, operations, and compliance." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:1 + name: CC3.2.1 + description: "Includes Entity, Subsidiary, Division, Operating Unit, and Functional\ + \ Levels\n The entity identifies and assesses risk at the entity, subsidiary,\ + \ division, operating unit, and functional levels relevant to the achievement\ + \ of objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:2 + name: CC3.2.2 + description: "Analyzes Internal and External Factors\n Risk identification considers\ + \ both internal and external factors and their impact on the achievement of\ + \ objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:3 + name: CC3.2.3 + description: "Involves Appropriate Levels of Management\n The entity puts into\ + \ place effective risk assessment mechanisms that involve appropriate levels\ + \ of management." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:4 + name: CC3.2.4 + description: "Estimates Significance of Risks Identified\n Identified risks\ + \ are analyzed through a process that includes estimating the potential significance\ + \ of the risk." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:5 + name: CC3.2.5 + description: "Determines How to Respond to Risks\n Risk assessment includes\ + \ considering how the risk should be managed and whether to accept, avoid,\ + \ reduce, or share the risk." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:6 + name: CC3.2.6 + description: "Identifies and Assesses Criticality of Information Assets and\ + \ Identifies Threats and Vulnerabilities\n The entity's risk identification\ + \ and assessment process includes (1) identifying information assets, including\ + \ physical devices and systems, virtual devices, software, data and data flows,\ + \ external information systems, and organizational roles; (2) assessing the\ + \ criticality of those information assets; (3) identifying the threats to\ + \ the assets from intentional (including malicious) and unintentional acts\ + \ and environmental events; and (4) identifying the vulnerabilities of the\ + \ identified assets." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:7 + name: CC3.2.7 + description: "Analyzes Threats and Vulnerabilities From Vendors, Business Partners,\ + \ and Other Parties\n The entity's risk assessment process includes the analysis\ + \ of potential threats and vulnerabilities arising from vendors providing\ + \ goods and services, as well as threats and vulnerabilities arising from\ + \ business partners, customers, and others with access to the entity's information\ + \ systems." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.2:8 + name: CC3.2.8 + description: "Considers the Significance of the Risk\n The entity\u2019s consideration\ + \ of the potential significance of the identified risks includes (1) determining\ + \ the criticality of identified assets in meeting objectives; (2) assessing\ + \ the impact of identified threats and vulnerabilities in meeting objectives;\ + \ (3) assessing the likelihood of identified threats; and (4) determining\ + \ the risk associated with assets based on asset criticality, threat impact,\ + \ and likelihood." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.3:1 + name: CC3.3.1 + description: "Considers Various Types of Fraud\n The assessment of fraud considers\ + \ fraudulent reporting, possible loss of assets, and corruption resulting\ + \ from the various ways that fraud and misconduct can occur." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.3:2 + name: CC3.3.2 + description: "Assesses Incentives and Pressures\n The assessment of fraud risks\ + \ considers incentives and pressures." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.3:3 + name: CC3.3.3 + description: "Assesses Opportunities\n The assessment of fraud risk considers\ + \ opportunities for unauthorized acquisition, use, or disposal of assets,\ + \ altering the entity\u2019s reporting records, or committing other inappropriate\ + \ acts." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.3:4 + name: CC3.3.4 + description: "Assesses Attitudes and Rationalizations\n The assessment of fraud\ + \ risk considers how management and other personnel might engage in or justify\ + \ inappropriate actions." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.3:5 + name: CC3.3.5 + description: "Considers the Risks Related to the Use of IT and Access to Information\n\ + \ The assessment of fraud risks includes consideration of threats and vulnerabilities\ + \ that arise specifically from the use of IT and access to information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.4:1 + name: CC3.4.1 + description: "Assesses Changes in the External Environment\u2014The risk identification\ + \ process considers changes to the regulatory, economic, and physical environment\ + \ in which the entity operates." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.4:2 + name: CC3.4.2 + description: "Assesses Changes in the Business Model\u2014The entity considers\ + \ the potential impacts of new business lines, dramatically altered compositions\ + \ of existing business lines, acquired or divested business operations on\ + \ the system of internal control, rapid growth, changing reliance on foreign\ + \ geographies, and new technologies." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.4:3 + name: CC3.4.3 + description: "Assesses Changes in Leadership\u2014The entity considers changes\ + \ in management and respective attitudes and philosophies on the system of\ + \ internal control." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.4:4 + name: CC3.4.4 + description: "Assess Changes in Systems and Technology\u2014The risk identification\ + \ process considers changes arising from changes in the entity\u2019s systems\ + \ and changes in the technology environment." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-assessment:cc3.4:5 + name: CC3.4.5 + description: "Assess Changes in Vendor and Business Partner Relationships\u2014\ + The risk identification process considers changes in vendor and business partner\ + \ relationships." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-assessment:cc3.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:1 + name: CC4.1.1 + description: "Considers a Mix of Ongoing and Separate Evaluations\n Management\ + \ includes a balance of ongoing and separate evaluations." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:2 + name: CC4.1.2 + description: "Considers Rate of Change\n Management considers the rate of change\ + \ in business and business processes when selecting and developing ongoing\ + \ and separate evaluations." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:3 + name: CC4.1.3 + description: "Establishes Baseline Understanding\n The design and current state\ + \ of an internal control system are used to establish a baseline for ongoing\ + \ and separate evaluations." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:4 + name: CC4.1.4 + description: "Uses Knowledgeable Personnel\n Evaluators performing ongoing and\ + \ separate evaluations have sufficient knowledge to understand what is being\ + \ evaluated." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:5 + name: CC4.1.5 + description: "Integrates With Business Processes\n Ongoing evaluations are built\ + \ into the business processes and adjust to changing conditions." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:6 + name: CC4.1.6 + description: "Adjusts Scope and Frequency\n Management varies the scope and\ + \ frequency of separate evaluations depending on risk." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:7 + name: CC4.1.7 + description: "Objectively Evaluates\n Separate evaluations are performed periodically\ + \ to provide objective feedback." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.1:8 + name: CC4.1.8 + description: "Considers Different Types of Ongoing and Separate Evaluations\n\ + \ Management uses a variety of different types of ongoing and separate evaluations,\ + \ including penetration testing, independent certification made against established\ + \ specifications (for example, ISO certifications), and internal audit assessments." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.2:1 + name: CC4.2.1 + description: "Assesses Results\n Management and the board of directors, as appropriate,\ + \ assess results of ongoing and separate evaluations." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.2:2 + name: CC4.2.2 + description: "Communicates Deficiencies\n Deficiencies are communicated to parties\ + \ responsible for taking corrective action and to senior management and the\ + \ board of directors, as appropriate." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:monitoring-activities:cc4.2:3 + name: CC4.2.3 + description: "Monitors Corrective Action\n Management tracks whether deficiencies\ + \ are remedied on a timely basis." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:monitoring-activities:cc4.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.1:1 + name: CC5.1.1 + description: "Integrates With Risk Assessment\n Control activities help ensure\ + \ that risk responses that address and mitigate risks are carried out." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.1:2 + name: CC5.1.2 + description: "Considers Entity-Specific Factors\n Management considers how the\ + \ environment, complexity, nature, and scope of its operations, as well as\ + \ the specific characteristics of its organization, affect the selection and\ + \ development of control activities." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.1:3 + name: CC5.1.3 + description: "Determines Relevant Business Processes\n Management determines\ + \ which relevant business processes require control activities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.1:4 + name: CC5.1.4 + description: "Evaluates a Mix of Control Activity Types\n Control activities\ + \ include a range and variety of controls and may include a balance of approaches\ + \ to mitigate risks, considering both manual and automated controls, and preventive\ + \ and detective controls." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.1:5 + name: CC5.1.5 + description: "Considers at What Level Activities Are Applied\n Management considers\ + \ control activities at various levels in the entity." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.1:6 + name: CC5.1.6 + description: "Addresses Segregation of Duties\n Management segregates incompatible\ + \ duties, and where such segregation is not practical, management selects\ + \ and develops alternative control activities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.2:1 + name: CC5.2.1 + description: "Determines Dependency Between the Use of Technology in Business\ + \ Processes and Technology General Controls\n Management understands and determines\ + \ the dependency and linkage between business processes, automated control\ + \ activities, and technology general controls." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.2:2 + name: CC5.2.2 + description: "Establishes Relevant Technology Infrastructure Control Activities\n\ + \ Management selects and develops control activities over the technology infrastructure,\ + \ which are designed and implemented to help ensure the completeness, accuracy,\ + \ and availability of technology processing." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.2:3 + name: CC5.2.3 + description: "Establishes Relevant Security Management Process Controls Activities\n\ + \ Management selects and develops control activities that are designed and\ + \ implemented to restrict technology access rights to authorized users commensurate\ + \ with their job responsibilities and to protect the entity\u2019s assets\ + \ from external threats." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.2:4 + name: CC5.2.4 + description: "Establishes Relevant Technology Acquisition, Development, and\ + \ Maintenance Process Control Activities\n Management selects and develops\ + \ control activities over the acquisition, development, and maintenance of\ + \ technology and its infrastructure to achieve management\u2019s objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.3:1 + name: CC5.3.1 + description: "Establishes Policies and Procedures to Support Deployment of Management\ + \ \u2018s Directives\u2014Management establishes control activities that are\ + \ built into business processes and employees\u2019 day-to-day activities\ + \ through policies establishing what is expected and relevant procedures specifying\ + \ actions." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.3:2 + name: CC5.3.2 + description: "Establishes Responsibility and Accountability for Executing Policies\ + \ and Procedures\u2014Management establishes responsibility and accountability\ + \ for control activities with management (or other designated personnel) of\ + \ the business unit or function in which the relevant risks reside." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.3:3 + name: CC5.3.3 + description: "Performs in a Timely Manner\u2014Responsible personnel perform\ + \ control activities in a timely manner as defined by the policies and procedures." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.3:4 + name: CC5.3.4 + description: "Takes Corrective Action\u2014Responsible personnel investigate\ + \ and act on matters identified as a result of executing control activities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.3:5 + name: CC5.3.5 + description: "Performs Using Competent Personnel\u2014Competent personnel with\ + \ sufficient authority perform control activities with diligence and continuing\ + \ focus." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:control-activities:cc5.3:6 + name: CC5.3.6 + description: "Reassesses Policies and Procedures\u2014Management periodically\ + \ reviews control activities to determine their continued relevance and refreshes\ + \ them when necessary." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:control-activities:cc5.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:1 + name: CC6.1.1 + description: "Identifies and Manages the Inventory of Information Assets\n The\ + \ entity identifies, inventories, classifies, and manages information assets." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:2 + name: CC6.1.2 + description: "Restricts Logical Access\n Logical access to information assets,\ + \ including hardware, data (at-rest, during processing, or in transmission),\ + \ software, administrative authorities, mobile devices, output, and offline\ + \ system components is restricted through the use of access control software\ + \ and rule sets." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:3 + name: CC6.1.3 + description: "Identifies and Authenticates Users\n Persons, infrastructure and\ + \ software are identified and authenticated prior to accessing information\ + \ assets, whether locally or remotely." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:4 + name: CC6.1.4 + description: "Considers Network Segmentation\n Network segmentation permits\ + \ unrelated portions of the entity's information system to be isolated from\ + \ each other." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:5 + name: CC6.1.5 + description: "Manages Points of Access\n Points of access by outside entities\ + \ and the types of data that flow through the points of access are identified,\ + \ inventoried, and managed. The types of individuals and systems using each\ + \ point of access are identified, documented, and managed." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:6 + name: CC6.1.6 + description: "Restricts Access to Information Assets\n Combinations of data\ + \ classification, separate data structures, port restrictions, access protocol\ + \ restrictions, user identification, and digital certificates are used to\ + \ establish access control rules for information assets." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:7 + name: CC6.1.7 + description: "Manages Identification and Authentication\n Identification and\ + \ authentication requirements are established, documented, and managed for\ + \ individuals and systems accessing entity information, infrastructure and\ + \ software." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:8 + name: CC6.1.8 + description: "Manages Credentials for Infrastructure and Software\n New internal\ + \ and external infrastructure and software are registered, authorized, and\ + \ documented prior to being granted access credentials and implemented on\ + \ the network or access point. 
Credentials are removed and access is disabled\ + \ when access is no longer required or the infrastructure and software are\ + \ no longer in use." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:9 + name: CC6.1.9 + description: "Uses Encryption to Protect Data\n The entity uses encryption to\ + \ supplement other measures used to protect data-at-rest, when such protections\ + \ are deemed appropriate based on assessed risk." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.1:10 + name: CC6.1.10 + description: "Protects Encryption Keys\n Processes are in place to protect encryption\ + \ keys during generation, storage, use, and destruction." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.2:1 + name: CC6.2.1 + description: "Controls Access Credentials to Protected Assets\n Information\ + \ asset access credentials are created based on an authorization from the\ + \ system's asset owner or authorized custodian." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.2:2 + name: CC6.2.2 + description: "Removes Access to Protected Assets When Appropriate\n Processes\ + \ are in place to remove credential access when an individual no longer requires\ + \ such access." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.2:3 + name: CC6.2.3 + description: "Reviews Appropriateness of Access Credentials\n The appropriateness\ + \ of access credentials is reviewed on a periodic basis for unnecessary and\ + \ inappropriate individuals with credentials." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.3:1 + name: CC6.3.1 + description: "Creates or Modifies Access to Protected Information Assets\n Processes\ + \ are in place to create or modify access to protected information assets\ + \ based on authorization from the asset\u2019s owner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.3:2 + name: CC6.3.2 + description: "Removes Access to Protected Information Assets\n Processes are\ + \ in place to remove access to protected information assets when an individual\ + \ no longer requires access." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.3:3 + name: CC6.3.3 + description: "Uses Role-Based Access Controls\n Role-based access control is\ + \ utilized to support segregation of incompatible functions." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.4:1 + name: CC6.4.1 + description: "Creates or Modifies Physical Access\n Processes are in place to\ + \ create or modify physical access to facilities such as data centers, office\ + \ spaces, and work areas, based on authorization from the system's asset owner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.4:2 + name: CC6.4.2 + description: "Removes Physical Access\n Processes are in place to remove access\ + \ to physical resources when an individual no longer requires access." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.4:3 + name: CC6.4.3 + description: "Reviews Physical Access\n Processes are in place to periodically\ + \ review physical access to ensure consistency with job responsibilities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.5:1 + name: CC6.5.1 + description: "Identifies Data and Software for Disposal\n Procedures are in\ + \ place to identify data and software stored on equipment to be disposed and\ + \ to render such data and software unreadable." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.5:2 + name: CC6.5.2 + description: "Removes Data and Software From Entity Control\n Procedures are\ + \ in place to remove data and software stored on equipment to be removed from\ + \ the physical control of the entity and to render such data and software\ + \ unreadable." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.6:1 + name: CC6.6.1 + description: "Restricts Access\n The types of activities that can occur through\ + \ a communication channel (for example, FTP site, router port) are restricted." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.6 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.6:2 + name: CC6.6.2 + description: "Protects Identification and Authentication Credentials\n Identification\ + \ and authentication credentials are protected during transmission outside\ + \ its system boundaries." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.6 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.6:3 + name: CC6.6.3 + description: "Requires Additional Authentication or Credentials\n Additional\ + \ authentication information or credentials are required when accessing the\ + \ system from outside its boundaries." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.6 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.6:4 + name: CC6.6.4 + description: "Implements Boundary Protection Systems\n Boundary protection systems\ + \ (for example, firewalls, demilitarized zones, and intrusion detection systems)\ + \ are implemented to protect external access points from attempts and unauthorized\ + \ access and are monitored to detect such attempts." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.6 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.7:1 + name: CC6.7.1 + description: "Restricts the Ability to Perform Transmission\n Data loss prevention\ + \ processes and technologies are used to restrict ability to authorize and\ + \ execute transmission, movement and removal of information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.7 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.7:2 + name: CC6.7.2 + description: "Uses Encryption Technologies or Secure Communication Channels\ + \ to Protect Data\n Encryption technologies or secured communication channels\ + \ are used to protect transmission of data and other communications beyond\ + \ connectivity access points." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.7 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.7:3 + name: CC6.7.3 + description: "Protects Removal Media\n Encryption technologies and physical\ + \ asset protections are used for removable media (such as USB drives and back-up\ + \ tapes), as appropriate." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.7 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.7:4 + name: CC6.7.4 + description: "Protects Mobile Devices\n Processes are in place to protect mobile\ + \ devices (such as laptops, smart phones and tablets) that serve as information\ + \ assets." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.7 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.8:1 + name: CC6.8.1 + description: "Restricts Application and Software Installation\n The ability\ + \ to install applications and software is restricted to authorized individuals." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.8 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.8:2 + name: CC6.8.2 + description: "Detects Unauthorized Changes to Software and Configuration Parameters\n\ + \ Processes are in place to detect changes to software and configuration parameters\ + \ that may be indicative of unauthorized or malicious software." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.8 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.8:3 + name: CC6.8.3 + description: "Uses a Defined Change Control Process\n A management-defined change\ + \ control process is used for the implementation of software." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.8 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.8:4 + name: CC6.8.4 + description: "Uses Antivirus and Anti-Malware Software\n Antivirus and anti-malware\ + \ software is implemented and maintained to provide for the interception or\ + \ detection and remediation of malware." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.8 + - urn: urn:intuitem:risk:reqs:soc2-2017:logical-and-physical-access-controls:cc6.8:5 + name: CC6.8.5 + description: "Scans Information Assets from Outside the Entity for Malware and\ + \ Other Unauthorized Software\n Procedures are in place to scan information\ + \ assets that have been transferred or returned to the entity\u2019s custody\ + \ for malware and other unauthorized software and to remove any items detected\ + \ prior to its implementation on the network." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:logical-and-physical-access-controls:cc6.8 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.1:1 + name: CC7.1.1 + description: "Uses Defined Configuration Standards\n Management has defined\ + \ configuration standards." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.1:2 + name: CC7.1.2 + description: "Monitors Infrastructure and Software\n The entity monitors infrastructure\ + \ and software for noncompliance with the standards, which could threaten\ + \ the achievement of the entity's objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.1:3 + name: CC7.1.3 + description: "Implements Change-Detection Mechanisms\n The IT system includes\ + \ a change-detection mechanism (for example, file integrity monitoring tools)\ + \ to alert personnel to unauthorized modifications of critical system files,\ + \ configuration files, or content files." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.1:4 + name: CC7.1.4 + description: "Detects Unknown or Unauthorized Components\n Procedures are in\ + \ place to detect the introduction of unknown or unauthorized components." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.1:5 + name: CC7.1.5 + description: "Conducts Vulnerability Scans\n The entity conducts vulnerability\ + \ scans designed to identify potential vulnerabilities or misconfigurations\ + \ on a periodic basis and after any significant change in the environment\ + \ and takes action to remediate identified deficiencies on a timely basis." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.2:1 + name: CC7.2.1 + description: "Implements Detection Policies, Procedures, and Tools\n Detection\ + \ policies and procedures are defined and implemented, and detection tools\ + \ are implemented on Infrastructure and software to identify anomalies in\ + \ the operation or unusual activity on systems. Procedures may include (1)\ + \ a defined governance process for security event detection and management\ + \ that includes provision of resources; (2) use of intelligence sources to\ + \ identify newly discovered threats and vulnerabilities; and (3) logging of\ + \ unusual system activities." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.2:2 + name: CC7.2.2 + description: "Designs Detection Measures\n Detection measures are designed to\ + \ identify anomalies that could result from actual or attempted (1) compromise\ + \ of physical barriers; (2) unauthorized actions of authorized personnel;\ + \ (3) use of compromised identification and authentication credentials; (4)\ + \ unauthorized access from outside the system boundaries; (5) compromise of\ + \ authorized external parties; and (6) implementation or connection of unauthorized\ + \ hardware and software." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.2:3 + name: CC7.2.3 + description: "Implements Filters to Analyze Anomalies\n Management has implemented\ + \ procedures to filter, summarize, and analyze anomalies to identify security\ + \ events." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.2:4 + name: CC7.2.4 + description: "Monitors Detection Tools for Effective Operation\n Management\ + \ has implemented processes to monitor the effectiveness of detection tools." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.3:1 + name: CC7.3.1 + description: "Responds to Security Incidents\n Procedures are in place for responding\ + \ to security incidents and evaluating the effectiveness of those policies\ + \ and procedures on a periodic basis." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.3:2 + name: CC7.3.2 + description: "Communicates and Reviews Detected Security Events\n Detected security\ + \ events are communicated to and reviewed by the individuals responsible for\ + \ the management of the security program and actions are taken, if necessary." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.3:3 + name: CC7.3.3 + description: "Develops and Implements Procedures to Analyze Security Incidents\n\ + \ Procedures are in place to analyze security incidents and determine system\ + \ impact." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.3:4 + name: CC7.3.4 + description: "Assesses the Impact on Personal Information\n Detected security\ + \ events are evaluated to determine whether they could or did result in the\ + \ unauthorized disclosure or use of personal information and whether there\ + \ has been a failure to comply with applicable laws or regulations." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.3:5 + name: CC7.3.5 + description: "Determines Personal Information Used or Disclosed\n When an unauthorized\ + \ use or disclosure of personal information has occurred, the affected information\ + \ is identified." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:1 + name: CC7.4.1 + description: "Assigns Roles and Responsibilities\n Roles and responsibilities\ + \ for the design, implementation, maintenance, and execution of the incident\ + \ response program are assigned, including the use of external resources when\ + \ necessary." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:2 + name: CC7.4.2 + description: "Contains Security Incidents\n Procedures are in place to contain\ + \ security incidents that actively threaten entity objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:3 + name: CC7.4.3 + description: "Mitigates Ongoing Security Incidents\n Procedures are in place\ + \ to mitigate the effects of ongoing security incidents." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:4 + name: CC7.4.4 + description: "Ends Threats Posed by Security Incidents\n Procedures are in place\ + \ to end the threats posed by security incidents through closure of the vulnerability,\ + \ removal of unauthorized access, and other remediation actions." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:5 + name: CC7.4.5 + description: "Restores Operations\n Procedures are in place to restore data\ + \ and business operations to an interim state that permits the achievement\ + \ of entity objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:6 + name: CC7.4.6 + description: "Develops and Implements Communication Protocols for Security Incidents\n\ + \ Protocols for communicating security incidents and actions taken to affected\ + \ parties are developed and implemented to meet the entity's objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:7 + name: CC7.4.7 + description: "Obtains Understanding of Nature of Incident and Determines Containment\ + \ Strategy\n An understanding of the nature (for example, the method by which\ + \ the incident occurred and the affected system resources) and severity of\ + \ the security incident is obtained to determine the appropriate containment\ + \ strategy, including (1) a determination of the appropriate response time\ + \ frame, and (2) the determination and execution of the containment approach." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:8 + name: CC7.4.8 + description: "Remediates Identified Vulnerabilities\n Identified vulnerabilities\ + \ are remediated through the development and execution of remediation activities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:9 + name: CC7.4.9 + description: "Communicates Remediation Activities\n Remediation activities are\ + \ documented and communicated in accordance with the incident response program." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:10 + name: CC7.4.10 + description: "Evaluates the Effectiveness of Incident Response\n The design\ + \ of incident response activities is evaluated for effectiveness on a periodic\ + \ basis." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:11 + name: CC7.4.11 + description: "Periodically Evaluates Incidents\n Periodically, management reviews\ + \ incidents related to security, availability, processing integrity, confidentiality,\ + \ and privacy and identifies the need for system changes based on incident\ + \ patterns and root causes." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:12 + name: CC7.4.12 + description: "Communicates Unauthorized Use and Disclosure\n Events that resulted\ + \ in unauthorized use or disclosure of personal information are communicated\ + \ to the data subjects, legal and regulatory authorities, and others as required." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.4:13 + name: CC7.4.13 + description: "Application of Sanctions\n The conduct of individuals and organizations\ + \ operating under the authority of the entity and involved in the unauthorized\ + \ use or disclosure of personal information is evaluated and, if appropriate,\ + \ sanctioned in accordance with entity policies and legal and regulatory requirements." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.5:1 + name: CC7.5.1 + description: "Restores the Affected Environment\n The activities restore the\ + \ affected environment to functional operation by rebuilding systems, updating\ + \ software, installing patches, and changing configurations, as needed." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.5:2 + name: CC7.5.2 + description: "Communicates Information About the Event\n Communications about\ + \ the nature of the incident, recovery actions taken, and activities required\ + \ for the prevention of future security events are made to management and\ + \ others as appropriate (internal and external)." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.5:3 + name: CC7.5.3 + description: "Determines Root Cause of the Event\n The root cause of the event\ + \ is determined." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.5:4 + name: CC7.5.4 + description: "Implements Changes to Prevent and Detect Recurrences\n Additional\ + \ architecture or changes to preventive and detective controls, or both, are\ + \ implemented to prevent and detect recurrences on a timely basis." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.5:5 + name: CC7.5.5 + description: "Improves Response and Recovery Procedures\n Lessons learned are\ + \ analyzed, and the incident response plan and recovery procedures are improved." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:system-operations:cc7.5:6 + name: CC7.5.6 + description: "Implements Incident Recovery Plan Testing\n Incident recovery\ + \ plan testing is performed on a periodic basis. 
The testing includes (1)\ + \ development of testing scenarios based on threat likelihood and magnitude;\ + \ (2) consideration of relevant system components from across the entity that\ + \ can impair availability; (3) scenarios that consider the potential for the\ + \ lack of availability of key personnel; and (4) revision of continuity plans\ + \ and systems based on test results." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:system-operations:cc7.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:1 + name: CC8.1.1 + description: "Manages Changes Throughout the System Lifecycle\n A process for\ + \ managing system changes throughout the lifecycle of the system and its components\ + \ (infrastructure, data, software and procedures) is used to support system\ + \ availability and processing integrity." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:2 + name: CC8.1.2 + description: "Authorizes Changes\n A process is in place to authorize system\ + \ changes prior to development." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:3 + name: CC8.1.3 + description: "Designs and Develops Changes\n A process is in place to design\ + \ and develop system changes." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:4 + name: CC8.1.4 + description: "Documents Changes\n A process is in place to document system changes\ + \ to support ongoing maintenance of the system and to support system users\ + \ in performing their responsibilities." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:5 + name: CC8.1.5 + description: "Tracks System Changes\n A process is in place to track system\ + \ changes prior to implementation." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:6 + name: CC8.1.6 + description: "Configures Software\n A process is in place to select and implement\ + \ the configuration parameters used to control the functionality of software." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:7 + name: CC8.1.7 + description: "Tests System Changes\n A process is in place to test system changes\ + \ prior to implementation." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:8 + name: CC8.1.8 + description: "Approves System Changes\n A process is in place to approve system\ + \ changes prior to implementation." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:9 + name: CC8.1.9 + description: "Deploys System Changes\n A process is in place to implement system\ + \ changes." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:10 + name: CC8.1.10 + description: "Identifies and Evaluates System Changes\n Objectives affected\ + \ by system changes are identified, and the ability of the modified system\ + \ to meet the objectives is evaluated throughout the system development life\ + \ cycle." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:11 + name: CC8.1.11 + description: "Identifies Changes in Infrastructure, Data, Software, and Procedures\ + \ Required to Remediate Incidents\n Changes in infrastructure, data, software,\ + \ and procedures required to remediate incidents to continue to meet objectives\ + \ are identified, and the change process is initiated upon identification." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:12 + name: CC8.1.12 + description: "Creates Baseline Configuration of IT Technology\n A baseline configuration\ + \ of IT and control systems is created and maintained." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:13 + name: CC8.1.13 + description: "Provides for Changes Necessary in Emergency Situations\n A process\ + \ is in place for authorizing, designing, testing, approving and implementing\ + \ changes necessary in emergency situations (that is, changes that need to\ + \ be implemented in an urgent timeframe)." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:14 + name: CC8.1.14 + description: "Protects Confidential Information\n The entity protects confidential\ + \ information during system design, development, testing, implementation,\ + \ and change processes to meet the entity\u2019s objectives related to confidentiality." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:change-management:cc8.1:15 + name: CC8.1.15 + description: "Protects Personal Information\n The entity protects personal information\ + \ during system design, development, testing, implementation, and change processes\ + \ to meet the entity\u2019s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:change-management:cc8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.1:1 + name: CC9.1.1 + description: "Considers Mitigation of Risks of Business Disruption\n Risk mitigation\ + \ activities include the development of planned policies, procedures, communications,\ + \ and alternative processing solutions to respond to, mitigate, and recover\ + \ from security events that disrupt business operations. Those policies and\ + \ procedures include monitoring processes and information and communications\ + \ to meet the entity's objectives during response, mitigation, and recovery\ + \ efforts." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.1:2 + name: CC9.1.2 + description: "Considers the Use of Insurance to Mitigate Financial Impact Risks\n\ + \ The risk management activities consider the use of insurance to offset the\ + \ financial impact of loss events that would otherwise impair the ability\ + \ of the entity to meet its objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:1 + name: CC9.2.1 + description: "Establishes Requirements for Vendor and Business Partner Engagements\n\ + \ The entity establishes specific requirements for a vendor and business partner\ + \ engagement that includes (1) scope of services and product specifications,\ + \ (2) roles and responsibilities, (3) compliance requirements, and (4) service\ + \ levels." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:2 + name: CC9.2.2 + description: "Assesses Vendor and Business Partner Risks\n The entity assesses,\ + \ on a periodic basis, the risks that vendors and business partners (and those\ + \ entities\u2019 vendors and business partners) represent to the achievement\ + \ of the entity's objectives." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:3 + name: CC9.2.3 + description: "Assigns Responsibility and Accountability for Managing Vendors\ + \ and Business Partners\n The entity assigns responsibility and accountability\ + \ for the management of risks associated with vendors and business partners." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:4 + name: CC9.2.4 + description: "Establishes Communication Protocols for Vendors and Business Partners\n\ + \ The entity establishes communication and resolution protocols for service\ + \ or product issues related to vendors and business partners." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:5 + name: CC9.2.5 + description: "Establishes Exception Handling Procedures From Vendors and Business\ + \ Partners\n The entity establishes exception handling procedures for service\ + \ or product issues related to vendors and business partners." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:6 + name: CC9.2.6 + description: "Assesses Vendor and Business Partner Performance\n The entity\ + \ periodically assesses the performance of vendors and business partners." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:7 + name: CC9.2.7 + description: "Implements Procedures for Addressing Issues Identified During\ + \ Vendor and Business Partner Assessments\n The entity implements procedures\ + \ for addressing issues identified with vendor and business partner relationships." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:8 + name: CC9.2.8 + description: "Implements Procedures for Terminating Vendor and Business Partner\ + \ Relationships\n The entity implements procedures for terminating vendor\ + \ and business partner relationships." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:9 + name: CC9.2.9 + description: "Obtains Confidentiality Commitments from Vendors and Business\ + \ Partners\n The entity obtains confidentiality commitments that are consistent\ + \ with the entity\u2019s confidentiality commitments and requirements from\ + \ vendors and business partners who have access to confidential information." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:10 + name: CC9.2.10 + description: "Assesses Compliance With Confidentiality Commitments of Vendors\ + \ and Business Partners\n On a periodic and as-needed basis, the entity assesses\ + \ compliance by vendors and business partners with the entity\u2019s confidentiality\ + \ commitments and requirements." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:11 + name: CC9.2.11 + description: "Obtains Privacy Commitments from Vendors and Business Partners\n\ + \ The entity obtains privacy commitments, consistent with the entity\u2019\ + s privacy commitments and requirements, from vendors and business partners\ + \ who have access to personal information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:risk-mitigation:cc9.2:12 + name: CC9.2.12 + description: "Assesses Compliance with Privacy Commitments of Vendors and Business\ + \ Partners\n On a periodic and as-needed basis, the entity assesses compliance\ + \ by vendors and business partners with the entity\u2019s privacy commitments\ + \ and requirements and takes corrective action as necessary." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:risk-mitigation:cc9.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.1:1 + name: A1.1.1 + description: "Measures Current Usage\n The use of the system components is measured\ + \ to establish a baseline for capacity management and to use when evaluating\ + \ the risk of impaired availability due to capacity constraints." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.1:2 + name: A1.1.2 + description: "Forecasts Capacity\n The expected average and peak use of system\ + \ components is forecasted and compared to system capacity and associated\ + \ tolerances. Forecasting considers capacity in the event of the failure of\ + \ system components that constrain capacity." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.1:3 + name: A1.1.3 + description: "Makes Changes Based on Forecasts\n The system change management\ + \ process is initiated when forecasted usage exceeds capacity tolerances." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:1 + name: A1.2.1 + description: "Identifies Environmental Threats\n As part of the risk assessment\ + \ process, management identifies environmental threats that could impair the\ + \ availability of the system, including threats resulting from adverse weather,\ + \ failure of environmental control systems, electrical discharge, fire, and\ + \ water." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:2 + name: A1.2.2 + description: "Designs Detection Measures\n Detection measures are implemented\ + \ to identify anomalies that could result from environmental threat events." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:3 + name: A1.2.3 + description: "Implements and Maintains Environmental Protection Mechanisms\n\ + \ Management implements and maintains environmental protection mechanisms\ + \ to prevent and mitigate against environmental events." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:4 + name: A1.2.4 + description: "Implements Alerts to Analyze Anomalies\n Management implements\ + \ alerts that are communicated to personnel for analysis to identify environmental\ + \ threat events." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:5 + name: A1.2.5 + description: "Responds to Environmental Threat Events\n Procedures are in place\ + \ for responding to environmental threat events and for evaluating the effectiveness\ + \ of those policies and procedures on a periodic basis. This includes automatic\ + \ mitigation systems (for example, uninterruptable power system and generator\ + \ back-up subsystem)." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:6 + name: A1.2.6 + description: "Communicates and Reviews Detected Environmental Threat Events\n\ + \ Detected environmental threat events are communicated to and reviewed by\ + \ the individuals responsible for the management of the system, and actions\ + \ are taken, if necessary." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:7 + name: A1.2.7 + description: "Determines Data Requiring Backup\n Data is evaluated to determine\ + \ whether backup is required." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:8 + name: A1.2.8 + description: "Performs Data Backup\n Procedures are in place for backing up\ + \ data, monitoring to detect back-up failures, and initiating corrective action\ + \ when such failures occur." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:9 + name: A1.2.9 + description: "Addresses Offsite Storage\n Back-up data is stored in a location\ + \ at a distance from its principal storage location sufficient that the likelihood\ + \ of a security or environmental threat event affecting both sets of data\ + \ is reduced to an appropriate level." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.2:10 + name: A1.2.10 + description: "Implements Alternate Processing Infrastructure\n Measures are\ + \ implemented for migrating processing to alternate infrastructure in the\ + \ event normal processing infrastructure becomes unavailable." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.3:1 + name: A1.3.1 + description: "Implements Business Continuity Plan Testing\n Business continuity\ + \ plan testing is performed on a periodic basis. 
The testing includes (1)\ + \ development of testing scenarios based on threat likelihood and magnitude;\ + \ (2) consideration of system components from across the entity that can impair\ + \ the availability; (3) scenarios that consider the potential for the lack\ + \ of availability of key personnel; and (4) revision of continuity plans and\ + \ systems based on test results." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-availability:a1.3:2 + name: A1.3.2 + description: "Tests Integrity and Completeness of Back-Up Data\n The integrity\ + \ and completeness of back-up information is tested on a periodic basis." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-availability:a1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-confidentiality:c1.1:1 + name: C1.1.1 + description: "Identifies Confidential information\n Procedures are in place\ + \ to identify and designate confidential information when it is received or\ + \ created and to determine the period over which the confidential information\ + \ is to be retained." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality:c1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-confidentiality:c1.1:2 + name: C1.1.2 + description: "Protects Confidential Information from Destruction\n Procedures\ + \ are in place to protect confidential information from erasure or destruction\ + \ during the specified retention period of the information." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality:c1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-confidentiality:c1.2:1 + name: C1.2.1 + description: "Identifies Confidential Information for Destruction\n Procedures\ + \ are in place to identify confidential information requiring destruction\ + \ when the end of the retention period is reached." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality:c1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-confidentiality:c1.2:2 + name: C1.2.2 + description: "Destroys Confidential Information\n Procedures are in place to\ + \ erase or otherwise destroy confidential information that has been identified\ + \ for destruction." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-confidentiality:c1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.1:1 + name: PI1.1.1 + description: "Identifies Information Specifications\n The entity identifies\ + \ information specifications required to support the use of products and services." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.1:2 + name: PI1.1.2 + description: "Defines Data Necessary to Support a Product or Service\n When\ + \ data is provided as part of a service or product or as part of a reporting\ + \ obligation related to a product or service:\n 1. The definition of the\ + \ data is available to the users of the data\n 2. The definition of the data\ + \ includes the following information:\n a. The population of events or instances\ + \ included in the data\n b. 
The nature of each element (for example, field)\ + \ of the data (that is, the event or instance to which the data element relates,\ + \ for example, transaction price of a sale of XYZ Corporation stock for the\ + \ last trade in that stock on a given day)\n c. Source(s) of the data\n \ + \ d. The unit(s) of measurement of data elements (for example, fields)\n \ + \ e. The accuracy/correctness/precision of measurement\n f. The uncertainty\ + \ or confidence interval inherent in each data element and in the population\ + \ of those elements\n g. The date the data was observed or the period of\ + \ time during which the events relevant to the data occurred\n h. The factors\ + \ in addition to the date and period of time used to determine the inclusion\ + \ and exclusion of items in the data elements and population\n 3. The definition\ + \ is complete and accurate.\n 4. The description of the data identifies any\ + \ information that is necessary to understand each data element and the population\ + \ in a manner consistent with its definition and intended purpose (meta-data)\ + \ that has not been included within the data." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.2:1 + name: PI1.2.1 + description: "Defines Characteristics of Processing Inputs\n The characteristics\ + \ of processing inputs that are necessary to meet requirements are defined." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.2:2 + name: PI1.2.2 + description: "Evaluates Processing Inputs\n Processing inputs are evaluated\ + \ for compliance with defined input requirements." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.2:3 + name: PI1.2.3 + description: "Creates and Maintains Records of System Inputs\n Records of system\ + \ input activities are created and maintained completely and accurately in\ + \ a timely manner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.3:1 + name: PI1.3.1 + description: "Defines Processing Specifications\n The processing specifications\ + \ that are necessary to meet product or service requirements are defined." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.3:2 + name: PI1.3.2 + description: "Defines Processing Activities\n Processing activities are defined\ + \ to result in products or services that meet specifications." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.3:3 + name: PI1.3.3 + description: "Detects and Corrects Production Errors\n Errors in the production\ + \ process are detected and corrected in a timely manner." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.3:4 + name: PI1.3.4 + description: "Records System Processing Activities\n System processing activities\ + \ are recorded completely and accurately in a timely manner." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.3:5 + name: PI1.3.5 + description: "Processes Inputs\n Inputs are processed completely, accurately,\ + \ and timely as authorized in accordance with defined processing activities." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.4:1 + name: PI1.4.1 + description: "Protects Output\n Output is protected when stored or delivered,\ + \ or both, to prevent theft, destruction, corruption, or deterioration that\ + \ would prevent output from meeting specifications." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.4:2 + name: PI1.4.2 + description: "Distributes Output Only to Intended Parties\n Output is distributed\ + \ or made available only to intended parties." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.4:3 + name: PI1.4.3 + description: "Distributes Output Completely and Accurately\n Procedures are\ + \ in place to provide for the completeness, accuracy, and timeliness of distributed\ + \ output." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.4:4 + name: PI1.4.4 + description: "Creates and Maintains Records of System Output Activities\n Records\ + \ of system output activities are created and maintained completely and accurately\ + \ in a timely manner." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.5:1 + name: PI1.5.1 + description: "Protects Stored Items\n Stored items are protected to prevent\ + \ theft, corruption, destruction, or deterioration that would prevent output\ + \ from meeting specifications." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.5:2 + name: PI1.5.2 + description: "Archives and Protects System Records\n System records are archived,\ + \ and archives are protected against theft, corruption, destruction, or deterioration\ + \ that would prevent them from being used." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.5:3 + name: PI1.5.3 + description: "Stores Data Completely and Accurately\n Procedures are in place\ + \ to provide for the complete, accurate, and timely storage of data." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-processing-integrity:pi1.5:4 + name: PI1.5.4 + description: "Creates and Maintains Records of System Storage Activities\n Records\ + \ of system storage activities are created and maintained completely and accurately\ + \ in a timely manner." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-processing-integrity:pi1.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p1.1:1 + name: P1.1.1 + description: "Communicates to Data Subjects\n Notice is provided to data subjects\ + \ regarding the following:\n \u2014 Purpose for collecting personal information\n\ + \ \u2014 Choice and consent\n \u2014 Types of personal information collected\n\ + \ \u2014 Methods of collection (for example, use of cookies or other tracking\ + \ techniques)\n \u2014 Use, retention, and disposal\n \u2014 Access\n \u2014\ + \ Disclosure to third parties\n \u2014 Security for privacy\n \u2014 Quality,\ + \ including data subjects\u2019 responsibilities for quality\n \u2014 Monitoring\ + \ and enforcement\n If personal information is collected from sources other\ + \ than the individual, such sources are described in the privacy notice." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p1.1:2 + name: P1.1.2 + description: "Provides Notice to Data Subjects\n Notice is provided to data\ + \ subjects (1) at or before the time personal information is collected or\ + \ as soon as practical thereafter, (2) at or before the entity changes its\ + \ privacy notice or as soon as practical thereafter, or (3) before personal\ + \ information is used for new purposes not previously identified." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p1.1:3 + name: P1.1.3 + description: "Covers Entities and Activities in Notice\n An objective description\ + \ of the entities and activities covered is included in the entity\u2019s\ + \ privacy notice." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p1.1:4 + name: P1.1.4 + description: "Uses Clear and Conspicuous Language\n The entity\u2019s privacy\ + \ notice is conspicuous and uses clear language." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p1.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p2.1:1 + name: P2.1.1 + description: "Communicates to Data Subjects\n Data subjects are informed (a)\ + \ about the choices available to them with respect to the collection, use,\ + \ and disclosure of personal information and (b) that implicit or explicit\ + \ consent is required to collect, use, and disclose personal information,\ + \ unless a law or regulation specifically requires or allows otherwise." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p2.1:2 + name: P2.1.2 + description: "Communicates Consequences of Denying or Withdrawing Consent\n\ + \ When personal information is collected, data subjects are informed of the\ + \ consequences of refusing to provide personal information or denying or withdrawing\ + \ consent to use personal information for purposes identified in the notice." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p2.1:3 + name: P2.1.3 + description: "Obtains Implicit or Explicit Consent\n Implicit or explicit consent\ + \ is obtained from data subjects at or before the time personal information\ + \ is collected or soon thereafter. The individual\u2019s preferences expressed\ + \ in his or her consent are confirmed and implemented." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p2.1:4 + name: P2.1.4 + description: "Documents and Obtains Consent for New Purposes and Uses\n If information\ + \ that was previously collected is to be used for purposes not previously\ + \ identified in the privacy notice, the new purpose is documented, the data\ + \ subject is notified, and implicit or explicit consent is obtained prior\ + \ to such new use or purpose." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p2.1:5 + name: P2.1.5 + description: "Obtains Explicit Consent for Sensitive Information\n Explicit\ + \ consent is obtained directly from the data subject when sensitive personal\ + \ information is collected, used, or disclosed, unless a law or regulation\ + \ specifically requires otherwise." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p2.1:6 + name: P2.1.6 + description: "Obtains Consent for Data Transfers\n Consent is obtained before\ + \ personal information is transferred to or from an individual\u2019s computer\ + \ or other similar device." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p2.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p3.1:1 + name: P3.1.1 + description: "Limits the Collection of Personal Information\n The collection\ + \ of personal information is limited to that necessary to meet the entity\u2019\ + s objectives." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p3.1:2 + name: P3.1.2 + description: "Collects Information by Fair and Lawful Means\n Methods of collecting\ + \ personal information are reviewed by management before they are implemented\ + \ to confirm that personal information is obtained (a) fairly, without intimidation\ + \ or deception, and (b) lawfully, adhering to all relevant rules of law, whether\ + \ derived from statute or common law, relating to the collection of personal\ + \ information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p3.1:3 + name: P3.1.3 + description: "Collects Information From Reliable Sources\n Management confirms\ + \ that third parties from whom personal information is collected (that is,\ + \ sources other than the individual) are reliable sources that collect information\ + \ fairly and lawfully." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p3.1:4 + name: P3.1.4 + description: "Informs Data Subjects When Additional Information Is Acquired\n\ + \ Data subjects are informed if the entity develops or acquires additional\ + \ information about them for its use." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p3.2:1 + name: P3.2.1 + description: "Obtains Explicit Consent for Sensitive Information\n Explicit\ + \ consent is obtained directly from the data subject when sensitive personal\ + \ information is collected, used, or disclosed, unless a law or regulation\ + \ specifically requires otherwise." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p3.2:2 + name: P3.2.2 + description: "Documents Explicit Consent to Retain Information\n Documentation\ + \ of explicit consent for the collection, use, or disclosure of sensitive\ + \ personal information is retained in accordance with objectives related to\ + \ privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p3.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p4.1:1 + name: P4.1.1 + description: "Uses Personal Information for Intended Purposes\n Personal information\ + \ is used only for the intended purposes for which it was collected and only\ + \ when implicit or explicit consent has been obtained unless a law or regulation\ + \ specifically requires otherwise." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p4.2:1 + name: P4.2.1 + description: "Retains Personal Information\n Personal information is retained\ + \ for no longer than necessary to fulfill the stated purposes, unless a law\ + \ or regulation specifically requires otherwise." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p4.2:2 + name: P4.2.2 + description: "Protects Personal Information\n Policies and procedures have been\ + \ implemented to protect personal information from erasure or destruction\ + \ during the specified retention period of the information." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p4.3:1 + name: P4.3.1 + description: "Captures, Identifies, and Flags Requests for Deletion\n Requests\ + \ for deletion of personal information are captured, and information related\ + \ to the requests is identified and flagged for destruction to meet the entity\u2019\ + s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p4.3:2 + name: P4.3.2 + description: "Disposes of, Destroys, and Redacts Personal Information\n Personal\ + \ information no longer retained is anonymized, disposed of, or destroyed\ + \ in a manner that prevents loss, theft, misuse, or unauthorized access." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p4.3:3 + name: P4.3.3 + description: "Destroys Personal Information\n Policies and procedures are implemented\ + \ to erase or otherwise destroy personal information that has been identified\ + \ for destruction." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p4.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p5.1:1 + name: P5.1.1 + description: "Authenticates Data Subjects\u2019 Identity\n The identity of data\ + \ subjects who request access to their personal information is authenticated\ + \ before they are given access to that information." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p5.1:2 + name: P5.1.2 + description: "Permits Data Subjects Access to Their Personal Information\n Data\ + \ subjects are able to determine whether the entity maintains personal information\ + \ about them and, upon request, may obtain access to their personal information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p5.1:3 + name: P5.1.3 + description: "Provides Understandable Personal Information Within Reasonable\ + \ Time\n Personal information is provided to data subjects in an understandable\ + \ form, in a reasonable time frame, and at a reasonable cost, if any." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p5.1:4 + name: P5.1.4 + description: "Informs Data Subjects If Access Is Denied\n When data subjects\ + \ are denied access to their personal information, the entity informs them\ + \ of the denial and the reason for the denial in a timely manner, unless prohibited\ + \ by law or regulation." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p5.2:1 + name: P5.2.1 + description: "Communicates Denial of Access Requests\n Data subjects are informed,\ + \ in writing, of the reason a request for access to their personal information\ + \ was denied, the source of the entity\u2019s legal right to deny such access,\ + \ if applicable, and the individual\u2019s right, if any, to challenge such\ + \ denial, as specifically permitted or required by law or regulation." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p5.2:2 + name: P5.2.2 + description: "Permits Data Subjects to Update or Correct Personal Information\n\ + \ Data subjects are able to update or correct personal information held by\ + \ the entity. The entity provides such updated or corrected information to\ + \ third parties that were previously provided with the data subject\u2019\ + s personal information consistent with the entity\u2019s objective related\ + \ to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p5.2:3 + name: P5.2.3 + description: "Communicates Denial of Correction Requests\n Data subjects are\ + \ informed, in writing, about the reason a request for correction of personal\ + \ information was denied and how they may appeal." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p5.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.1:1 + name: P6.1.1 + description: "Communicates Privacy Policies to Third Parties\n Privacy policies\ + \ or other specific instructions or requirements for handling personal information\ + \ are communicated to third parties to whom personal information is disclosed." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.1:2 + name: P6.1.2 + description: "Discloses Personal Information Only When Appropriate\n Personal\ + \ information is disclosed to third parties only for the purposes for which\ + \ it was collected or created and only when implicit or explicit consent has\ + \ been obtained from the data subject, unless a law or regulation specifically\ + \ requires otherwise." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.1:3 + name: P6.1.3 + description: "Discloses Personal Information Only to Appropriate Third Parties\n\ + \ Personal information is disclosed only to third parties who have agreements\ + \ with the entity to protect personal information in a manner consistent with\ + \ the relevant aspects of the entity\u2019s privacy notice or other specific\ + \ instructions or requirements. The entity has procedures in place to evaluate\ + \ that the third parties have effective controls to meet the terms of the\ + \ agreement, instructions, or requirements." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.1:4 + name: P6.1.4 + description: "Discloses Information to Third Parties for New Purposes and Uses\n\ + \ Personal information is disclosed to third parties for new purposes or uses\ + \ only with the prior implicit or explicit consent of data subjects." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.2:1 + name: P6.2.1 + description: "Creates and Retains Record of Authorized Disclosures\n The entity\ + \ creates and maintains a record of authorized disclosures of personal information\ + \ that is complete, accurate, and timely." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.2 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.3:1 + name: P6.3.1 + description: "Creates and Retains Record of Detected or Reported Unauthorized\ + \ Disclosures\n The entity creates and maintains a record of detected or reported\ + \ unauthorized disclosures of personal information that is complete, accurate,\ + \ and timely." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.3 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.4:1 + name: P6.4.1 + description: "Discloses Personal Information Only to Appropriate Third Parties\n\ + \ Personal information is disclosed only to third parties who have agreements\ + \ with the entity to protect personal information in a manner consistent with\ + \ the relevant aspects of the entity\u2019s privacy notice or other specific\ + \ instructions or requirements. The entity has procedures in place to evaluate\ + \ that the third parties have effective controls to meet the terms of the\ + \ agreement, instructions, or requirements." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.4:2 + name: P6.4.2 + description: "Remediates Misuse of Personal Information by a Third Party\n The\ + \ entity takes remedial action in response to misuse of personal information\ + \ by a third party to whom the entity has transferred such information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.4 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.5:1 + name: P6.5.1 + description: "Remediates Misuse of Personal Information by a Third Party\n The\ + \ entity takes remedial action in response to misuse of personal information\ + \ by a third party to whom the entity has transferred such information." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.5:2 + name: P6.5.2 + description: "Reports Actual or Suspected Unauthorized Disclosures\n A process\ + \ exists for obtaining commitments from vendors and other third parties to\ + \ report to the entity actual or suspected unauthorized disclosures of personal\ + \ information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.5 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.6:1 + name: P6.6.1 + description: "Remediates Misuse of Personal Information by a Third Party\n The\ + \ entity takes remedial action in response to misuse of personal information\ + \ by a third party to whom the entity has transferred such information." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.6 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.6:2 + name: P6.6.2 + description: "Provides Notice of Breaches and Incidents\n The entity has a process\ + \ for providing notice of breaches and incidents to affected data subjects,\ + \ regulators, and others to meet the entity\u2019s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.6 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.7:1 + name: P6.7.1 + description: "Identifies Types of Personal Information and Handling Process\n\ + \ The types of personal information and sensitive personal information and\ + \ the related processes, systems, and third parties involved in the handling\ + \ of such information are identified." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.7 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p6.7:2 + name: P6.7.2 + description: "Captures, Identifies, and Communicates Requests for Information\n\ + \ Requests for an accounting of personal information held and disclosures\ + \ of the data subjects\u2019 personal information are captured, and information\ + \ related to the requests is identified and communicated to data subjects\ + \ to meet the entity\u2019s objectives related to privacy." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p6.7 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p7.1:1 + name: P7.1.1 + description: "Ensures Accuracy and Completeness of Personal Information\n Personal\ + \ information is accurate and complete for the purposes for which it is to\ + \ be used." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p7.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p7.1:2 + name: P7.1.2 + description: "Ensures Relevance of Personal Information\n Personal information\ + \ is relevant to the purposes for which it is to be used." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p7.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p8.1:1 + name: P8.1.1 + description: "Communicates to Data Subjects\n Data subjects are informed about\ + \ how to contact the entity with inquiries, complaints, and disputes." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p8.1:2 + name: P8.1.2 + description: "Addresses Inquiries, Complaints, and Disputes\n A process is in\ + \ place to address inquiries, complaints, and disputes." 
+ parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p8.1:3 + name: P8.1.3 + description: "Documents and Communicates Dispute Resolution and Recourse\n Each\ + \ complaint is addressed, and the resolution is documented and communicated\ + \ to the individual." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p8.1:4 + name: P8.1.4 + description: "Documents and Reports Compliance Review Results\n Compliance with\ + \ objectives related to privacy are reviewed and documented, and the results\ + \ of such reviews are reported to management. If problems are identified,\ + \ remediation plans are developed and implemented." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p8.1:5 + name: P8.1.5 + description: "Documents and Reports Instances of Noncompliance\n Instances of\ + \ noncompliance with objectives related to privacy are documented and reported\ + \ and, if needed, corrective and disciplinary measures are taken on a timely\ + \ basis." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p8.1 + - urn: urn:intuitem:risk:reqs:soc2-2017:additional-criteria-for-privacy:p8.1:6 + name: P8.1.6 + description: "Performs Ongoing Monitoring\n Ongoing procedures are performed\ + \ for monitoring the effectiveness of controls over personal information and\ + \ for taking timely corrective actions when necessary." + parent_urn: urn:intuitem:risk:req_groups:soc2-2017:additional-criteria-for-privacy:p8.1 + security_functions: [] + threats: []
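Review bot: Several requirement entries in this hunk carry byte-for-byte identical description text under different URNs, and the duplication should be confirmed against the upstream SOC 2 (2017) points of focus before merge rather than assumed intentional: P3.2.1 repeats P2.1.5 ("Obtains Explicit Consent for Sensitive Information"), P6.4.1 repeats P6.1.3 ("Discloses Personal Information Only to Appropriate Third Parties"), and P6.4.2, P6.5.1 and P6.6.1 all carry the same "Remediates Misuse of Personal Information by a Third Party" text. If the source framework really repeats these points of focus under each criterion, a short comment in the YAML saying so would save the next reader the same check; if it does not, the copies under the wrong parent_urn would be assessed as separate requirements in every assessment built on this library. Two smaller points: the closing `security_functions: []` and `threats: []` keys appear after the last requirement, so please verify their indentation puts them at the framework level rather than inside the final requirement item; and P8.1.4 reads "Compliance with objectives related to privacy are reviewed", which is a subject-verb mismatch worth keeping only if it is quoted verbatim from the standard.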