Columns: Function | Category | Subcategory | Subcategory (agency-level) | Informative References | SANS Critical Security Control Number

Function: IDENTIFY (ID)

Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Subcategory ID.AM-1: Physical devices and systems within the organization are inventoried
  Informative References:
    · CCS CSC 1
    · COBIT 5 BAI09.01, BAI09.02
    · ISA 62443-2-1:2009 4.2.3.4
    · ISA 62443-3-3:2013 SR 7.8
    · ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
    · NIST SP 800-53 Rev. 4 CM-8
  SANS Critical Security Control Number: 1
  Agency subcategories:
    ID.AM-1.1 Ensure that physical devices and systems within the organization are inventoried and managed.
    ID.AM-1.2 Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
    ID.AM-1.3 If the organization is dynamically assigning addresses using the Dynamic Host Configuration Protocol (DHCP), then deploy DHCP server logging, and use this information to improve the asset inventory and help detect unknown systems.
    ID.AM-1.4 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
    ID.AM-1.5 Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet Protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice over IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.
    ID.AM-1.6 Deploy network-level authentication via 802.1x to limit and control which devices can be connected to the network. 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
    ID.AM-1.7 Use client certificates to validate and authenticate systems prior to connecting to the private network.

Subcategory ID.AM-2: Software platforms and applications within the organization are inventoried
  Informative References:
    · CCS CSC 2
    · COBIT 5 BAI09.01, BAI09.02, BAI09.05
    · ISA 62443-2-1:2009 4.2.3.4
    · ISA 62443-3-3:2013 SR 7.8
    · ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
    · NIST SP 800-53 Rev. 4 CM-8
  SANS Critical Security Control Number: 2
  Agency subcategories:
    ID.AM-2.1 Ensure that software platforms and applications within the organization are inventoried and managed.
    ID.AM-2.2 Devise a list of authorized software and versions that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
    ID.AM-2.3 Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow. When protecting systems with customized software that may be seen as difficult to whitelist, use item 8 below (isolating the custom software in a virtual operating system that does not retain infections).
    ID.AM-2.4 Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
Function: IDENTIFY (ID) (continued)

Category: Asset Management (ID.AM) (continued)

Subcategory ID.AM-3: Organizational communication and data flows are mapped
  Informative References:
    · CCS CSC 1
    · COBIT 5 DSS05.02
    · ISA 62443-2-1:2009 4.2.3.4
    · ISO/IEC 27001:2013 A.13.2.1
    · NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
  SANS Critical Security Control Number: 1
  Agency subcategories:
    ID.AM-3.1 Ensure that organizational communication and data flows are mapped and systems are designed or configured to regulate information flow based on data classification.
    ID.AM-3.2 Establish procedures that ensure only agency-owned or approved IT resources are connected to the agency internal network and resources.
    ID.AM-3.3 Design and document its information security architecture using a defense-in-breadth approach. Design and documentation shall be assessed and updated periodically based on an agency-defined, risk-driven frequency that considers potential threat vectors (i.e., paths or tools that a threat actor may use to attack a target).
    ID.AM-3.4 Consider diverse suppliers when designing the information security architecture.

Subcategory ID.AM-4: External information systems are catalogued
  Informative References:
    · COBIT 5 APO02.02
    · ISO/IEC 27001:2013 A.11.2.6
    · NIST SP 800-53 Rev. 4 AC-20, SA-9
  Agency subcategories:
    ID.AM-4.1 Each agency shall ensure that interdependent external information systems are catalogued.
    ID.AM-4.2 Verify or enforce required security controls on interconnected external IT resources in accordance with the information security policy or security plan.
    ID.AM-4.3 Implement service level agreements for non-agency provided technology services to ensure appropriate security controls are established and maintained.
    ID.AM-4.4 For non-interdependent external IT resources, execute information sharing or processing agreements with the entity receiving the shared information or hosting the external system in receipt of shared information.
    ID.AM-4.5 Restrict or prohibit portable storage devices either by policy or a technology that enforces security controls for such devices.
    ID.AM-4.6 Authorize and document inter-agency system connections.
    ID.AM-4.7 Require external service providers adhere to agency security policies.
    ID.AM-4.8 Document agency oversight expectations, and periodically monitor provider compliance.

Subcategory ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
  Informative References:
    · COBIT 5 APO03.03, APO03.04, BAI09.02
    · ISA 62443-2-1:2009 4.2.3.6
    · ISO/IEC 27001:2013 A.8.2.1
    · NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
  Agency subcategories:
    ID.AM-5.1 Each agency shall ensure that IT resources (hardware, devices, and software) are categorized, prioritized, and documented based on their classification, criticality, and business value.
    ID.AM-5.2 Perform a criticality analysis for each categorized IT resource and document the findings of the analysis conducted.
    ID.AM-5.3 Designate an authorizing official for each categorized IT resource and document the authorizing official’s approval of the security categorization.
    ID.AM-5.4 Create a contingency plan for each categorized IT resource. The contingency plan shall be based on resource classification and identify related cybersecurity roles and responsibilities.
    ID.AM-5.5 Identify and maintain a reference list of exempt, and confidential and exempt agency information or software and the associated applicable state and federal statutes and rules.
    ID.AM-5.6 Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
Function: IDENTIFY (ID) (continued)

Category: Asset Management (ID.AM) (continued)

Subcategory ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  Informative References:
    · COBIT 5 APO01.02, DSS06.03
    · ISA 62443-2-1:2009 4.3.2.3.3
    · ISO/IEC 27001:2013 A.6.1.1
    · NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
  Agency subcategories:
    ID.AM-6.1 Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders.
    ID.AM-6.2 Inform workers that they are responsible for safeguarding their passwords and other authentication methods.
    ID.AM-6.3 Inform workers that they shall not share their agency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes.
    ID.AM-6.4 Inform workers that use, or oversee or manage workers that use, IT equipment that they shall immediately report suspected unauthorized activity, in accordance with agency-established incident reporting procedures.
    ID.AM-6.5 Inform users that they shall take precautions that are appropriate to protect IT resources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT resource is lost, and safety issues relevant to protections identified in this subsection.
    ID.AM-6.6 Inform users of the extent that they will be held accountable for their activities.
    ID.AM-6.7 Inform workers that they have no reasonable expectation of privacy with respect to agency-owned or agency-managed IT resources.
    ID.AM-6.8 Ensure that monitoring, network sniffing, and related security activities are performed only by workers who have been assigned security-related responsibilities either via their approved position descriptions or tasks assigned to them.
    ID.AM-6.9 Appoint an Information Security Manager (ISM). Agency responsibilities related to ISMs include:
      a. Notifying the Agency for State Technology (AST) of ISM appointments and reappointments.
      b. Specifying ISM responsibilities in the ISM’s position description.
      c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive risk assessment required by section 282.318, F.S.; a Computer Security Incident Response Team; and a disaster recovery program that aligns with the agency’s Continuity of Operations (COOP) Plan.
      d. Each agency ISM shall be responsible for the information security program plan.
    ID.AM-6.10 Perform background checks and ensure that a background investigation is performed on all individuals hired as IT workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher. See rule 74A-1.002(4)(a), F.A.C. These positions often, if not always, have privileged access. As such, in addition to agency required background screening, background checks conducted by agencies shall include a federal criminal history check that screens for felony convictions that concern or involve the following:
      a. Computer related or IT crimes;
      b. Identity theft crimes;
      c. Financially-related crimes, such as: fraudulent practices, false pretenses and frauds, credit card crimes;
      d. Forgery and counterfeiting;
      e. Violations involving checks and drafts;
      f. Misuse of medical or personnel records; and
      g. Theft.
    ID.AM-6.11 Each agency shall establish appointment selection disqualifying criteria for individuals hired as IT workers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher.

Category: Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Subcategory ID.BE-1: The organization’s role in the supply chain is identified and communicated
  Informative References:
    · COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
    · ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
    · NIST SP 800-53 Rev. 4 CP-2, SA-12
  Agency subcategories:
    ID.BE-1.1 Identify and communicate the agency’s role in the business mission of the state.
Function: IDENTIFY (ID) (continued)

Category: Business Environment (ID.BE) (continued)

Subcategory ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
  Informative References:
    · COBIT 5 APO02.06, APO03.01
    · NIST SP 800-53 Rev. 4 PM-8
  Agency subcategories:
    ID.BE-2.1 Identify and communicate the agency’s place in critical infrastructure and its industry sector to inform internal stakeholders of IT strategy and direction.

Subcategory ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  Informative References:
    · COBIT 5 APO02.01, APO02.06, APO03.01
    · ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
    · NIST SP 800-53 Rev. 4 PM-11, SA-14
  Agency subcategories:
    ID.BE-3.1 Establish and communicate priorities for agency mission, objectives, and activities.

Subcategory ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  Informative References:
    · ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
    · NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
  Agency subcategories:
    ID.BE-4.1 Identify system dependencies and critical functions for delivery of critical services.

Subcategory ID.BE-5: Resilience requirements to support delivery of critical services are established
  Informative References:
    · COBIT 5 DSS04.02
    · ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
    · NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
  Agency subcategories:
    ID.BE-5.1 Implement information resilience requirements to support the delivery of critical services.

Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Subcategory ID.GV-1: Organizational information security policy is established
  Informative References:
    · COBIT 5 APO01.03, EDM01.01, EDM01.02
    · ISA 62443-2-1:2009 4.3.2.6
    · ISO/IEC 27001:2013 A.5.1.1
    · NIST SP 800-53 Rev. 4 -1 controls from all families
  Agency subcategories:
    ID.GV-1.1 Establish or adopt a comprehensive information security policy.

Subcategory ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
  Informative References:
    · COBIT 5 APO13.12
    · ISA 62443-2-1:2009 4.3.2.3.3
    · ISO/IEC 27001:2013 A.6.1.1, A.7.2.1
    · NIST SP 800-53 Rev. 4 PM-1, PS-7
  Agency subcategories:
    ID.GV-2.1 Coordinate and align information security roles and responsibilities with internal roles and external partners.

Subcategory ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
  Informative References:
    · COBIT 5 MEA03.01, MEA03.04
    · ISA 62443-2-1:2009 4.4.3.7
    · ISO/IEC 27001:2013 A.18.1
    · NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)
  Agency subcategories:
    ID.GV-3.1 Document and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.

Subcategory ID.GV-4: Governance and risk management processes address cybersecurity risks
  Informative References:
    · COBIT 5 DSS04.02
    · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
    · NIST SP 800-53 Rev. 4 PM-9, PM-11
  Agency subcategories:
    ID.GV-4.1 Ensure governance and risk management processes address cybersecurity risks.

Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Subcategory ID.RA-1: Asset vulnerabilities are identified and documented
  Informative References:
    · CCS CSC 4
    · COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
    · ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
    · ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
    · NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
  SANS Critical Security Control Number: 4
  Agency subcategories:
    ID.RA-1.1 Identify and document asset vulnerabilities, business processes and protection requirements. Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.
    ID.RA-1.2 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).

Subcategory ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
  Informative References:
    · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
    · ISO/IEC 27001:2013 A.6.1.4
    · NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

Subcategory ID.RA-3: Threats, both internal and external, are identified and documented
  Informative References:
    · COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
    · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
    · NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
  Agency subcategories:
    ID.RA-3.1 Identify and document threats, both internal and external.

Subcategory ID.RA-4: Potential business impacts and likelihoods are identified
  Informative References:
    · COBIT 5 DSS04.02
    · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
    · NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
  Agency subcategories:
    ID.RA-4.1 Identify potential business impacts and likelihoods.

Subcategory ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  Informative References:
    · COBIT 5 APO12.02
    · ISO/IEC 27001:2013 A.12.6.1
    · NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
  Agency subcategories:
    ID.RM-5.1 Use threats, vulnerabilities, likelihoods, and impacts to determine risk.
Function: IDENTIFY (ID) (continued)

Category: Risk Assessment (ID.RA) (continued)

Subcategory ID.RA-6: Risk responses are identified and prioritized
  Informative References:
    · COBIT 5 APO12.05, APO13.02
    · NIST SP 800-53 Rev. 4 PM-4, PM-9
  Agency subcategories:
    ID.RA-6.1 Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document plan implementation.

Category: Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Subcategory ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
  Informative References:
    · COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
    · ISA 62443-2-1:2009 4.3.4.2
    · NIST SP 800-53 Rev. 4 PM-9
  Agency subcategories:
    ID.RM-1.1 Establish a risk management workgroup that ensures that risk management processes are authorized by agency stakeholders.
    ID.RM-1.2 Establish parameters for IT staff participation in procurement activities.
    ID.RM-1.3 Identify the IT issues IT staff must address during procurement activities (e.g., system hardening, logging, performance, service availability, incident notification, and recovery expectations).
    ID.RM-1.4 Implement appropriate security controls for software applications obtained, purchased, leased, or developed to minimize risks to the confidentiality, integrity, and availability of the application, its data, and other IT resources.
    ID.RM-1.5 Prior to introducing new IT resources or modifying current IT resources, perform an impact analysis. The purpose of this analysis is to assess the effects of the technology or modifications on the existing environment. Validate that IT resources conform to agency standard configurations prior to implementation into the production environment.
    ID.RM-1.6 The Form AST 1000 (##/16) contains terms and conditions that shall be included in agency IT services contracts that have any IT risk associated with the services provided.
    ID.RM-1.7 Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.
    ID.RM-1.8 Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.

Subcategory ID.RM-2: Organizational risk tolerance is determined and clearly expressed
  Informative References:
    · COBIT 5 APO12.06
    · ISA 62443-2-1:2009 4.3.2.6.5
    · NIST SP 800-53 Rev. 4 PM-9
  Agency subcategories:
    ID.RM-2.1 Determine and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the agency, by the agency’s role in critical infrastructure and sector specific analysis.
    ID.RM-2.2 Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed, either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.

Subcategory ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
  Informative References:
    · NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14
  Agency subcategories:
    ID.RM-3.1 Determine risk tolerance as informed by its role in the state’s mission and performance of a sector specific risk analysis.
    ID.RM-3.2 Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (for example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level.
Function: PROTECT (PR)

Category: Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

Subcategory PR.AC-1: Identities and credentials are managed for authorized devices and users
  Informative References:
    · CCS CSC 16
    · COBIT 5 DSS05.04, DSS06.03
    · ISA 62443-2-1:2009 4.3.3.5.1
    · ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
    · ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
    · NIST SP 800-53 Rev. 4 AC-2, IA Family
  SANS Critical Security Control Number: 16
  Agency subcategories:
    PR.AC-1.1 Each agency shall manage identities and credentials for authorized devices and users.
    PR.AC-1.2 Require that all agency-owned or approved computing devices, including mobile devices, use unique user authentication.
    PR.AC-1.3 Require users to log off or lock their workstations prior to leaving the work area.
    PR.AC-1.4 Require inactivity timeouts that terminate or secure sessions with a complex password.
    PR.AC-1.5 Secure workstations with a password-protected screensaver, set at no more than 15 minutes.
    PR.AC-1.6 Force users to change their passwords at least every 30-90 days, based on assessed risk of the system.
    PR.AC-1.7 Address responsibilities of information stewards that include administering access to systems and data based on the documented authorizations and facilitate periodic review of access rights with information owners. Frequency of reviews shall be based on system categorization or assessed risk.
    PR.AC-1.8 Establish access disablement and notification timeframes for worker separations. The agency will identify the appropriate person in the IT unit to receive notifications. Notification timeframes shall consider risks associated with system access post-separation.
    PR.AC-1.9 Ensure IT access is removed when the IT resource is no longer required.
    PR.AC-1.10 Consider the use of multi-factor authentication (MFA) for any application that has a categorization of moderate or contains exempt, or confidential and exempt information. This excludes externally hosted systems designed to deliver services to customers, where MFA is not necessary or viable.
    PR.AC-1.11 Require multifactor authentication (MFA) for any application that has a categorization of high or is administered by remote connection to the internal network.
    PR.AC-1.12 Require multifactor authentication (MFA) for network access to privileged accounts.
    PR.AC-1.13 All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access.
    PR.AC-1.14 Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.
    PR.AC-1.15 Review all system accounts and disable any account that cannot be associated with a business process and owner.
    PR.AC-1.16 Ensure that all accounts have an expiration date that is monitored and enforced.
    PR.AC-1.17 Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
    PR.AC-1.18 Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.
    PR.AC-1.19 Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.
    PR.AC-1.20 Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).
    PR.AC-1.21 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
    PR.AC-1.22 Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9
· COBIT 5 APO13.01, DSS01.04, DSS05.03
· ISA 62443-2-1:2009 4.3.3.6.6
· ISA 62443-3-3:2013 SR 1.13, SR 2.6
· ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1
· NIST SP 800-53 Rev. 4 AC‑17, AC-19, AC-20
· CCS CSC 12, 15
12, 15
· ISA 62443-2-1:2009 4.3.3.7.3
· ISA 62443-3-3:2013 SR 2.1
PR.AC-2.1 Address protection of IT resources from environmental hazards (e.g., temperature,
humidity, air movement, dust, and faulty power) in accordance with manufacturers’
specifications.
PR.AC-2.2 Implement procedures to manage physical access to information technology facilities
and/or equipment.
PR.AC-2.3 Identify physical controls that are appropriate for the size and criticality of the
information technology resources.
PR.AC-2.4 Specify physical access to central information resource facilities and/or equipment
that is restricted to authorized personnel.
PR.AC-2.5 Detail visitor access protocols, including recordation procedures, and in locations
housing systems categorized as moderate-impact or high-impact, require that visitors be
supervised.
PR.AC-2.6 Address how the agency will protect network integrity by incorporating network
segregation.
PR.AC-2.7 Configure screen locks on systems to limit access to unattended workstations.
PR.AC-3.1 Address how the agency will securely manage and document remote access.
PR.AC-3.2 Specify that only agency-managed, secure remote access methods may be used to
remotely connect computing devices to the agency internal network.
PR.AC-3.3 For systems containing exempt, or confidential and exempt data, ensure written
agreements and procedures are in place to ensure security for sharing, handling or storing
confidential data with entities outside the agency.
PR.AC-3.4 Deny communications with (or limit data flow to) known malicious IP addresses (black
lists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by
sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses)
into the network to verify that they are not transmitted through network perimeters. Lists of
bogon addresses are publicly available on the Internet from various sources, and indicate a series
of IP addresses that should not be used for legitimate traffic traversing the Internet.
PR.AC-3.5 Require all remote login access (including VPN, dial-up, and other forms of access that
allow login to internal systems) to use two-factor authentication.
PR.AC-4.1 Each agency shall ensure that access permissions are managed, incorporating the
principles of least privilege and separation of duties.
PR.AC-4.2 Execute interconnection security agreements to authorize, document, and support
continual management of inter-agency connected systems.
PR.AC-4.3 Manage access permissions by incorporating the principles of least privilege and
segregation of duties.
PR.AC-4.4 Specify that all workers be granted access to agency IT resources based on the
principles of “least privilege” and “need to know determination.”
PR.AC-4.5 Specify that system administrators restrict and tightly control the use of system
development utility programs that may be capable of overriding system and application controls.
PR.AC-4.6 Minimize administrative privileges and only use administrative accounts when they
are required. Implement focused auditing on the use of administrative privileged functions and
monitor for anomalous behavior.
PR.AC-4.7 Use automated tools to inventory all administrative accounts and validate that each
person with administrative privileges on desktops, laptops, and servers is authorized by a senior
executive.
PR.AC-4.8 Before deploying any new devices in a networked environment, change all default
passwords for applications, operating systems, routers, firewalls, wireless access points, and other
systems to have values consistent with administration-level accounts.
PR.AC-4.9 Configure systems to issue a log entry and alert when an account is added to or
removed from a domain administrators’ group, or when a new local administrator account is
added on a system.
PR.AC-4.10 Configure systems to issue a log entry and alert on any unsuccessful login to an
administrative account.
PR.AC-4.11 Use multi-factor authentication for all administrative access, including domain
administrative access. Multi-factor authentication can include a variety of techniques, to include
the use of smart cards,certificates, One Time Password (OTP) tokens, biometrics, or other similar
authentication methods.
PR.AC-4.12 Administrators should be required to access a system using a fully logged and non-
administrative account. Then, once logged on to the machine without administrative privileges,
the administrator should transition to administrative privileges using tools such as Sudo on
Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.
PR.AC-4.13 Administrators shall use a dedicated machine for all administrative tasks or tasks
requiring elevated access. This machine shall be isolated from the organization's primary network
and not be allowed Internet access. This machine shall not be used for reading e-mail, composing
documents, or surfing the Internet.
PR.AC-4.14 Where a specific business need for wireless access has been identified, configure
wireless access on client machines to allow access only to authorized wireless networks. For
devices that do not have an essential wireless business purpose, disable wireless access in the
hardware configuration (basic input/output system or extensible firmware interface).
PROTECT (PR)
Access Control (PR.AC):
Access to assets and
associated facilities is
limited to authorized users,
processes, or devices, and to
authorized activities and
transactions.
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions are managed, incorporating the
principles of least privilege and separation of duties
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
· NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
· ISA 62443-2-1:2009 4.3.3.4
· ISA 62443-3-3:2013 SR 3.1, SR 3.8
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1
PR.AC-5.1 Each agency shall ensure that network integrity is protected, incorporating network
segregation where appropriate.
PR.AC-5.2 Uninstall or disable any unnecessary or unauthorized browser or email client plugins
or add-on applications. Each plugin shall utilize application / URL whitelisting and only allow the
use of the application for pre-approved domains.
PR.AC-5.3 Limit the use of unnecessary scripting languages in all web browsers and email clients.
This includes the use of languages such as ActiveX and JavaScript on systems where it is
unnecessary to support such capabilities.
PR.AC-5.4 Ensure that only ports, protocols, and services with validated business needs are
running on each system.
PR.AC-5.5 Apply host-based firewalls or port filtering tools on end systems, with a default-deny
rule that drops all traffic except those services and ports that are explicitly allowed.
PR.AC-5.6 Perform automated port scans on a regular basis against all key servers and compare
to a known effective baseline. If a change that is not listed on the organization’s approved
baseline is discovered, an alert should be generated and reviewed.
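The comparison step of PR.AC-5.6 is easy to get wrong in practice: a scan that only reports newly opened ports misses hosts that have disappeared or appeared since the baseline was approved. The following added example (written for this page, not taken from the source document or from any tool it names) parses scan results in the style of nmap's greppable output and reports every kind of deviation from an approved baseline. The scan text and the baseline are constructed samples; no scanning is performed.

```python
"""Added example for PR.AC-5.6: compare observed open ports against an
approved baseline. The scan lines below are CONSTRUCTED in the style of
nmap's greppable (-oG) output; nothing in this file performs a scan."""
import re

# "Host: <ip> (<name>)<TAB>Ports: <list><TAB>Ignored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {"port/proto", ...}} of OPEN ports from -oG style lines."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and 'Status:' lines carry no ports
        ip, ports_field = m.group(1), m.group(2)
        open_ports = set()
        for entry in ports_field.split(","):
            # each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(f"{fields[0]}/{fields[2]}")
        hosts[ip] = open_ports
    return hosts


def compare_to_baseline(baseline, observed):
    """baseline: {ip: {"port/proto"}} the organization has approved.
    observed: the output of parse_grepable for the current scan.
    Returns (finding, ip, detail) tuples; anything returned should be
    reviewed, per PR.AC-5.6, rather than silently added to the baseline."""
    findings = []
    for ip in sorted(set(baseline) | set(observed)):
        approved, seen = baseline.get(ip), observed.get(ip)
        if approved is None:                # a host the baseline never listed
            findings.append(("unknown_host", ip, sorted(seen)))
            continue
        if seen is None:                    # a key server that did not answer
            findings.append(("host_not_seen", ip, sorted(approved)))
            continue
        for p in sorted(seen - approved):   # listening where it should not be
            findings.append(("unapproved_port", ip, p))
        for p in sorted(approved - seen):   # an expected service is down
            findings.append(("expected_port_missing", ip, p))
    return findings


# Constructed sample scan output (not a real scan) and constructed baseline.
SCAN = (
    "# Nmap scan (constructed sample, not a real scan)\n"
    "Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///,"
    " 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.6 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///,"
    " 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.9 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)\n"
)
BASELINE = {
    "10.0.0.5": {"22/tcp", "80/tcp", "443/tcp"},
    "10.0.0.6": {"22/tcp", "5432/tcp"},
    "10.0.0.7": {"22/tcp", "25/tcp"},
}


def run_check():
    """Parse the sample scan and diff it against the sample baseline."""
    return compare_to_baseline(BASELINE, parse_grepable(SCAN))


if __name__ == "__main__":
    for finding in run_check():
        print(*finding)
```

The baseline is keyed by address and port/protocol because that is what the control asks to be approved; service names reported by the scanner are useful context but are not part of the comparison, since the same port can be reported under different names between scanner versions.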
PR.AC-5.7 Verify any server that is visible from the Internet or an untrusted network, and if it is
not required for business purposes, move it to an internal VLAN and give it a private address.
PR.AC-5.8 Operate critical services on separate physical or logical host machines, such as DNS,
file, mail, web, and database servers.
PR.AC-5.9 Place application firewalls in front of any critical servers to verify and validate the
traffic going to the server. Any unauthorized services or traffic should be blocked and an alert
generated.
PR.AC-5.10 Network engineers shall use a dedicated machine for all administrative tasks or tasks
requiring elevated access. This machine shall be isolated from the organization's primary network
and not be allowed Internet access. This machine shall not be used for reading e-mail, composing
documents, or surfing the Internet.
PR.AC-5.11 Design and implement network perimeters so that all outgoing network traffic to the
Internet must pass through at least one application layer filtering proxy server. The proxy should
support decrypting network traffic, logging individual TCP sessions, blocking specific URLs,
domain names, and IP addresses to implement a black list, and applying whitelists of allowed sites
that can be accessed through the proxy while blocking all other sites. Organizations should force
outbound traffic to the Internet through an authenticated proxy server on the enterprise
perimeter.
PR.AC-5.12 Disable peer-to-peer wireless network capabilities on wireless clients.
PR.AC-5.13 Disable wireless peripheral access of devices (such as Bluetooth), unless such access is
required for a documented business need.
PR.AC-5: Network integrity is protected, incorporating network
segregation where appropriate
· NIST SP 800-53 Rev. 4 AC-4, SC-7
· CCS CSC 9
9
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.7.2.2
PR.AT-1.1 Inform and train all workers.
PR.AT-1.2 Appoint a worker to coordinate the agency information security awareness program.
If an IT security worker does not coordinate the security awareness program, they shall be
consulted for content development purposes. Agencies will ensure that all workers (including
volunteer workers) are clearly notified of applicable obligations, established via agency policies, to
maintain compliance with such controls.
PR.AT-1.3 Establish a program that includes, at a minimum, annual security awareness training
and on-going education and reinforcement of security practices.
PR.AT-1.4 Provide training to workers within 30 days of start date.
PR.AT-1.5 Include security policy adherence expectations for the following, at a minimum:
disciplinary procedures and implications, acceptable use restrictions, data handling (procedures
for handling exempt and confidential and exempt information), telework and computer security
incident reporting procedures.
PR.AT-1.6 Establish requirements for workers to immediately report loss of mobile devices,
security tokens, smart cards, identification badges, or other devices used for identification and
authentication purposes according to agency reporting procedures.
PR.AT-1.7 Where technology permits, provide training prior to system access. For specialized
agency workers (e.g., law enforcement officers), who are required to receive extended off-site
training prior to reporting to their permanent duty stations, initial security awareness training
shall be provided within 30 days of the date they report to their permanent duty station.
PR.AT-1.8 Require, prior to access, workers verify in writing that they will comply with agency
IT security policies and procedures.
PR.AT-1.9 Document parameters that govern personal use of agency IT resources and define
what constitutes personal use. Personal use, if allowed by the agency, shall not interfere with the
normal performance of any worker’s duties, or consume significant or unreasonable amounts of
state information technology resources (e.g. bandwidth, storage).
PR.AT-1.10 Inform workers of what constitutes inappropriate use of IT resources.
Inappropriate use shall include, but may not be limited to, the following:
1. Distribution of malware
2. Disablement or circumvention of security controls
3. Forging headers
4. Propagating “chain” letters
5. Political campaigning or unauthorized fund raising
6. Use for personal profit, benefit or gain
7. Offensive, indecent, or obscene access or activities, unless required by job duties
8. Harassing, threatening, or abusive activity
9. Any activity that leads to performance degradation
10. Auto-forwarding to external e-mail addresses
11. Unauthorized, non-work related access to: chat rooms, political groups, singles clubs or dating
services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal
drug paraphernalia, hate-speech, or violence; hacker web-site/software; and pornography and
sites containing obscene materials.
PR.AT-1.11 Perform gap analysis to see which skills employees need and which behaviors
employees are not adhering to, using this information to build a baseline training and awareness
roadmap for all employees.
PR.AT-1.12 Implement a security awareness program that (1) focuses only on the methods
commonly used in intrusions that can be blocked through individual action, (2) is delivered in
short online modules convenient for employees, (3) is updated frequently (at least annually) to
represent the latest attack techniques, (4) is mandated for completion by all employees at least
annually, and (5) is reliably monitored for employee completion.
PR.AT-1.13 Validate and improve awareness levels through periodic tests to see whether
employees will click on a link from suspicious e-mail or provide sensitive information on the
telephone without following appropriate procedures for authenticating a caller; targeted training
should be provided to those who fall victim to the exercise.
PR.AT-1.14 Ensure that all software development personnel receive training in writing secure
code for their specific development environment.
PROTECT (PR)
Awareness and Training
(PR.AT): The
organization’s personnel and
partners are provided
cybersecurity awareness
education and are adequately
trained to perform their
information security-related
duties and responsibilities
consistent with related
policies, procedures, and
agreements.
PR.AT-1: All users are informed and trained
· NIST SP 800-53 Rev. 4 AT-2, PM-13
· CCS CSC 9 9
· COBIT 5 APO07.02, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
· CCS CSC 9 9
· COBIT 5 APO07.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9
· CCS CSC 9 9
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
· CCS CSC 9 9
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
PR.AT-2.1 Ensure that privileged users understand their roles and
PR.AT-2.2 Use security skills assessments for each of the mission-critical roles to identify skills
gaps. Use hands-on, real-world examples to measure mastery. If you do not have such
assessments, use one of the available online competitions that simulate real-world scenarios for
each of the identified jobs in order to measure skills mastery.
PR.AT-3.1 Ensure that third-party stakeholders understand their roles and responsibilities.
PR.AT-4.1 Ensure that senior executives understand their roles and responsibilities.
PR.AT-4.2 Deliver training to fill the skills gap. If possible, use more senior staff to deliver the
training. A second option is to have outside teachers provide training onsite so the examples used
will be directly relevant. If you have small numbers of people to train, use training conferences or
online training to fill the gaps.
PR.AT-5.1 Ensure that physical and information security personnel understand their roles and
responsibilities.
PR.AT-2: Privileged users understand roles & responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers,
partners) understand roles & responsibilities
PR.AT-4: Senior executives understand roles & responsibilities
PR.AT-5: Physical and information security personnel understand roles
& responsibilities
· CCS CSC 17
17
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 SC-28
· CCS CSC 17
17
· COBIT 5 APO01.06, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2,
A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
· COBIT 5 APO13.01
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.12.3.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
· CCS CSC 17
17
· COBIT 5 APO01.06
PR.DS-1.1 Procedures that ensure only agency-owned or approved IT resources are used to store
confidential or exempt information.
PR.DS-1.2 Procedures that ensure agency-owned or approved portable IT resources containing
confidential or mission critical data are encrypted.
PR.DS-1.3 Procedures that ensure agency-owned or approved portable IT resources that connect
to the agency internal network use agency-managed security software.
PR.DS-1.4 Inform users not to store unique copies of agency data on workstations or mobile
devices.
PR.DS-2.1 Encrypt confidential and exempt information during transmission, except when the
transport medium is owned or managed by the agency and controls are in place to protect the
data during transit.
PR.DS-2.2 Ensure that wireless transmissions of agency data employ cryptography for
authentication and transmission.
PR.DS-2.3 Make passwords unreadable during transmission and storage.
PR.DS-2.4 Encrypt mobile IT resources that store, process, or transmit exempt, or confidential
and exempt agency data.
PR.DS-2.5 Monitor all traffic leaving the organization and detect any unauthorized use of
encryption. Attackers often use an encrypted channel to bypass network security devices.
Therefore it is essential that organizations be able to detect rogue connections, terminate the
connection, and remediate the infected system.
PR.DS-2.6 Block access to known file transfer and e-mail exfiltration websites.
PR.DS-2.7 Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied
off a server. In most organizations, access to the data is controlled by ACLs that are implemented
on the server. Once the data have been copied to a desktop system, the ACLs are no longer
enforced and the users can send the data to whomever they want.
PR.DS-3.1 Before equipment is disposed of or released for reuse, sanitize or destroy media in
accordance with the State of Florida General Records Schedule GS1-SL for State and Local
Government Agencies.
PR.DS-3.2 Destruction of confidential or exempt information shall be conducted such that the
information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or
reconstruction.
PR.DS-3.3 Document procedures for sanitization of agency-owned IT resources prior to
reassignment or disposal.
PR.DS-3.4 Equipment sanitization shall be performed such that confidential or exempt
information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or
reconstruction. File deletion and media formatting are not acceptable methods of sanitization.
Acceptable methods of sanitization include using software to overwrite data on computer media,
degaussing, or physically destroying media.
PR.DS-4.1 Ensure adequate audit/log capacity.
PR.DS-4.2 Protect against or limit the effects of denial of service attacks.
PR.DS-5.1 Establish a policy and processes that addresses appropriate handling and protecting of
exempt, and confidential and exempt information. The policy shall be reviewed and acknowledged
by all workers.
PR.DS-5.2 Retention and destruction of confidential and exempt information in accordance with
the records retention requirements as provided in the State of Florida General Records Schedule
GS1-SL for State and Local Government Agencies.
PR.DS-5.3 Develop and document access agreements for agency information systems.
PR.DS-5.4 Boundary protection.
PR.DS-5.5 Transmission confidentiality & integrity.
PROTECT (PR)
Data Security (PR.DS):
Information and records
(data) are managed
consistent with the
organization’s risk strategy
to protect the confidentiality,
integrity, and availability of
information.
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers,
and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
· ISA 62443-3-3:2013 SR 5.2
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3,
A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1,
A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
· ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SI-7
· COBIT 5 BAI07.04
· ISO/IEC 27001:2013 A.12.1.4
· NIST SP 800-53 Rev. 4 CM-2
· CCS CSC 3, 10
3, 10
· COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
PR.DS-6.1 Application controls shall be established to ensure the accuracy and completeness of
data, including validation and integrity checks, to detect data corruption that may occur through
processing errors or deliberate actions.
PR.DS-6.2 Deploy approved hard drive encryption software to mobile devices and systems that
hold sensitive data.
PR.DS-6.3 For in-house developed software, ensure that explicit error checking is performed and
documented for all input, including for size, data type, and acceptable ranges or formats.
PR.DS-6.4 Test in-house-developed and third-party-procured web applications for common
security weaknesses using automated remote web application scanners prior to deployment,
whenever updates are made to the application, and on a regular recurring basis. In particular,
input validation and output encoding routines of application software should be reviewed and
tested.
PR.DS-6.5 For in-house developed applications, ensure that development artifacts (sample data
and scripts; unused libraries, components, debug code; or tools) are not included in the deployed
software, or accessible in the production environment.
PR.DS-7.1 Physically or logically separate development and testing environment(s) from the
production environment and ensure that production exempt, or confidential and exempt data is
not used for development where technology permits. Production exempt, or confidential and
exempt data may be used for testing if the data owner authorizes the use and regulatory
prohibitions do not exist; the test environment limits access and access is audited; and production
exempt, and confidential and exempt data is removed from the system when testing is completed.
Data owner authorization shall be managed via technical means, to the extent practical.
PR.DS-7.2 Maintain separate environments for production and nonproduction systems.
Developers should not typically have unmonitored access to production environments.
PR.IP-1.1 Specify standard hardware and secure standard configurations.
PR.IP-1.2 Include documented firewall and router configuration standards, and include a current
network diagram.
PR.IP-1.3 Require that vendor default settings, posing security risks, are changed or disabled for
agency-owned or managed IT resources, including encryption keys, accounts, passwords, and
SNMP (Simple Network Management Protocol) community strings, and ensure device security
settings are enabled where appropriate.
PR.IP-1.4 Allow only agency-approved software to be installed on agency-owned IT resources.
PR.IP-1.5 Establish standard secure configurations of operating systems and software
applications. Standardized images should represent hardened versions of the underlying
operating system and the applications installed on the system. These images should be validated
and refreshed on a regular basis to update their security configuration in light of recent
vulnerabilities and attack vectors.
PR.IP-1.6 Follow strict configuration management, building a secure image that is used to build
all new systems that are deployed in the enterprise. Any existing system that becomes
compromised should be re-imaged with the secure build. Regular updates or exceptions to this
image should be integrated into the organization’s change management processes. Images should
be created for workstations, servers, and other system types used by the organization.
PR.IP-1.7 Store the master images on securely configured servers, validated with integrity
checking tools capable of continuous inspection, and change management to ensure that only
authorized changes to the images are possible. Alternatively, these master images can be stored in
offline machines, air-gapped from the production network, with images copied via secure media
to move them between the image storage servers and the production network.
PR.IP-1.8 Perform all remote administration of servers, workstations, network devices, and
similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not
actively support strong encryption should only be used if they are performed over a secondary
encryption channel, such as SSL, TLS or IPSEC.
PR.IP-1.9 Use file integrity checking tools to ensure that critical system files (including sensitive
system and application executables, libraries, and configurations) have not been altered. The
reporting system should: have the ability to account for routine and expected changes; highlight
and alert on unusual or unexpected alterations; show the history of configuration changes over
time and identify who made the change (including the original logged-in account in the event of a
user ID switch, such as with the su or sudo command). These integrity checks should identify
suspicious system alterations such as: owner and permissions changes to files or directories; the
use of alternate data streams which could be used to hide malicious activities; and the
introduction of extra files into key system areas (which could indicate malicious payloads left by
attackers or additional files inappropriately added during batch distribution processes).
PR.IP-1.10 Implement and test an automated configuration monitoring system that verifies all
remotely testable secure configuration elements, and alerts when unauthorized changes occur.
This includes detecting new listening ports, new administrative users, changes to group and local
policy objects (where applicable), and new services running on a system. Whenever possible use
tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline
reporting and integration.
PR.IP-1.11 Deploy system configuration management tools, such as Active Directory Group
Policy Objects for Microsoft Windows systems or Puppet for UNIX systems that will
automatically enforce and redeploy configuration settings to systems at regularly scheduled
intervals. They should be capable of triggering redeployment of configuration settings on a
scheduled, manual, or event-driven basis.
PR.IP-1.12 Include at least two synchronized time sources from which all servers and network
equipment retrieve time information on a regular basis so that timestamps in logs are consistent.
PR.IP-1.13 Validate audit log settings for each hardware device and the software installed on it,
ensuring that logs include a date, timestamp, source addresses, destination addresses, and various
other useful elements of each packet and/or transaction. Systems should record logs in a
standardized format such as syslog entries or those outlined by the Common Event Expression
initiative. If systems cannot generate logs in a standardized format, log normalization tools can be
deployed to convert logs into such a format.
PR.IP-1.14 Configure network boundary devices, including firewalls, network-based IPS, and
inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at
the device.
PR.IP-1.15 All new configuration rules beyond a baseline-hardened configuration that allow
traffic to flow through network security devices, such as firewalls and network-based IPS, should
be documented and recorded in a configuration management system, with a specific business
reason for each change, a specific individual’s name responsible for that business need, and an
expected duration of the need.
PR.IP-1.16 Use automated tools to verify standard device configurations and detect changes. All
alterations to such files should be logged and automatically reported to security personnel.
PR.IP-1.17 To help identify covert channels exfiltrating data through a firewall, configure the
built-in firewall session tracking mechanisms included in many commercial firewalls to identify
TCP sessions that last an unusually long time for the given organization and firewall device,
alerting personnel about the source and destination addresses associated with these long sessions.
PR.IP-1.18 For all acquired application software, check that the version you are using is still
supported by the vendor. If not, update to the most current version and install all relevant patches
and vendor security recommendations.
PR.IP-1.19 Do not display system error messages to end-users (output sanitization).
PR.IP-1.20 For applications that rely on a database, use standard hardening configuration
templates. All systems that are part of critical business processes should also be tested.
PR.DS-5.1 Establish a policy and processes that address the appropriate handling and protection of
exempt, and confidential and exempt information. The policy shall be reviewed and acknowledged
by all workers.
PR.DS-5.2 Retain and destroy confidential and exempt information in accordance with the records
retention requirements provided in the State of Florida General Records Schedule GS1-SL for State
and Local Government Agencies.
PR.DS-5.3 Develop and document access agreements for agency information systems.
PR.DS-5.4 Boundary protection.
PR.DS-5.5 Transmission confidentiality & integrity.
PROTECT (PR)
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3,
A.14.2.4
PR.IP-1.1 Specify standard hardware and secure standard configurations.
PR.IP-1.2 Include documented firewall and router configuration standards, and include a current
network diagram.
PR.IP-1.3 Require that vendor default settings, posing security risks, are changed or disabled for
agency-owned or managed IT resources, including encryption keys, accounts, passwords, and
SNMP (Simple Network Management Protocol) community strings, and ensure device security
settings are enabled where appropriate.
PR.IP-1.4 Allow only agency-approved software to be installed on agency-owned IT resources.
PR.IP-1.5 Establish standard secure configurations of operating systems and software
applications. Standardized images should represent hardened versions of the underlying
operating system and the applications installed on the system. These images should be validated
and refreshed on a regular basis to update their security configuration in light of recent
vulnerabilities and attack vectors.
PR.IP-1.6 Follow strict configuration management, building a secure image that is used to build
all new systems that are deployed in the enterprise. Any existing system that becomes
compromised should be re-imaged with the secure build. Regular updates or exceptions to this
image should be integrated into the organization’s change management processes. Images should
be created for workstations, servers, and other system types used by the organization.
PR.IP-1.7 Store the master images on securely configured servers, validated with integrity
checking tools capable of continuous inspection, and change management to ensure that only
authorized changes to the images are possible. Alternatively, these master images can be stored in
offline machines, air-gapped from the production network, with images copied via secure media
to move them between the image storage servers and the production network.
PR.IP-1.8 Perform all remote administration of servers, workstations, network devices, and
similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not
actively support strong encryption should only be used if they are performed over a secondary
encryption channel, such as SSL, TLS or IPsec.
PR.IP-1.9 Use file integrity checking tools to ensure that critical system files (including sensitive
system and application executables, libraries, and configurations) have not been altered. The
reporting system should: have the ability to account for routine and expected changes; highlight
and alert on unusual or unexpected alterations; show the history of configuration changes over
time and identify who made the change (including the original logged-in account in the event of a
user ID switch, such as with the su or sudo command). These integrity checks should identify
suspicious system alterations such as: owner and permissions changes to files or directories; the
use of alternate data streams which could be used to hide malicious activities; and the
introduction of extra files into key system areas (which could indicate malicious payloads left by
attackers or additional files inappropriately added during batch distribution processes).
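The following is an added example, not part of the framework text or any named tool, of the baseline-and-compare logic PR.IP-1.9 describes: it records hash, permission bits and owner for every regular file under watched directories, then reports content, permission and owner changes and extra files dropped into key areas, routing paths approved under a change ticket to an "expected" bucket so only unusual alterations alert. The watched paths, the allowlist shape and the scenario in `demo()` are constructed assumptions; attributing a change to the original logged-in account (the su/sudo case) is left to the audit log and not modelled here.

```python
"""File integrity baseline check (added example; the paths and allowlist format are assumptions)."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class FileRecord:
    sha256: str
    mode: int   # permission bits only, e.g. 0o644
    uid: int
    gid: int


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots: Iterable[str]) -> Dict[str, FileRecord]:
    """Walk each root and record hash, permission bits and owner of every regular file."""
    records: Dict[str, FileRecord] = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, devices and sockets are out of scope here
                records[path] = FileRecord(_hash_file(path), stat.S_IMODE(st.st_mode),
                                           st.st_uid, st.st_gid)
    return records


def compare(baseline: Dict[str, FileRecord], current: Dict[str, FileRecord],
            expected_changes: Set[str] = frozenset()) -> Dict[str, Dict[str, List[str]]]:
    """Classify every difference; approved paths land in 'expected', the rest in 'alert'."""
    findings: Dict[str, Dict[str, List[str]]] = {"alert": {}, "expected": {}}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        kinds: List[str] = []
        if old is None:
            kinds.append("new_file")        # extra file in a key system area
        elif new is None:
            kinds.append("deleted")
        else:
            if old.sha256 != new.sha256:
                kinds.append("content")
            if old.mode != new.mode:
                kinds.append("permissions")  # e.g. a binary made world-writable
            if (old.uid, old.gid) != (new.uid, new.gid):
                kinds.append("owner")
        if kinds:
            bucket = "expected" if path in expected_changes else "alert"
            findings[bucket][path] = kinds
    return findings


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: baseline a temp tree, then apply one approved and two unapproved changes."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        svc, cfg = os.path.join(bin_dir, "svc"), os.path.join(root, "app.conf")
        with open(svc, "wb") as f:
            f.write(b"#!/bin/sh\necho ok\n")
        os.chmod(svc, 0o755)
        with open(cfg, "w") as f:
            f.write("listen=127.0.0.1\n")
        os.chmod(cfg, 0o640)
        baseline = snapshot([root])

        # Routine, ticketed change: the config file is edited.
        with open(cfg, "a") as f:
            f.write("log=/var/log/app.log\n")
        # Unexpected: the service binary becomes world-writable and a hidden file appears in bin/.
        os.chmod(svc, 0o777)
        with open(os.path.join(bin_dir, ".helper"), "wb") as f:
            f.write(b"\x7fELF")
        return compare(baseline, snapshot([root]), expected_changes={cfg})


if __name__ == "__main__":
    for bucket, hits in demo().items():
        for path, kinds in hits.items():
            print(f"{bucket:8} {','.join(kinds):12} {path}")
```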
PR.IP-1.10 Implement and test an automated configuration monitoring system that verifies all
remotely testable secure configuration elements, and alerts when unauthorized changes occur.
This includes detecting new listening ports, new administrative users, changes to group and local
policy objects (where applicable), and new services running on a system. Whenever possible use
tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline
reporting and integration.
PR.IP-1.11 Deploy system configuration management tools, such as Active Directory Group
Policy Objects for Microsoft Windows systems or Puppet for UNIX systems, that will
automatically enforce and redeploy configuration settings to systems at regularly scheduled
intervals. They should be capable of triggering redeployment of configuration settings on a
scheduled, manual, or event-driven basis.
PR.IP-1.12 Include at least two synchronized time sources from which all servers and network
equipment retrieve time information on a regular basis so that timestamps in logs are consistent.
PR.IP-1.13 Validate audit log settings for each hardware device and the software installed on it,
ensuring that logs include a date, timestamp, source addresses, destination addresses, and various
other useful elements of each packet and/or transaction. Systems should record logs in a
standardized format such as syslog entries or those outlined by the Common Event Expression
initiative. If systems cannot generate logs in a standardized format, log normalization tools can be
deployed to convert logs into such a format.
PR.IP-1.14 Configure network boundary devices, including firewalls, network-based IPS, and
inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at
the device.
PR.IP-1.15 All new configuration rules beyond a baseline-hardened configuration that allow
traffic to flow through network security devices, such as firewalls and network-based IPS, should
be documented and recorded in a configuration management system, with a specific business
reason for each change, a specific individual’s name responsible for that business need, and an
expected duration of the need.
PR.IP-1.16 Use automated tools to verify standard device configurations and detect changes. All
alterations to such files should be logged and automatically reported to security personnel.
PR.IP-1.17 To help identify covert channels exfiltrating data through a firewall, configure the
built-in firewall session tracking mechanisms included in many commercial firewalls to identify
TCP sessions that last an unusually long time for the given organization and firewall device,
alerting personnel about the source and destination addresses associated with these long sessions.
PR.IP-1.18 For all acquired application software, check that the version you are using is still
supported by the vendor. If not, update to the most current version and install all relevant patches
and vendor security recommendations.
PR.IP-1.19 Do not display system error messages to end-users (output sanitization).
PR.IP-1.20 For applications that rely on a database, use standard hardening configuration
templates. All systems that are part of critical business processes should also be tested.
PROTECT (PR)
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9,
SA-10
· COBIT 5 APO13.01 6
· ISA 62443-2-1:2009 4.3.4.3.3
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
· NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15,
SA-17, PL-8
· COBIT 5 BAI06.01, BAI01.06
PR.IP-2.1 Develop and implement processes that include reviews of security requirements and
controls to ascertain effectiveness and appropriateness relative to new technologies and applicable
state and federal regulations.
PR.IP-2.2 Ensure security reviews are approved by the ISM and Chief Information Officer (or
designee) before new or modified applications or technologies are moved into production. For IT
resources housed in a state data center, the security review shall also be approved by the data
center before the new or modified applications or technologies are moved into production.
PR.IP-2.3 The application development team at each agency shall implement appropriate security
controls to minimize risks to agency information technology resources and meet the security
requirements of the application owner. Agencies will identify in their policies, processes and
procedures the security coding guidelines the agency will follow when obtaining, purchasing,
leasing or developing software.
PR.IP-2.4 Where technology permits, the agency shall ensure anti-malware software is
maintained on agency IT resources.
PR.IP-3.1 Determine types of changes that are configuration-controlled (e.g. emergency patches,
releases, and other out-of-band security packages).
PR.IP-3.2 Develop a process to review and approve or disapprove proposed changes based on a
security impact analysis (e.g., implementation is commensurate with the risk associated with the
weakness or vulnerability).
PR.IP-3.3 Develop a process to document change decisions.
PR.IP-3.4 Develop a process to implement approved changes and review implemented changes.
PR.IP-3.5 Develop an oversight capability for change control activities.
PR.IP-3.6 Develop procedures to ensure security requirements are incorporated into the change
control process.
PR.IP-3.7 Compare firewall, router, and switch configuration against standard secure
configurations defined for each type of network device in use in the organization. The security
configuration of such devices should be documented, reviewed, and approved by an organization
change control board. Any deviations from the standard configuration or updates to the standard
configuration should be documented and approved in a change control system.
PROTECT (PR)
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
· COBIT 5 APO13.01
· ISA 62443-2-1:2009 4.3.4.3.9
· ISA 62443-3-3:2013 SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
· NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.4.4.4
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
· NIST SP 800-53 Rev. 4 MP-6
· COBIT 5 APO11.06, DSS04.05
PR.IP-4.1 Ensure backups of information are conducted, maintained, and tested periodically.
PR.IP-4.2 Ensure that all systems that store logs have adequate storage space for the logs
generated on a regular basis, so that log files will not fill up between log rotation intervals. The
logs must be archived and digitally signed on a periodic basis.
PR.IP-4.3 Ensure that each system is automatically backed up on at least a weekly basis, and
more often for systems storing sensitive information. To help ensure the ability to rapidly restore
a system from backup, the operating system, application software, and data on a machine should
each be included in the overall backup procedure. These three components of a system do not
have to be included in the same backup file or use the same backup software. There should be
multiple backups over time, so that in the event of malware infection, restoration can be from a
version that is believed to predate the original infection. All backup policies should be compliant
with any regulatory or official requirements.
PR.IP-4.4 Test data on backup media on a regular basis by performing a data restoration process
to ensure that the backup is properly working.
PR.IP-4.5 Ensure that backups are properly protected via physical security or encryption when
they are stored, as well as when they are moved across the network. This includes remote
backups and cloud services.
PR.IP-4.6 Ensure that key systems have at least one backup destination that is not continuously
addressable through operating system calls. This will mitigate the risk of attacks like
CryptoLocker which seek to encrypt or damage data on all addressable data shares, including
backup destinations.
PR.IP-5.1 Establish policy and regulatory expectations for protection of the physical operating
environment for agency-owned or managed IT resources.
PR.IP-6.1 Manage and dispose of records/data in accordance with the records retention
requirements as provided in the State of Florida General Records Schedule GS1-SL for State and
Local Government Agencies.
PR.IP-7.1 Establish a policy and procedure review process that facilitates continuous
improvement to protection processes.
PR.IP-7.2 Ensure security control selection occurs during the beginning of the system
development lifecycle (SDLC) and is documented in final design documentation.
PR.IP-7.3 System security plans shall document controls necessary to protect production data in
the production environment and copies of production data used in non-production environments.
PR.IP-7.4 System security plans are confidential per section 282.318, F.S., and shall be available
to the agency ISM and CISO.
PR.IP-7.5 Require that each agency application or system with a categorization of moderate-impact
or higher have a documented system security plan (SSP). For existing production systems
that lack an SSP, a risk assessment shall be performed to determine prioritization of subsequent
documentation efforts.
PR.IP-7.6 The SSP shall include provisions that:
i. Align the system with the agency’s enterprise architecture
ii. Define the authorization boundary for the system
iii. Describe the mission-related business purpose
iv. Provide the security categorization, including security requirements and rationale
(compliance, availability, etc.)
v. Describe the operational environment, including relationships, interfaces, or dependencies on
external services
vi. Provide an overview of system security requirements
vii. Identify the authorizing official or designee, who reviews and approves prior to implementation.
PR.IP-7.7 Require information system owners (ISOs) to define application security-related
business requirements using role-based access controls and rule-based security policies.
PR.IP-7.8 Require ISOs to establish and authorize the types of privileges and access rights
appropriate to system users, both internal and external.
PR.IP-7.9 Create procedures to address inspection of content stored, processed or transmitted on
agency-owned or managed IT resources, including attached removable media. Inspection shall be
performed where authorization has been provided by stakeholders that should or must receive
this information.
PR.IP-7.10 Establish parameters for agency-managed devices that prohibit installation (without
worker consent) of clients that allow the agency to inspect private partitions or personal data.
PR.IP-7.11 Require ISOs to ensure segregation of duties when establishing system authorizations.
PR.IP-7.12 Establish controls that prohibit a single individual from having the ability to complete
all steps in a transaction or control all stages of a critical process.
PR.IP-7.13 Require agency information owners to identify exempt, and confidential and exempt
information in their systems.
PR.IP-7.14 Have security personnel and/or system administrators run biweekly reports that
identify anomalies in logs. They should then actively review the anomalies, documenting their
findings.
PROTECT (PR)
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
· ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6,
4.4.3.7, 4.4.3.8
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
· COBIT 5 DSS04.03
· ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2
· NIST SP 800-53 Rev. 4 CP-2, IR-8
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14
· COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
· ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
· ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4
· NIST SP 800-53 Rev. 4 PS Family
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.2
PR.IP-8.1 Ensure that effectiveness of protection technologies is shared with stakeholders that
should or must receive this information.
PR.IP-9.1 Develop, implement and manage response plans (e.g., Incident Response and Business
Continuity) and recovery plans (e.g., Incident Recovery and Disaster Recovery).
PR.IP-9.2 Deploy a SIEM (Security Information and Event Management) or log analytic tools for
log aggregation and consolidation from multiple machines and for log correlation and analysis.
Using the SIEM tool, system administrators and security personnel should devise profiles of
common events from given systems so that they can tune detection to focus on unusual activity,
avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with
insignificant alerts.
PR.IP-10.1 Establish a procedure that ensures that agency response and recovery plans are
regularly tested.
PR.IP-11.1 Include cybersecurity in human resources practices (e.g., de-provisioning, personnel
screening).
PR.IP-12.1 Each agency shall develop and implement a vulnerability management plan.
PR.IP-12.2 Configure network vulnerability scanning tools to detect wireless access points
connected to the wired network. Identified devices should be reconciled against a list of
authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.
PR.IP-7.1 Establish a policy and procedure review process that facilitates continuous
improvement to protection processes.
PR.IP-7.2 Ensure security control selection occurs during the beginning of the system
development lifecycle (SDLC) and is documented in final design documentation.
PR.IP-7.3 System security plans shall document controls necessary to protect production data in
the production environment and copies of production data used in non-production environments.
PR.IP-7.4 System security plans are confidential per section 282.318, F.S., and shall be available
to the agency ISM and CISO.
PR.IP-7.5 Require that each agency application or system with a categorization of moderate-
impact or higher have a documented system security plan (SSP). For existing production systems
that lack an SSP, a risk assessment shall be performed to determine the prioritization of
subsequent documentation efforts.
PR.IP-7.6 The SSP shall include provisions that:
i. Align the system with the agency’s enterprise architecture
ii. Define the authorization boundary for the system
iii. Describe the mission-related business purpose
iv. Provide the security categorization, including security requirements and rationale
(compliance, availability, etc.)
v. Describe the operational environment, including relationships, interfaces, or dependencies on
external services
vi. Provide an overview of system security requirements
vii. Identify the authorizing official or designee, who reviews and approves prior to implementation.
PR.IP-7.7 Require Information system owners (ISOs) to define application security-related
business requirements using role-based access controls and rule-based security policies.
PR.IP-7.8 Require ISOs to establish and authorize the types of privileges and access rights
appropriate to system users, both internal and external.
PR.IP-7.9 Create procedures to address inspection of content stored, processed or transmitted on
agency-owned or managed IT resources, including attached removable media. Inspection shall be
performed where authorization has been provided by stakeholders that should or must receive
this information.
PR.IP-7.10 Establish parameters for agency-managed devices that prohibit installation (without
worker consent) of clients that allow the agency to inspect private partitions or personal data.
PR.IP-7.11 Require ISOs to ensure segregation of duties when establishing system authorizations.
PR.IP-7.12 Establish controls that prohibit a single individual from having the ability to complete
all steps in a transaction or control all stages of a critical process.
PR.IP-7.13 Require agency information owners to identify exempt, and confidential and exempt
information in their systems.
PR.IP-7.14 Have security personnel and/or system administrators run biweekly reports that
identify anomalies in logs. They should then actively review the anomalies, documenting their
findings.
PROTECT (PR)
PR.IP-9: Response plans (Incident Response and Business Continuity)
and recovery plans (Incident Recovery and Disaster Recovery) are in
place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g.,
deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and
implemented
Information Protection
Processes and Procedures
(PR.IP): Security policies
(that address purpose, scope,
roles, responsibilities,
management commitment,
and coordination among
organizational entities),
processes, and procedures
are maintained and used to
manage protection of
information systems and
assets.
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with
appropriate parties
· NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.7
· ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
· NIST SP 800-53 Rev. 4 MA-4
· CCS CSC 14 14
· COBIT 5 APO11.04
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
· NIST SP 800-53 Rev. 4 AU Family
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 2.3
· ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
· NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
· ISO/IEC 27001:2013 A.9.1.2
PR.PT-3.1 Control access to systems and assets, utilizing the principle of least trust.
PR.PT-3.2 Virtual machines and/or air-gapped systems should be used to isolate and run
applications that are required for business operations but based on higher risk should not be
installed within a networked environment.
PR.PT-3.3 All communication of sensitive information over less-trusted networks should be
encrypted. Whenever information flows over a network with a lower trust level, the information
should be encrypted.
PR.PT-3.4 All information stored on systems shall be protected with file system, network share,
claims, application, or database-specific access control lists. These controls will enforce the
principle that only authorized individuals should have access to the information, based on their
need to access the information as a part of their responsibilities.
PR.PT-3.5 Sensitive information stored on systems shall be encrypted at rest and require a
secondary authentication mechanism, not integrated into the operating system, in order to access
the information.
PR.PT-3.6 Archived data sets or systems not regularly accessed by the organization shall be
removed from the organization's network. These systems shall only be used as stand-alone systems
(disconnected from the network) by the business unit needing to occasionally use the system, or
completely virtualized and powered off until needed.
PR.MA-1.1 Perform and log maintenance and repair of IT resources in a timely manner with
tools that have been approved and are administered by the agency to be used for such activities.
PR.MA-2.1 Approve, encrypt, log and perform remote maintenance of IT resources in a manner
that prevents unauthorized access.
PR.MA-2.2 Do not engage in new development of custom authenticators. Agencies assess the
feasibility of replacing agency-developed authenticators in legacy applications.
PR.PT-1.1 Determine and document required audit/log records, implement logging of audit
records, and protect and review logs in accordance with agency-developed policy. Agency-
developed policy shall be based on resource criticality. Where possible, ensure that electronic
audit records allow actions of users to be uniquely traced to those users so they can be held
accountable for their actions. Maintain logs identifying where access to exempt, or confidential
and exempt data was permitted. The logs shall support unique identification of individuals and
permit an audit of the logs to trace activities through the system, including the capability to
determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the
individual.
PR.PT-1.2 Enforce detailed audit logging for access to nonpublic data and special authentication
for sensitive data.
PR.PT-2.1 Protect and restrict removable media in accordance with agency-developed
information security policy.
PR.PT-2.2 If there is no business need for supporting such devices, configure systems so that they
will not write data to USB tokens or USB hard drives. If such devices are required, enterprise
software should be used that can configure systems to allow only specific USB devices (based on
serial number or other unique property) to be accessed, and that can automatically encrypt all
data placed on such devices. An inventory of all authorized devices must be maintained.
Maintenance (PR.MA):
Maintenance and repairs of
industrial control and
information system
components is performed
consistent with policies and
procedures.
PR.MA-1: Maintenance and repair of organizational assets is
performed and logged in a timely manner, with approved and controlled
tools
PR.MA-2: Remote maintenance of organizational assets is approved,
logged, and performed in a manner that prevents unauthorized access
Protective Technology
(PR.PT): Technical security
solutions are managed to
ensure the security and
resilience of systems and
assets, consistent with
related policies, procedures,
and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented,
and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted
according to policy
PR.PT-3: Access to systems and assets is controlled, incorporating the
principle of least functionality
· NIST SP 800-53 Rev. 4 AC-3, CM-7
· CCS CSC 7 7
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1
PR.PT-4.1 Protect communications and control networks by establishing perimeter security
measures to prevent unauthorized connections to agency IT resources.
PR.PT-4.2 Place databases containing mission critical, exempt, or confidential and exempt data in
an internal network zone, segregated from the demilitarized zone (DMZ).
PR.PT-4.3 Agencies shall require host-based (e.g., a system controlled by a central or main
computer) boundary protection on mobile computing devices where technology permits (i.e., a
detection agent).
PR.PT-4.4 Ensure that only fully supported web browsers and email clients are allowed to execute
in the organization, ideally only using the latest version of the browsers provided by the vendor in
order to take advantage of the latest security functions and fixes.
PR.PT-4.5 Deploy two separate browser configurations to each system. One configuration should
disable the use of all plugins, unnecessary scripting languages, and generally be configured with
limited functionality and be used for general web browsing. The other configuration shall allow
for more browser functionality but should only be used to access specific websites that require the
use of such functionality.
PR.PT-4.6 The organization shall maintain and enforce network based URL filters that limit a
system's ability to connect to websites not approved by the organization. The organization shall
subscribe to URL categorization services to ensure that they are up-to-date with the most recent
website category definitions available. Uncategorized sites shall be blocked by default. This
filtering shall be enforced for each of the organization's systems, whether they are physically at
an organization's facilities or not.
PR.PT-4.7 To lower the chance of spoofed e-mail messages, implement the Sender Policy
Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in
mail servers.
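PR.PT-4.7 asks for two things: SPF records published in DNS and receiver-side verification. The following is an added example, not part of this standard or of any mail server's code, showing how the receiver side evaluates a published record against the connecting client's address. The record, the address ranges and the `receiver_action` policy mapping are constructed for illustration; only the ip4, ip6 and all mechanisms are evaluated offline, and mechanisms that need DNS lookups are reported as permerror rather than guessed.

```python
import ipaddress

# Outcome for each SPF qualifier prefix (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed example records; the addresses are documentation ranges
# (192.0.2.0/24, 2001:db8::/32), not real mail infrastructure.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
EXAMPLE_SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"


def parse_spf(record):
    """Return the record's terms as (qualifier, mechanism, argument) tuples,
    or None when the TXT record is not an SPF record at all."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:
            # Modifiers (redirect=, exp=) are not evaluated by this checker.
            continue
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_spf(record, sender_ip):
    """Evaluate the record for the connecting SMTP client address.

    Only ip4, ip6 and all are evaluated because they need no DNS traffic.
    Mechanisms that require lookups (include, a, mx, exists, ptr) yield
    "permerror" here so an unevaluated record is never mistaken for a pass.
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in terms:
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"
    # RFC 7208 section 4.7: nothing matched and no "all" term was present.
    return "neutral"


def receiver_action(result):
    """Map an SPF result to what the receiving server does with the message.
    This mapping is an assumption for the example, not part of the standard."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "accept"
```

The deliberate choice here is that anything the checker cannot evaluate comes back as permerror instead of neutral; a verifier that silently skips include or mx terms would accept spoofed mail from a domain whose record relies on them.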
PR.PT-4.8 Manage network devices using two-factor authentication and encrypted sessions.
PR.PT-4.9 Install the latest stable version of any security-related updates on all network devices.
PR.PT-4.10 Manage the network infrastructure across network connections that are separated
from the business use of that network, relying on separate VLANs or, preferably, on entirely
different physical connectivity for management sessions for network devices.
PR.PT-4.11 On DMZ networks, configure monitoring systems (which may be built into the IDS
sensors or deployed as a separate technology) to record at least packet header information, and
preferably full packet headers and payloads of the traffic destined for or passing through the
network border. This traffic should be sent to a properly configured Security Information Event
Management (SIEM) or log analytics system so that events can be correlated from all devices on
the network.
PR.PT-4.12 Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous
activity.
PR.PT-4.13 Segment the network based on the label or classification level of the information
stored on the servers. Locate all sensitive information on separated VLANs with firewall filtering
to ensure that only authorized individuals are able to communicate with systems necessary to
fulfill their specific responsibilities.
PR.PT-4.14 All network switches will enable Private Virtual Local Area Networks (VLANs) for
segmented workstation networks to limit the ability of devices on a network to directly
communicate with other devices on the subnet and limit an attacker's ability to laterally move to
compromise neighboring systems.
PR.PT-4.15 Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices
and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic
should be monitored by WIDS as traffic passes into the wired network.
PR.PT-4.16 Ensure that all wireless traffic leverages at least Advanced Encryption Standard
(AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.
PR.PT-4.17 Ensure that wireless networks use authentication protocols such as Extensible
Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential
protection and mutual authentication.
PR.PT-4.18 Create separate virtual local area networks (VLANs) for BYOD systems or other
untrusted devices. Internet access from this VLAN should go through at least the same border as
corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered
and audited accordingly.
PR.PT-4: Communications and control networks are protected
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9,
SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
· ISA 62443-3-3:2013 SR 6.1
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
· COBIT 5 APO12.06
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.2.3.10
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
· CCS CSC 14, 16 14, 16
· COBIT 5 DSS05.07
· ISA 62443-3-3:2013 SR 6.2
DE.AE-1.1 Establish and manage a baseline of network operations and expected data flows for
users and systems.
DE.AE-2.1 Detect and analyze anomalous events to determine attack targets and methods.
DE.AE-2.2 Monitor unauthorized wireless access points when connected to the agency internal
network, and immediately remove them upon detection.
DE.AE-2.3 Implement procedures to establish accountability for accessing and modifying exempt,
or confidential and exempt data stores to ensure inappropriate access or modification is
detectable.
DE.AE-3.1 Aggregate and correlate event data from multiple sources and sensors.
DE.AE-4.1 Determine the impact of events.
DE.AE-5.1 Establish incident alert thresholds.
DE.CM-1.1 Monitor for unauthorized IT resource connections to the internal agency network.
DE.CM-1.2 Employ automated tools to continuously monitor workstations, servers, and mobile
devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All
malware detection events should be sent to enterprise anti-malware administration tools and
event log servers.
DE.CM-1.3 Use network-based anti-malware tools to identify executables in all network traffic
and use techniques other than signature-based detection to identify and filter out malicious
content before it arrives at the endpoint.
DE.CM-1.4 Deploy network-based IDS sensors on Internet and extranet DMZ systems and
networks that look for unusual attack mechanisms and detect compromise of these systems. These
network-based IDS sensors may detect attacks through the use of signatures, network behavior
analysis, or other mechanisms to analyze traffic.
DE.CM-1.5 Network-based IPS devices should be deployed to complement IDS by blocking known
bad signatures or the behavior of potential attacks. As attacks become automated, methods such
as IDS typically delay the amount of time it takes for someone to react to an attack. A properly
configured network-based IPS can provide automation to block bad traffic. When evaluating
network-based IPS products, include those using techniques other than signature-based detection
(such as virtual machine or sandbox-based approaches) for consideration.
DE.CM-1.6 Periodically scan for back-channel connections to the Internet that bypass the DMZ,
including unauthorized VPN connections and dual-homed hosts connected to the enterprise
network and to other networks via wireless, dial-up modems, or other mechanisms.
DE.CM-1.7 Conduct periodic scans of server machines using automated tools to determine
whether sensitive data (e.g., personally identifiable information, health, credit card, or classified
information) is present on the system in clear text. These tools, which search for patterns that
indicate the presence of sensitive information, can help identify if a business or technical process
is leaving behind or otherwise leaking sensitive information.
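DE.CM-1.7 describes pattern-based scanning of servers for sensitive data left in clear text. The following is an added example written for this page (not a tool from the standard or from any vendor) of the kind of check such a scanner performs: it finds payment card numbers and US Social Security numbers in text, uses the Luhn check to discard digit runs that merely look like cards, masks every finding before reporting it, and walks a directory tree. The sample document, the patterns and the size limit are assumptions constructed for the example; a production scanner adds more patterns and card-brand prefixes.

```python
import os
import re

# Digit runs of 13 to 19 digits, optionally separated by spaces or dashes,
# that are not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number layout; no checksum exists for these.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed sample document. 4111 1111 1111 1111 is a widely used test
# card number that passes the Luhn check; the 16-digit serial does not.
SAMPLE_TEXT = """order 1042 paid with card 4111 1111 1111 1111 on 2015-03-02
employee ssn 123-45-6789 kept on file
device serial 1234567890123456 is not a card
support line 555-0100
"""


def luhn_valid(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(digits):
    """Keep only the first six and last four digits so findings can be
    logged without creating a new copy of the sensitive value."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text):
    """Return (kind, masked_value) findings for clear-text sensitive data."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", mask_card(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def scan_tree(root, max_bytes=5_000_000):
    """Walk a directory tree and report findings per file path."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings = scan_text(fh.read())
            except OSError:
                continue  # unreadable file; a real scanner would log this
            if findings:
                report[path] = findings
    return report
```

The Luhn filter matters in practice: serial numbers, order identifiers and timestamps produce long digit runs on most servers, and without the checksum the scan output is dominated by false positives that analysts stop reading.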
DE.CM-1.8 Use network-based DLP solutions to monitor and control the flow of data within the
network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate
action taken to address them.
DE.CM-1.9 Include tests for the presence of unprotected system information and artifacts that
would be useful to attackers, including network diagrams, configuration files, older penetration
test reports, e-mails or documents containing passwords or other information critical to system
operation.
DE.AE-1: A baseline of network operations and expected data flows
for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets
and methods
DE.AE-3: Event data are aggregated and correlated from multiple
sources and sensors
Anomalies and Events
(DE.AE): Anomalous
activity is detected in a
timely manner and the
potential impact of events is
understood.
DE.AE-5: Incident alert thresholds are established
DE.AE-4: Impact of events is determined
Security Continuous
Monitoring (DE.CM): The
information system and
assets are monitored at
discrete intervals to identify
cybersecurity events and
verify the effectiveness of
protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity
events
DETECT
(DE)
· NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
· ISA 62443-2-1:2009 4.3.3.3.8
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
· ISA 62443-3-3:2013 SR 6.2
· ISO/IEC 27001:2013 A.12.4.1
· NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
· CCS CSC 5 5
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.3.4.3.8
· ISA 62443-3-3:2013 SR 3.2
· ISO/IEC 27001:2013 A.12.2.1
· NIST SP 800-53 Rev. 4 SI-3
· ISA 62443-3-3:2013 SR 2.4
· ISO/IEC 27001:2013 A.12.5.1
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
· COBIT 5 APO07.06
· ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
DE.CM-3.1 Monitor user activity to detect potential cybersecurity events.
DE.CM-3.2 Profile each user’s typical account usage by determining normal time-of-day access
and access duration. Reports should be generated that indicate users who have logged in during
unusual hours or have exceeded their normal login duration. This includes flagging the use of the
user’s credentials from a computer other than computers on which the user generally works.
DE.CM-3.3 Any user or system accounts used to perform penetration testing should be controlled
and monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
DE.CM-4.1 Scan and block all e-mail attachments entering the organization's e-mail gateway if
they contain malicious code or file types that are unnecessary for the organization's business. This
scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail
content filtering and web content filtering.
DE.CM-4.2 Employ anti-malware software that offers a centralized infrastructure that compiles
information on file reputations or have administrators manually push updates to all machines.
After applying an update, automated systems should verify that each system has received its
signature update.
DE.CM-4.3 Enable domain name system (DNS) query logging to detect hostname lookup for
known malicious C2 domains.
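DE.CM-4.3 calls for DNS query logging so lookups of known command-and-control domains can be detected. As an added example (not from the standard or any resolver's documentation), the block below parses BIND-style query log lines and matches each queried name against a blocklist at label boundaries, so that a listed domain also catches its subdomains while a name that merely contains the listed string as a suffix of a longer label is not flagged. The log format, the blocklist entries (which use the reserved .example and .invalid names) and the sample lines are all constructed for the example.

```python
import re
from collections import Counter

# BIND-style query log layout (assumed here; adjust for your resolver).
LOG_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed blocklist. In a real deployment this is loaded from a
# threat-intelligence feed and refreshed regularly.
C2_DOMAINS = {"bad-c2.example", "beacon.invalid"}

# Constructed query log lines.
SAMPLE_LOG = [
    "02-Mar-2015 10:15:02.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)",
    "02-Mar-2015 10:15:07.009 client 10.0.0.7#40001: query: cdn.bad-c2.example. IN A + (10.0.0.1)",
    "02-Mar-2015 10:15:09.551 client 10.0.0.7#40002: query: BEACON.INVALID IN TXT + (10.0.0.1)",
    "02-Mar-2015 10:16:00.004 client 10.0.0.9#1111: query: notbad-c2.example IN A + (10.0.0.1)",
    "02-Mar-2015 10:16:01.000 resolver restarted",
]


def normalize(name):
    """Lowercase and drop the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def matching_domain(qname, blocklist):
    """Return the blocklist entry that equals qname or is a parent of it.

    Matching walks label boundaries, so notbad-c2.example does not match
    bad-c2.example the way a naive substring test would.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_c2_lookups(lines, blocklist=C2_DOMAINS):
    """Return (client, queried name, matched entry) for each suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a query line
        matched = matching_domain(m.group("qname"), blocklist)
        if matched is not None:
            hits.append((m.group("client"), normalize(m.group("qname")), matched))
    return hits


def clients_to_triage(hits):
    """Count suspicious lookups per client so the noisiest hosts come first."""
    return Counter(client for client, _, _ in hits).most_common()
```

Query logging only helps if the resolver records the client address, which is why the parser keys its output on the client rather than the name: the host that asked is what the incident handler needs to isolate.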
DE.CM-4.4 Protect web applications by deploying web application firewalls (WAFs) that inspect
all traffic flowing to the web application for common web application attacks, including but not
limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks.
For applications that are not web-based, specific application firewalls should be deployed if such
tools are available for the given application type. If the traffic is encrypted, the device should
either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither
option is appropriate, a host-based web application firewall should be deployed.
DE.CM-5.1 Monitor for unauthorized mobile code.
DE.CM-6.1 Monitor external service provider activity to detect potential cybersecurity events.
DE.CM-2.1 Monitor the physical environment to detect potential cybersecurity events.
DE.CM-2: The physical environment is monitored to detect potential
cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential
cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect
potential cybersecurity events
DETECT
(DE)
DE.CM-7: Monitoring for unauthorized personnel, connections,
devices, and software is performed
DE.CM-7.1 Monitor for unauthorized personnel, connections, devices, and software.
DE.CM-7.2 Log all URL requests from each of the organization's systems, whether onsite or a
mobile device, in order to identify potentially malicious activity and assist incident handlers with
identifying potentially compromised systems.
DE.CM-7.3 Limit use of external devices to those with an approved, documented business need.
Monitor for use and attempted use of external devices. Configure laptops, workstations, and
servers so that they will not auto-run content from removable media, like USB tokens (i.e.,
“thumb drives”), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced
technology attachment devices, and mounted network shares. Configure systems so that they
automatically conduct an anti-malware scan of removable media when inserted.
DE.CM-7.4 Regularly monitor the use of all accounts, automatically logging off users after a
standard period of inactivity.
DE.CM-7.5 Monitor account usage to determine dormant accounts, notifying the user or user’s
manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor
maintenance accounts needed for system recovery or continuity operations). Require that
managers match active employees and contractors with each account belonging to their managed
staff. Security or system administrators should then disable accounts that are not assigned to valid
workforce members.
DE.CM-7.6 Monitor attempts to access deactivated accounts through audit logging.
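DE.CM-7.4 through DE.CM-7.6 describe one review that can be driven from authentication logs and the account register: find active accounts with no recent successful login (honouring documented exceptions), and surface any attempt to authenticate to an account that has been disabled. The following is an added example for this page, not the framework's own tooling; the sshd-style log lines, the account register and the reference date are constructed, and only the parsing regex would change for a directory or VPN log source.

```python
"""
Account-usage monitoring over authentication log lines (DE.CM-7.4 to DE.CM-7.6).
Added example; the log lines, account register and reference date are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sshd-style events. A real source would be the auth log, the
# directory's logon events or VPN logs; only LINE_RX would need to change.
SAMPLE_AUTH_LOG = """\
2016-01-05T17:40:00 host2 sshd[1201]: Accepted password for carol from 10.1.2.9 port 50122
2016-03-01T08:02:11 host1 sshd[2210]: Accepted password for alice from 10.1.2.3 port 51010
2016-03-20T09:15:42 host1 sshd[2388]: Accepted publickey for bob from 10.1.2.4 port 52110
2016-03-21T22:13:05 host2 sshd[2501]: Failed password for dave from 203.0.113.7 port 40021
2016-03-22T03:00:10 host1 sshd[2590]: Failed password for dave from 203.0.113.7 port 40022
2016-03-22T03:00:12 host1 sshd[2590]: Failed password for alice from 203.0.113.7 port 40023
"""

# Constructed account register. Disabled accounts are retained rather than
# deleted so that audit trails survive (compare DE.DP-1.3).
ACCOUNTS = {
    "alice": "active",
    "bob": "active",
    "carol": "active",
    "erin": "active",        # provisioned but never used
    "vendor_svc": "active",  # documented exception: vendor maintenance account
    "dave": "disabled",      # terminated contractor
}
DOCUMENTED_EXCEPTIONS = {"vendor_svc"}
AS_OF = datetime(2016, 3, 22)  # constructed reference date for the review

LINE_RX = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text):
    """Return (timestamp, user, success, source) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["user"], m["result"] == "Accepted", m["src"]))
    return events


def last_successful_login(events):
    """Most recent successful authentication per user."""
    latest = {}
    for ts, user, ok, _ in events:
        if ok and (user not in latest or ts > latest[user]):
            latest[user] = ts
    return latest


def find_dormant(events, accounts, as_of, max_idle_days=30, exceptions=frozenset()):
    """Active accounts with no successful login within max_idle_days (or ever),
    excluding documented exceptions. Returns (user, last_login_or_None) sorted by user."""
    latest = last_successful_login(events)
    cutoff = as_of - timedelta(days=max_idle_days)
    dormant = []
    for user, status in accounts.items():
        if status != "active" or user in exceptions:
            continue
        last = latest.get(user)
        if last is None or last < cutoff:
            dormant.append((user, last))
    return sorted(dormant, key=lambda item: item[0])


def deactivated_access_attempts(events, accounts):
    """Every authentication attempt, successful or not, against a disabled account."""
    return [(ts, user, src) for ts, user, ok, src in events if accounts.get(user) == "disabled"]


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, last in find_dormant(events, ACCOUNTS, AS_OF, exceptions=DOCUMENTED_EXCEPTIONS):
        print(f"dormant: {user} (last login {last or 'never'})")
    for ts, user, src in deactivated_access_attempts(events, ACCOUNTS):
        print(f"attempt on disabled account {user} from {src} at {ts}")
```

With the constructed data the dormant report names carol (last login in January) and erin (never used), vendor_svc is suppressed as a documented exception, and both attempts against dave's disabled account are listed for the incident handlers.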
Informative references (DE.CM-7):
· NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

DE.CM-8: Vulnerability scans are performed
DE.CM-8.1 Perform vulnerability scans. These shall be a part of the SDLC.
DE.CM-8.2 Deploy an automated tool on network perimeters that monitors for sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.
DE.CM-8.3 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.
DE.CM-8.4 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Informative references:
· COBIT 5 BAI03.10
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-5
SANS Critical Security Control Number: 20

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-1.1 Define roles and responsibilities for detection to ensure accountability.
DE.DP-1.3 Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails.
Informative references:
· CCS CSC 5
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.4.3.1
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14
SANS Critical Security Control Number: 5

DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-2.1 Ensure that detection activities comply with all applicable requirements.
DE.DP-2.2 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Informative references:
· ISA 62443-2-1:2009 4.4.3.2
· ISO/IEC 27001:2013 A.18.1.4
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4

DE.DP-3: Detection processes are tested
DE.DP-3.1 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
DE.DP-3.2 Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets.
DE.DP-3.3 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Informative references:
· COBIT 5 APO13.02
· ISA 62443-2-1:2009 4.4.3.2
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.14.2.8
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4
SANS Critical Security Control Number: 20

DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-4.1 Communicate event detection information to stakeholders that should or must receive this information.
Informative references:
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.9
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.16.1.2
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4

DE.DP-5: Detection processes are continuously improved
DE.DP-5.1 Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.
Informative references:
· COBIT 5 APO11.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event
RS.RP-1.1 Each agency shall execute a response plan during or after an event.
RS.RP-1.2 Agencies shall establish a Computer Security Incident Response Team (CSIRT) to respond to suspected computer security incidents. CSIRT members shall convene immediately, upon notice of suspected computer security incidents.
RS.RP-1.3 CSIRT members convene at least quarterly to review, at a minimum, established processes and escalation protocols.
RS.RP-1.4 CSIRT members receive training at least annually on cybersecurity threats, trends, and evolving practices. Training shall be coordinated as a part of the information security program.
RS.RP-1.5 CSIRT membership shall include, at a minimum, a member from the information security team, the CIO (or designee), and a member from the Inspector General’s Office. For agencies that are HIPAA-covered entities as defined by 45 CFR 164.103, CSIRT membership shall also include the agency’s designated HIPAA privacy official or their designee. The CSIRT team shall report findings to agency management.
RS.RP-1.6 The CSIRT shall determine the appropriate response required for each suspected computer security incident.
RS.RP-1.7 The agency security incident reporting process must include notification procedures, established pursuant to section 501.171, F.S., section 282.318, F.S., and as specified in executed agreements with external parties. For reporting incidents to AST and the Cybercrime Office (as established within the Florida Department of Law Enforcement via section 943.0415, F.S.), use the timeframes in the "TIMEFRAMES FOR REPORTING INCIDENTS TO AST AND THE CYBERCRIME OFFICE" table in the INSTRUCTIONS worksheet.
RS.RP-1.8 Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
RS.RP-1.9 Assign job titles and duties for handling computer and network incidents to specific individuals.
RS.RP-1.10 Define management personnel who will support the incident handling process by acting in key decision-making roles.
RS.RP-1.11 Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents.
Informative references:
· COBIT 5 BAI01.10
· CCS CSC 18
· ISA 62443-2-1:2009 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
SANS Critical Security Control Number: 18

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-1.1 Inform workers of their roles and order of operations when a response is needed.
RS.CO-1.2 Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
· ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8

RS.CO-2: Events are reported consistent with established criteria
RS.CO-2.1 Require that events be reported consistent with established criteria and in accordance with agency incident reporting procedures. Criteria shall require immediate reporting, including instances of lost identification and authentication resources.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.5
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8

RS.CO-3: Information is shared consistent with response plans
RS.CO-3.1 Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.2
· ISO/IEC 27001:2013 A.16.1.2
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-4.1 Coordinate with stakeholders, consistent with response.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.5
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
RS.CO-5.1 Establish communications with external stakeholders to share and receive information to achieve broader cybersecurity situational awareness. Where technology permits, enable automated security alerts. Establish processes to receive, assess, and act upon security advisories.
RS.CO-5.2 Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an e-mail address of [email protected] or have a web page http://organization.com/security).
Informative references:
· NIST SP 800-53 Rev. 4 PM-15, SI-5

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
RS.AN-1.1 Each agency shall establish notification thresholds and investigate notifications from detection systems.
Informative references:
· COBIT 5 DSS02.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4

RS.AN-2: The impact of the incident is understood
RS.AN-2.1 Each agency shall assess and identify the impact of the incident.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4

RS.AN-3: Forensics are performed
RS.AN-3.1 Each agency shall perform forensics, where deemed appropriate.
Informative references:
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
· ISO/IEC 27001:2013 A.16.1.7
· NIST SP 800-53 Rev. 4 AU-7, IR-4

RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-4.1 Each agency shall categorize incidents, consistent with response plans. Each incident report and analysis, including findings and corrective actions, shall be documented.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.6
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
RS.MI-1.1 The objective of incident mitigation activities shall be to contain and prevent recurrence of incidents.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.6
· ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4

RS.MI-2: Incidents are mitigated
RS.MI-2.1 The objective of incident mitigation activities shall be to mitigate incident effects and eradicate the incident.
Informative references:
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
RS.MI-3.1 The objective of incident mitigation activities shall be to address vulnerabilities or document them as acceptable risks.
Informative references:
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
RS.IM-1.1 Each agency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans.
Informative references:
· COBIT 5 BAI01.13
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.IM-2: Response strategies are updated
RS.IM-2.1 Agencies shall update response strategies in accordance with agency-established policy.
Informative references:
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event
RC.RP-1.1 Execute a recovery plan during or after an event.
RC.RP-1.2 Mirror data and software, essential to the continued operation of critical agency functions, to an off-site location or regularly back up a current copy and store at an off-site location.
RC.RP-1.3 Develop procedures to prevent loss of data, and ensure that agency data, including unique copies, are backed up.
RC.RP-1.4 Document disaster recovery plans that address protection of critical IT resources and provide for the continuation of critical agency functions in the event of a disaster. Plans shall address shared resource systems, which require special consideration, when interdependencies may affect continuity of critical agency functions.
RC.RP-1.5 IT disaster recovery plans shall be tested at least annually; results of the annual exercise shall document plan procedures that were successful and specify any modifications required to improve the plan.
Informative references:
· CCS CSC 8
· COBIT 5 DSS02.05, DSS03.04
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
SANS Critical Security Control Number: 8

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-1.1 Incorporate lessons learned in recovery plans.
Informative references:
· COBIT 5 BAI05.07
· ISA 62443-2-1:2009 4.4.3.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RC.IM-2: Recovery strategies are updated
RC.IM-2.1 Update recovery strategies.
Informative references:
· COBIT 5 BAI07.08
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RC.CO-1: Public relations are managed
RC.CO-1.1 Manage public relations.
Informative references:
· COBIT 5 EDM03.02

RC.CO-2: Reputation after an event is repaired
RC.CO-2.1 Attempt to repair reputation after an event, if applicable.
Informative references:
· COBIT 5 MEA03.02

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
RC.CO-3.1 Communicate recovery activities to stakeholders, internal and external where appropriate.
Informative references:
· NIST SP 800-53 Rev. 4 CP-2, IR-4

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet