Security Analytics
Procedures and systems are in place to collect, manage, analyze, and log events.
- The network is monitored to detect potential cybersecurity events. All servers and network devices retrieve time from synchronized time sources on a regular basis so that event timestamps are consistent across log sources.
- Ensure that appropriate logs are aggregated to a central log management system for analysis and review.
  - DE.AE-03
  - CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16
  - ISO/IEC 27001:2013 A.12.4.1, A.16.1.7
  - NIST SP 800-53 Rev. 4 AU-6 (page 203) | Rev. 5 AU-6 (page 70)
  - NIST SP 800-53 Rev. 4 CA-7 (page 218) | Rev. 5 CA-7 (page 90)
  - NIST SP 800-53 Rev. 4 IR-4 (page 263) | Rev. 5 IR-4 (page 152)
  - NIST SP 800-53 Rev. 4 IR-5 (page 265) | Rev. 5 IR-5 (page 156)
  - NIST SP 800-53 Rev. 4 IR-8 (page 267) | Rev. 5 IR-8 (page 158)
  - NIST SP 800-53 Rev. 4 SI-4 (page 377) | Rev. 5 SI-4 (page 336)
- On a regular basis, review logs to identify anomalies or abnormal events.
  - DE.AE-02
  - DE.AE-04
  - CIS CSC 4, 6
  - ISO/IEC 27001:2013 A.16.1.4
  - NIST SP 800-53 Rev. 4 CP-2 (page 236) | Rev. 5 CP-2 (page 116)
  - NIST SP 800-53 Rev. 4 IR-4 (page 263) | Rev. 5 IR-4 (page 152)
  - NIST SP 800-53 Rev. 4 RA-3 (page 310) | Rev. 5 RA-3 (page 240)
  - NIST SP 800-53 Rev. 4 SI-4 (page 377) | Rev. 5 SI-4 (page 336)
- Incident alert thresholds are established.
  - DE.AE-08
  - CIS CSC 6, 19
  - ISO/IEC 27001:2013 A.16.1.4
  - NIST SP 800-53 Rev. 4 IR-4 (page 263) | Rev. 5 IR-4 (page 152)
  - NIST SP 800-53 Rev. 4 IR-5 (page 265) | Rev. 5 IR-5 (page 156)
  - NIST SP 800-53 Rev. 4 IR-8 (page 267) | Rev. 5 IR-8 (page 158)
Business Continuity Plan
The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information informs the Business Continuity Plan.
- Identify key business areas and establish priorities for critical services.
  - GV.OC-01
  - NIST SP 800-53 Rev. 4 PM-11 (page 398) | Rev. 5 PM-11 (page 208)
  - NIST SP 800-53 Rev. 4 SA-14 (page 331) | Rev. 5 RA-9 (page 247)
- Define dependencies and critical functions for delivery of critical services.
  - GV.OC-04
  - GV.OC-05
  - ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
  - NIST SP 800-53 Rev. 4 CP-8 (page 243) | Rev. 5 CP-8 (page 124)
  - NIST SP 800-53 Rev. 4 PE-9 (page 291) | Rev. 5 PE-9 (page 186)
  - NIST SP 800-53 Rev. 4 PE-11 (page 292) | Rev. 5 PE-11 (page 187)
  - NIST SP 800-53 Rev. 4 PM-8 (page 397) | Rev. 5 PM-8 (page 207)
  - NIST SP 800-53 Rev. 4 SA-14 (page 331) | Rev. 5 RA-9 (page 247)
- Determine acceptable downtime and resilience requirements for each critical function.
  - GV.OC-04
  - ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
  - NIST SP 800-53 Rev. 4 CP-2 (page 236) | Rev. 5 CP-2 (page 129)
  - NIST SP 800-53 Rev. 4 CP-11 (page 246) | Rev. 5 CP-11 (page 116)
  - NIST SP 800-53 Rev. 4 SA-13 (page 331) | Rev. 5 SA-8 (page 257)
  - NIST SP 800-53 Rev. 4 SA-14 (page 331) | Rev. 5 RA-9 (page 247)
- Develop and periodically review a Business Continuity Plan.
  - GV.OC – Organizational Context
  - NIST SP 800-53 Rev. 4 CP (page 331) | Rev. 5 CP (page 115)
- cyberconIQ benefit is deeply embedded and reinforced
Cybersecurity Policy Frameworks
A cybersecurity policy framework for managing and monitoring the organization is understood and informs the management of cybersecurity risk.
- Perform a gap analysis of each applicable regulatory requirement and driver to determine where policy is needed.
  - GV.OC-03
  - CIS CSC 19
  - ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5
  - NIST SP 800-53 Rev. 4/5: the -1 (policy and procedures) controls of every security control family
- Establish cybersecurity roles and responsibilities.
  - GV.RR-02
  - CIS CSC 19
  - ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1
  - NIST SP 800-53 Rev. 4 PS-7 (page 307) | Rev. 5 PS-7 (page 227)
  - NIST SP 800-53 Rev. 4 PM-1 (page 394) | Rev. 5 PM-1 (page 203)
  - NIST SP 800-53 Rev. 4 PM-2 (page 395) | Rev. 5 PM-2 (page 204)
- Create and communicate an organizational cybersecurity policy.
  - GV.PO – Policies, Processes, and Procedures
  - CIS CSC 19
  - ISO/IEC 27001:2013 A.5.1.1
  - NIST SP 800-53 Rev. 4/5: the -1 (policy and procedures) controls of every security control family
- Define a cybersecurity policy development lifecycle.
- cyberconIQ benefit is deeply embedded and reinforced
Cyber Hygiene Practices
Procedures and systems that organizations employ to keep their systems healthy and secure, such as anti-malware, backups, patching, monitoring, secure configurations, and least privilege.
- Use centrally managed anti-malware software whose clients are updated automatically.
  - DE.CM-01
  - DE.CM-09
  - CIS CSC 4, 7, 8, 12
  - ISO/IEC 27001:2013 A.12.2.1
  - NIST SP 800-53 Rev. 4 SI-3 (page 375) | Rev. 5 SI-3 (page 334)
  - NIST SP 800-53 Rev. 4 SI-8 (page 386) | Rev. 5 SI-8 (page 348)
- Implement boundary defenses that detect and prevent the flow of information between networks of different security levels.
  - ID.AM-03
  - ID.AM-04
  - PR.AA-03
  - PR.AA-05
  - PR.IR-01
  - CIS CSC 12
  - ISO/IEC 27001:2013 A.13.2.1, A.13.2.2, A.11.2.6
  - NIST SP 800-53 Rev. 4 AC-4 (page 172) | Rev. 5 AC-4 (page 28)
  - NIST SP 800-53 Rev. 4 CA-3 (page 216) | Rev. 5 CA-3 (page 86)
  - NIST SP 800-53 Rev. 4 CA-9 (page 221) | Rev. 5 CA-9 (page 94)
  - NIST SP 800-53 Rev. 4 PL-8 (page 300) | Rev. 5 PL-8 (page 198)
  - NIST SP 800-53 Rev. 4 SA-9 (page 320) | Rev. 5 SA-9 (page 271)
- Establish secure configurations for hardware, software, and network devices that enforce the principle of least privilege.
  - PR.PS-01
  - PR.AA-05
  - CIS CSC 3, 5, 9, 11
  - ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  - NIST SP 800-53 Rev. 4 CM-2 (page 222) | Rev. 5 CM-2 (page 97)
  - NIST SP 800-53 Rev. 4 CM-6 (page 228) | Rev. 5 CM-6 (page 103)
  - NIST SP 800-53 Rev. 4 CM-7 (page 229) | Rev. 5 CM-7 (page 104)
  - NIST SP 800-53 Rev. 4 CM-9 (page 233) | Rev. 5 CM-9 (page 110)
  - NIST SP 800-53 Rev. 4 SA-10 (page 322) | Rev. 5 SA-10 (page 273)
- Deploy an automated operating system patch management tool.
Data Loss Prevention Practices
Information and data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Maintain an inventory of sensitive information.
  - ID.AM-05
  - CIS CSC 13, 14
  - ISO/IEC 27001:2013 A.8.2.1
  - NIST SP 800-53 Rev. 4 CP-2 (page 237) | Rev. 5 CP-2 (page 116)
  - NIST SP 800-53 Rev. 4 RA-2 (page 309) | Rev. 5 RA-2 (page 239)
  - NIST SP 800-53 Rev. 4 SA-14 (page 332) | Rev. 5 RA-9 (page 247)
  - NIST SP 800-53 Rev. 4 SC-6 (page 346) | Rev. 5 SC-6 (page 297)
- Protect information through access control lists, and manage access permissions and authorizations in line with the principles of least privilege and separation of duties.
  - PR.AA-05
  - CIS CSC 3, 5, 12, 14, 15, 16, 18
  - ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
  - NIST SP 800-53 Rev. 4 AC-1 (page 165) | Rev. 5 AC-1 (page 18)
  - NIST SP 800-53 Rev. 4 AC-2 (page 165) | Rev. 5 AC-2 (page 19)
  - NIST SP 800-53 Rev. 4 AC-3 (page 169) | Rev. 5 AC-3 (page 23)
  - NIST SP 800-53 Rev. 4 AC-5 (page 176) | Rev. 5 AC-5 (page 36)
  - NIST SP 800-53 Rev. 4 AC-6 (page 176) | Rev. 5 AC-6 (page 36)
  - NIST SP 800-53 Rev. 4 AC-16 (page 183) | Rev. 5 AC-16 (page 44)
  - NIST SP 800-53 Rev. 4 AC-24 (page 193) | Rev. 5 AC-24 (page 57)
- Segment the network based on data sensitivity.
- Implement protections against data leaks and enforce detailed logging of access to, or changes of, sensitive data.
  - PR.DS-01
  - PR.DS-02
  - PR.DS-10
  - CIS CSC 13, 14
  - ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3
  - NIST SP 800-53 Rev. 4 AC-4 (page 172) | Rev. 5 AC-4 (page 28)
  - NIST SP 800-53 Rev. 4 AC-5 (page 176) | Rev. 5 AC-5 (page 36)
  - NIST SP 800-53 Rev. 4 AC-6 (page 176) | Rev. 5 AC-6 (page 36)
  - NIST SP 800-53 Rev. 4 PE-19 (page 296) | Rev. 5 PE-19 (page 191)
  - NIST SP 800-53 Rev. 4 SC-7 (page 347) | Rev. 5 SC-7 (page 297)
  - NIST SP 800-53 Rev. 4 SC-8 (page 351) | Rev. 5 SC-8 (page 304)
  - NIST SP 800-53 Rev. 4 SC-13 (page 354) | Rev. 5 SC-13 (page 308)
  - NIST SP 800-53 Rev. 4 SI-4 (page 377) | Rev. 5 SI-4 (page 336)
- cyberconIQ benefit is deeply embedded and reinforced
Data Encryption Practices
The processes and tools used to mitigate the effects of exfiltrated data and ensure the privacy of sensitive information.
- Encrypt or hash all authentication credentials.
  - PR.AA-01
  - PR.AA-05
  - CIS CSC 16
  - ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
  - NIST SP 800-53 Rev. 4/5 Identification and Authentication family of controls (page 248)
- Protect sensitive data at rest with encryption.
  - PR.DS-01
  - CIS CSC 13, 14
  - ISO/IEC 27001:2013 A.8.2.3
  - NIST SP 800-53 Rev. 4 SC-12 (page 353) | Rev. 5 SC-12 (page 307)
  - NIST SP 800-53 Rev. 4 SC-28 (page 361) | Rev. 5 SC-28 (page 316)
- Protect sensitive data in transit with encryption.
- Destroy sensitive data according to policy.
Vulnerability/Penetration Testing
Test the overall strength of an organization’s defense (the technology, the processes, and the people).
- Perform automated vulnerability scans.
- Establish incident alert thresholds.
  - DE.AE-08
  - CIS CSC 6, 19
  - ISO/IEC 27001:2013 A.16.1.4
  - NIST SP 800-53 Rev. 4 IR-4 (page 262) | Rev. 5 IR-4 (page 152)
  - NIST SP 800-53 Rev. 4 IR-5 (page 265) | Rev. 5 IR-5 (page 156)
  - NIST SP 800-53 Rev. 4 IR-8 (page 265) | Rev. 5 IR-8 (page 158)
- Use a risk-rating process to assess vulnerabilities while continuously comparing consecutive scans.
  - ID.RA-06
  - ID.RA-05
  - ID.RA-01
  - PR.PS-02
  - CIS CSC 3, 4, 18, 20
  - ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
  - NIST SP 800-53 Rev. 4 RA-3 (page 310) | Rev. 5 RA-3 (page 240)
  - NIST SP 800-53 Rev. 4 RA-5 (page 347) | Rev. 5 RA-5 (page 242)
  - NIST SP 800-53 Rev. 4 SI-2 (page 373) | Rev. 5 SI-2 (page 333)
- Establish a penetration testing program whose scope covers blended attacks, such as wireless, client-based, and web application attacks.
Incident Response Plan
Response processes and procedures are executed and maintained to ensure a response to detected cybersecurity incidents.
- Document an incident response policy with assigned job titles and duties.
  - ID.IM-04
  - GV.RR-02
  - PR.AT-01
  - CIS CSC 19
  - ISO/IEC 27001:2013 A.16.1.5
  - NIST SP 800-53 Rev. 4 CP-2 (page 236) | Rev. 5 CP-2 (page 116)
  - NIST SP 800-53 Rev. 4 CP-10 (page 245) | Rev. 5 CP-10 (page 128)
  - NIST SP 800-53 Rev. 4 IR-4 (page 263) | Rev. 5 IR-4 (page 152)
  - NIST SP 800-53 Rev. 4 IR-8 (page 267) | Rev. 5 IR-8 (page 158)
- Designate management personnel to support incident handling.
  - ID.IM-04
  - GV.RR-02
  - CIS CSC 19
  - ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3
  - NIST SP 800-53 Rev. 4 CP-2 (page 236) | Rev. 5 CP-2 (page 116)
  - NIST SP 800-53 Rev. 4 IR-7 (page 266) | Rev. 5 IR-7 (page 158)
  - NIST SP 800-53 Rev. 4 IR-8 (page 266) | Rev. 5 IR-8 (page 158)
- Devise an organization-wide standard for reporting an incident.
  - RS.CO-02
  - CIS CSC 19
  - ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
  - NIST SP 800-53 Rev. 4 AU-6 (page 203) | Rev. 5 AU-6 (page 70)
  - NIST SP 800-53 Rev. 4 IR-6 (page 265) | Rev. 5 IR-6 (page 157)
  - NIST SP 800-53 Rev. 4 IR-8 (page 266) | Rev. 5 IR-8 (page 158)
- Conduct periodic incident scenario exercises.
  - ID.IM-02
  - CIS CSC 19
  - ISO/IEC 27001:2013 A.17.1.3
  - NIST SP 800-53 Rev. 4 CP-4 (page 239) | Rev. 5 CP-4 (page 119)
  - NIST SP 800-53 Rev. 4 IR-3 (page 262) | Rev. 5 IR-3 (page 151)
  - NIST SP 800-53 Rev. 4 PM-14 (page 399) | Rev. 5 PM-14 (page 210)
- cyberconIQ benefit is deeply embedded and reinforced