Security Logical and Physical Access Controls
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
- Identifies and Manages the Inventory of Information Assets—The entity identifies, inventories, classifies, and manages information assets.
- Restricts Logical Access—Logical access to information assets, including hardware, data (at rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components, is restricted through the use of access control software and rule sets.
- Identifies and Authenticates Users—Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
- Considers Network Segmentation—Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
- Manages Points of Access—Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
- Restricts Access to Information Assets—Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
- Manages Identification and Authentication—Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.
- Manages Credentials for Infrastructure and Software—New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
- Uses Encryption to Protect Data—The entity uses encryption to supplement other measures used to protect data at rest when such protections are deemed appropriate based on assessed risk.
- Protects Encryption Keys—Processes are in place to protect encryption keys during generation, storage, use, and destruction.
What is a Cybersecurity Compliance Framework?
As your security and privacy programs become more sophisticated, you don't need to clutter them with an ever-increasing number of tools. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly specialized and in-demand top security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI (Payment Card Industry Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- CIS Framework Controls V8