NIST 800-53_SA-4(3)

NIST 800-53, System and Services Acquisitions, SA-4(3) Acquisition Process: Development Methods, Techniques, and Practices. Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: (a) [Assignment: organization-defined systems engineering methods]; (b) organization-defined [Selection (one or more): systems security; privacy engineering methods]; and (c) [Assignment: organization-defined software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes].

PCI (Payment Card Industry Security Standard)_Req 10.4.2

PCI (Payment Card Industry Security Standard), Track and monitor all access to network resources and cardholder data, Req 10.4.2: Time data is protected. Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool…

NIST 800-171_3.1.3

NIST 800-171, 3.1 ACCESS CONTROL, 3.1.3: Control the flow of CUI in accordance with approved authorizations. Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from…

PCI (Payment Card Industry Security Standard)_Req 9.7.1

PCI (Payment Card Industry Security Standard), Restrict physical access to cardholder data, Req 9.7.1: Properly maintain inventory logs of all media and conduct media inventories at least annually. Without careful inventory methods and storage controls, stolen or missing media could go unnoticed for an indefinite amount of time. If media is not inventoried, stolen or lost media may not be noticed for a long time, or at all.

NIST 800-53_SA-17(7)

NIST 800-53, System and Services Acquisitions, SA-17(7) Developer Security and Privacy Architecture and Design: Structure for Least Privilege. Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.

PCI (Payment Card Industry Security Standard)_Test 11.6

PCI (Payment Card Industry Security Standard), Regularly test security systems and processes, Test 11.6: Examine documentation and interview personnel to verify that security policies and operational procedures for security monitoring and testing are: documented; in use; and known to all affected parties. Personnel need to be aware of and following security policies and operational procedures for security monitoring and testing on a continuous basis. Maintain an Information Security…

NIST 800-53_SA-15(3)

NIST 800-53, System and Services Acquisitions, SA-15(3) Development Process, Standards, and Tools: Criticality Analysis. Require the developer of the system, system component, or system service to perform a criticality analysis: (a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision points in the system development life cycle]; and (b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].

NIST 800-53_IA-5(8)

NIST 800-53, Identification and Authentication, IA-5(8) Authenticator Management: Multiple System Accounts. Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.

NIST 800-53_AC-3

NIST 800-53, Access Control, AC-3 Access Enforcement: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

NIST 800-53_AU-2(2)

NIST 800-53, Audit and Accountability, AU-2(2) Event Logging: Selection of Audit Events by Component. [Withdrawn: Incorporated into AU-12.]

PCI (Payment Card Industry Security Standard)_Req 10.5

PCI (Payment Card Industry Security Standard), Track and monitor all access to network resources and cardholder data, Req 10.5: Secure audit trails so they cannot be altered. Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless…

NIST 800-171_3.13.11

NIST 800-171, 3.13 SYSTEM AND COMMUNICATIONS PROTECTION, 3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Cryptography can be employed to support many security solutions, including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number…

NIST 800-53_SC-7(7)

NIST 800-53, System and Communications Protection, SC-7(7) Boundary Protection: Split Tunneling for Remote Devices. Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].

FTC-SFSCI (Part 314)_314.4(h)(7)(i)(1)

FTC-SFSCI (Part 314), Reporting, 314.4(h)(7)(i)(1): The overall status of the information security program and your compliance with this part. (i) Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall…

NERC CIP-002 through CIP-014 Revision 6_CIP-007-6 R5

NERC CIP-002 through CIP-014 Revision 6, System Access Control, CIP-007-6 R5: R5. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R5 – System Access Controls. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning]. M5. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-007-6 Table 5 – System Access…

NIST 800-53_SI-4(20)

NIST 800-53, System and Information Integrity, SI-4(20) System Monitoring: Privileged Users. Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].

NIST 800-53_SA-8(32)

NIST 800-53, System and Services Acquisitions, SA-8(32) Security and Privacy Engineering Principles: Sufficient Documentation. Implement the security design principle of sufficient documentation in [Assignment: organization-defined systems or system components].

NIST 800-171_3.5.5

NIST 800-171, 3.5 IDENTIFICATION AND AUTHENTICATION, 3.5.5: Prevent reuse of identifiers for a defined period. Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

NIST 800-172_3.13.3e

NIST 800-172, 3.13 SYSTEM AND COMMUNICATIONS PROTECTION, 3.13.3e: Employ [Assignment: organization-defined technical and procedural means] to confuse and mislead adversaries. There are many techniques and approaches that can be used to confuse and mislead adversaries, including misdirection, tainting, disinformation, or a combination thereof. Deception is used to confuse and mislead adversaries regarding the information that the adversaries use for decision-making, the value and authenticity of the information that the adversaries attempt to…

PCI (Payment Card Industry Security Standard)_Req 6.5.6

PCI (Payment Card Industry Security Standard), Develop and maintain secure systems and applications, Req 6.5.6: All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). All vulnerabilities identified by an organization’s vulnerability risk-ranking process (defined in Requirement 6.1) to be “high risk” and that could affect the application should be identified and addressed during application development. Note: Requirements 6.5.7 through 6.5.10 below apply to…
