NIST 800-53_SC-24

NIST 800-53 System and Communications Protection SC-24 Fail in Known State: Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components].

NIST 800-53_SA-4(9)

NIST 800-53 System and Services Acquisitions SA-4(9) Acquisition Process Functions, Ports, Protocols, and Services in Use: Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

NERC CIP-002 through CIP-014 Revision 6_CIP-011-2 2.1

NERC CIP-002 through CIP-014 Revision 6 BES Cyber Asset Reuse and Disposal CIP-011-2 2.1: Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reuse within other systems identified in the "Applicable Systems" column), the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset data storage media. M2. Evidence must include each of…

CIS Framework Controls V8_14.7

CIS Framework Controls V8 Security Awareness and Skills Training 14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates: Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.

CIS Framework Controls V8_14.4

CIS Framework Controls V8 Security Awareness and Skills Training 14.4 Train Workforce on Data Handling Best Practices: Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data…

NIST 800-53_SC-5(2)

NIST 800-53 System and Communications Protection SC-5(2) Denial-of-service Protection Capacity, Bandwidth, and Redundancy: Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.

NERC CIP-002 through CIP-014 Revision 6_CIP-008-5 2.2

NERC CIP-002 through CIP-014 Revision 6 Cyber Security Incident Response Plan Implementation and Testing CIP-008-5 2.2: Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber Security Incident or performing an exercise of a Reportable Cyber Security Incident. Document deviations from the plan(s) taken during the response to the incident or exercise. M2. Evidence must include, but is not limited to, documentation that collectively demonstrates…

NIST 800-171_3.13.7

NIST 800-171 3.13 SYSTEM AND COMMUNICATIONS PROTECTION 3.13.7: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational…

NIST 800-53_SC-7(5)

NIST 800-53 System and Communications Protection SC-7(5) Boundary Protection Deny by Default - Allow by Exception: Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].

NIST 800-53_SA-8(2)

NIST 800-53 System and Services Acquisitions SA-8(2) Security and Privacy Engineering Principles Least Common Mechanism: Implement the security design principle of least common mechanism in [Assignment: organization-defined systems or system components].

PCI (Payment Card Industry Security Standard)_Req 12.10.5

PCI (Payment Card Industry Security Standard) Maintain a policy that addresses information security for all personnel Req 12.10.5: Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewall, and file-integrity monitoring systems. These monitoring systems are designed to focus on potential risk to data, are critical in taking quick action to prevent a breach, and must be included in the incident-response processes.

NIST 800-53_AC-6(4)

NIST 800-53 Access Control AC-6(4) Least Privilege Separate Processing Domains: Provide separate processing domains to enable finer-grained allocation of user privileges.

NIST 800-53_PT-8

NIST 800-53 Personally Identifiable Information Processing and Transparency PT-8 Computer Matching Requirements: When a system or organization processes information for the purpose of conducting a matching program: a. Obtain approval from the Data Integrity Board to conduct the matching program; b. Develop and enter into a computer matching agreement; c. Publish a matching notice in the Federal Register; d. Independently verify the information produced by the matching program before taking adverse action against an individual, if…

NERC CIP-002 through CIP-014 Revision 6_CIP-014-2 2.1

NERC CIP-002 through CIP-014 Revision 6 Physical Security CIP-014-2 2.1: Each Transmission Owner shall select an unaffiliated verifying entity that is either: a registered Planning Coordinator, Transmission Planner, or Reliability Coordinator; or an entity that has transmission planning or analysis experience. M2. Examples of acceptable evidence may include, but are not limited to, dated written or electronic documentation that the Transmission Owner completed an unaffiliated third party verification of the Requirement R1…

NIST 800-171_3.10.1

NIST 800-171 3.10 PHYSICAL PROTECTION 3.10.1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. This requirement applies to employees, individuals with permanent physical access authorization credentials, and visitors. Authorized individuals have credentials that include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed, consistent with applicable laws, directives, policies, regulations, standards, procedures, and guidelines. This requirement applies only to areas…

HIPAA_164.308(b)

HIPAA Administrative Safeguards 164.308(b) 4.9. Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)): Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances in accordance with § 164.314(a) that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such…

NIST 800-53_CM-8(8)

NIST 800-53 Configuration Management CM-8(8) System Component Inventory Automated Location Tracking: Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms].

NIST 800-53_IR-4(2)

NIST 800-53 Incident Response IR-4(2) Incident Handling Dynamic Reconfiguration: Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].

SOC 2_P4.2

SOC 2 Privacy Additional Criteria for Privacy P4.2: The entity retains personal information consistent with the entity's objectives related to privacy. Retains Personal Information—Personal information is retained for no longer than necessary to fulfill the stated purposes unless a law or regulation specifically requires otherwise. Protects Personal Information—Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.

NIST 800-53_AU-12

NIST 800-53 Audit and Accountability AU-12 Audit Record Generation: a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record…
