NIST 800-53_CM-3(1)

NIST 800-53 Configuration Management CM-3(1) Configuration Change Control Automated Documentation, Notification, and Prohibition of Changes Use [Assignment: organization-defined automated mechanisms] to: (a) Document proposed changes to the system; (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval; (c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period]; (d) Prohibit changes to the system until designated approvals are received; (e) Document all…

NIST 800-53_SC-4

NIST 800-53 System and Communications Protection SC-4 Information in Shared System Resources Prevent unauthorized and unintended information transfer via shared system resources.   Click here to Start your FREE trial today! Explainer video   What is a Cybersecurity Compliance Framework? You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and…

PCI (Payment Card Industry Security Standard)_Req 12.10.4

PCI (Payment Card Industry Security Standard) Maintain a policy that addresses information security for all personnel Req 12.10.4 12.10.4 Provide appropriate training to staff with security breach response responsibilities. Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become "polluted" by inappropriate handling of the targeted systems. This can hinder the success of a post-incident investigation.

NIST-CSF_PR.MA-2

NIST-CSF Maintenance (PR.MA) PR.MA-2 PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

NIST 800-171_3.13.6

NIST 800-171 3.13 SYSTEM AND COMMUNICATIONS PROTECTION 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
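
An added illustration of the deny-all, permit-by-exception policy described above, not part of the control text or of the Lionfish page: two explicit allowlists (one inbound, one outbound, both constructed for this example) are rendered into an nftables ruleset whose input, forward and output base chains all default to drop, and a small checker parses the result to confirm that every base chain really is deny-by-default instead of trusting that it is. The addresses, ports and comments are assumptions.

```python
"""Deny-all, permit-by-exception at the system boundary (NIST 800-171 3.13.6).
Added example; the allowlists, subnets and ports below are constructed."""
import re

# Constructed exceptions: the only inbound traffic the host should accept.
INBOUND_ALLOW = [
    {"proto": "tcp", "port": 22,  "from": "10.0.10.0/24", "why": "admin ssh, jump-host subnet only"},
    {"proto": "tcp", "port": 443, "from": None,           "why": "public https"},
]
# Constructed exceptions: the only outbound traffic the host may initiate.
OUTBOUND_ALLOW = [
    {"proto": "udp", "port": 53,  "to": "10.0.0.53",    "why": "internal resolver"},
    {"proto": "udp", "port": 123, "to": "10.0.0.123",   "why": "internal ntp"},
    {"proto": "tcp", "port": 443, "to": "10.0.20.0/24", "why": "internal api tier"},
]

def _rule(r, direction):
    """One accept rule; the address match is omitted only when the exception is deliberately public."""
    match = ""
    if direction == "in" and r.get("from"):
        match = "ip saddr %s " % r["from"]
    if direction == "out" and r.get("to"):
        match = "ip daddr %s " % r["to"]
    return '    %s%s dport %d accept comment "%s"' % (match, r["proto"], r["port"], r["why"])

def build_ruleset(inbound, outbound):
    """Render the nftables ruleset. Every base chain carries 'policy drop', so
    anything not listed as an exception is denied (and logged)."""
    lines = ["table inet filter {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    lines += [_rule(r, "in") for r in inbound]
    lines += ['    log prefix "deny-in: " drop',
              "  }",
              "  chain forward {",
              "    type filter hook forward priority 0; policy drop;",   # host is not a router
              "  }",
              "  chain output {",
              "    type filter hook output priority 0; policy drop;",
              "    oif lo accept",
              "    ct state established,related accept"]
    lines += [_rule(r, "out") for r in outbound]
    lines += ['    log prefix "deny-out: " drop',
              "  }",
              "}"]
    return "\n".join(lines) + "\n"

# Parses "type filter hook <hook> priority ...; policy <verdict>;" from each base chain.
BASE_CHAIN = re.compile(r"type filter hook (\w+) priority [^;]+; policy (\w+);")

def default_policies(ruleset):
    """Map each base chain hook to its default policy, read back from the text."""
    return dict(BASE_CHAIN.findall(ruleset))

def is_deny_by_default(ruleset):
    """True only if input, forward and output chains all exist and all default to drop."""
    pols = default_policies(ruleset)
    return {"input", "forward", "output"} <= set(pols) and all(p == "drop" for p in pols.values())

if __name__ == "__main__":
    rs = build_ruleset(INBOUND_ALLOW, OUTBOUND_ALLOW)
    print(rs)
    print("deny-by-default:", is_deny_by_default(rs))
```

The checker is the part worth keeping in a pipeline: a ruleset whose output chain was relaxed to `policy accept` still passes a casual read but fails `is_deny_by_default`, which is the outbound half of the requirement that is most often forgotten.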

NIST 800-171_3.1.2

NIST 800-171 3.1 ACCESS CONTROL 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and…

NIST 800-53_AC-24(2)

NIST 800-53 Access Control AC-24(2) Access Control Decisions No User or Process Identity Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.
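
An added example that serves both NIST 800-171 3.1.2 above (limiting which transactions and functions an account type may execute, with time-of-day and day-of-week restrictions) and AC-24(2) (deciding on attributes that exclude the identity of the user or process). It is not code from either control or from the Lionfish page; the attribute names, clearance tiers, rules and sample requests are assumptions constructed for the example. The evaluator strips identity attributes before it looks at anything else, so two requests that differ only in who sent them must get the same answer, and any function with no matching rule is denied.

```python
"""Access decisions from attributes, never from identity.
Added example for NIST 800-171 3.1.2 and NIST 800-53 AC-24(2); attribute
names, tiers, rules and sample requests are constructed."""
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    action: str                  # transaction or function being requested
    account_types: frozenset     # account types permitted to execute it (3.1.2)
    min_tier: int                # clearance tier the request must carry
    hours: tuple = (time(0, 0), time(23, 59, 59))   # permitted time-of-day window
    weekdays: frozenset = frozenset(range(7))       # permitted days, Monday=0 .. Sunday=6

BUSINESS_HOURS = (time(8, 0), time(18, 0))
MON_TO_FRI = frozenset(range(5))

# Constructed policy: three functions of a hypothetical ledger application.
POLICY = (
    Rule("read_ledger",  frozenset({"individual", "service"}), 1),
    Rule("post_journal", frozenset({"individual"}), 2, BUSINESS_HOURS, MON_TO_FRI),
    Rule("close_period", frozenset({"individual"}), 3, BUSINESS_HOURS, frozenset({4})),  # Fridays only
)

# Attributes that name the caller; an AC-24(2) decision must not depend on them.
IDENTITY_ATTRS = frozenset({"user", "user_id", "principal", "subject"})

def decide(request, now, policy=POLICY):
    """Return (allowed, reason) for a request dict evaluated at datetime `now`.
    Identity attributes are discarded first; unmatched functions are denied."""
    attrs = {k: v for k, v in request.items() if k not in IDENTITY_ATTRS}
    for rule in policy:
        if rule.action != attrs.get("action"):
            continue
        if attrs.get("account_type") not in rule.account_types:
            return False, "account type not permitted for this function"
        if attrs.get("tier", 0) < rule.min_tier:
            return False, "insufficient clearance tier"
        if now.weekday() not in rule.weekdays:
            return False, "outside permitted days"
        start, end = rule.hours
        if not start <= now.time() <= end:
            return False, "outside permitted hours"
        return True, "permitted"
    return False, "no rule for this function; denied by default"

# Constructed evaluation times (2024-06-11 is a Tuesday, 2024-06-14 a Friday).
TUE_NOON = datetime(2024, 6, 11, 12, 0)
TUE_NIGHT = datetime(2024, 6, 11, 22, 0)
FRI_MORNING = datetime(2024, 6, 14, 10, 0)

if __name__ == "__main__":
    req = {"user": "jdoe", "action": "post_journal", "account_type": "individual", "tier": 2}
    print(decide(req, TUE_NOON))                                    # permitted
    print(decide(req, TUE_NIGHT))                                   # outside permitted hours
    print(decide(dict(req, account_type="service"), TUE_NOON))      # account type not permitted
    print(decide(dict(req, action="close_period"), FRI_MORNING))    # insufficient clearance tier
```

The `user` key is carried in the request only to show that it is ignored; in a real deployment the attributes would be asserted by something the caller cannot forge (a token issued after authentication, or labels attached by the platform), which is what makes a decision that excludes identity still enforceable.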

CIS Framework Controls V8_4.1

CIS Framework Controls V8 Secure Configuration of Enterprise Assets and Software 4.1 Establish and Maintain a Secure Configuration Process Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

PCI (Payment Card Industry Security Standard)_Req 11.3.4.1

PCI (Payment Card Industry Security Standard) Regularly test security systems and processes Req 11.3.4.1 11.3.4.1 Additional requirement for service providers only: if segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement. For service providers, validation of PCI DSS…

PCI (Payment Card Industry Security Standard)_Req 5.4

PCI (Payment Card Industry Security Standard) Protect all systems against malware and regularly update anti-virus software or programs Req 5.4 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. Personnel need to be aware of and following security policies and operational procedures to ensure systems are protected from malware on a continuous basis. Requirement 6: Develop and maintain…

NIST 800-53_RA-8

NIST 800-53 Risk Assessment RA-8 Privacy Impact Assessments Conduct privacy impact assessments for systems, programs, or other activities before: a. Developing or procuring information technology that processes personally identifiable information; and b. Initiating a new collection of personally identifiable information that: 1. Will be processed using information technology; and 2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements…

NIST 800-53_SC-38

NIST 800-53 System and Communications Protection SC-38 Operations Security Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].

CIS Framework Controls V8_9.4

CIS Framework Controls V8 Email and Web Browser Protections 9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.

NIST 800-53_PM-30

NIST 800-53 Program Management PM-30 Supply Chain Risk Management Strategy a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; b. Implement the supply chain risk management strategy consistently across the organization; and c. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency] or as required to address organizational changes.

NERC CIP-002 through CIP-014 Revision 6_CIP-004-6 5.5

NERC CIP-002 through CIP-014 Revision 6 Access Revocation CIP-004-6 5.5 5.5 For termination actions, change passwords for shared account(s) known to the user within 30 calendar days of the termination action. For reassignments or transfers, change passwords for shared account(s) known to the user within 30 calendar days following the date that the Responsible Entity determines that the individual no longer requires retention of that access. If the Responsible Entity determines and documents…

NIST 800-53_SA-8(6)

NIST 800-53 System and Services Acquisitions SA-8(6) Security and Privacy Engineering Principles Minimized Sharing Implement the security design principle of minimized sharing in [Assignment: organization-defined systems or system components].

PCI (Payment Card Industry Security Standard)_Test 2.6

PCI (Payment Card Industry Security Standard) Do not use vendor-supplied defaults for system passwords and other security measures Test 2.6 2.6 Perform testing procedures A1.1 through A1.4 detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers for PCI DSS assessments of shared hosting providers, to verify that shared hosting providers protect their entities' (merchants and service providers) hosted environment and data. This is intended for hosting providers that provide…

NIST 800-53_SC-13(1)

NIST 800-53 System and Communications Protection SC-13(1) Cryptographic Protection FIPS-validated Cryptography [Withdrawn: Incorporated into SC-13.]

CMMC v2.0_SC.L1-3.13.1

CMMC v2.0 3.13 SYSTEM AND COMMUNICATIONS PROTECTION SC.L1-3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis, and virtualization systems, or encrypted tunnels implemented within a system…

NIST 800-53_AU-7(1)

NIST 800-53 Audit and Accountability AU-7(1) Audit Record Reduction and Report Generation Automatic Processing Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
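
An added example of the process, sort and search capability AU-7(1) describes, not code from the control or from the Lionfish page. The audit records are constructed in a key=value style loosely modelled on Linux auditd output, and the field names used as the "organization-defined fields" (ts, type, acct, res, src, obj) are assumptions. Search criteria are either literal values or predicates, so the same function handles an exact match on result code and a prefix match on source address; a report function then reduces the matching records to the event of interest (repeated failed logins from one source).

```python
"""Audit record reduction: parse, search, sort and report on defined fields.
Added example for NIST 800-53 AU-7(1); log lines and field names are constructed."""
import re

# Constructed sample records, one event per line, key=value pairs.
SAMPLE_LOG = """\
ts=2024-06-11T08:01:05Z type=USER_LOGIN uid=1001 acct=jdoe res=success src=10.0.10.5
ts=2024-06-11T08:02:10Z type=USER_LOGIN uid=0 acct=root res=failed src=203.0.113.7
ts=2024-06-11T08:02:12Z type=USER_LOGIN uid=0 acct=root res=failed src=203.0.113.7
ts=2024-06-11T08:02:14Z type=USER_LOGIN uid=0 acct=root res=failed src=203.0.113.7
ts=2024-06-11T08:05:00Z type=CONFIG_CHANGE uid=1001 acct=jdoe res=success obj=/etc/ssh/sshd_config
ts=2024-06-11T09:00:00Z type=USER_LOGIN uid=1002 acct=svc-backup res=success src=10.0.20.9
"""

# key=value where the value is either a quoted string or a run of non-blanks.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log_text):
    """Turn each non-empty line into a dict of fields; quotes are stripped from values."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            records.append({k: v.strip('"') for k, v in PAIR.findall(line)})
    return records

def search(records, **criteria):
    """Keep records matching every criterion. A criterion is a literal value or a
    callable predicate over the field's string value; a missing field never matches."""
    def matches(rec):
        for field, want in criteria.items():
            have = rec.get(field)
            if have is None:
                return False
            if callable(want):
                if not want(have):
                    return False
            elif have != want:
                return False
        return True
    return [r for r in records if matches(r)]

def sort_by(records, *fields, reverse=False):
    """Sort on one or more fields; ISO-8601 timestamps sort correctly as strings."""
    return sorted(records, key=lambda r: tuple(r.get(f, "") for f in fields), reverse=reverse)

def count_by(records, field):
    """Reduce records to a count per distinct value of `field`."""
    counts = {}
    for r in records:
        counts[r.get(field)] = counts.get(r.get(field), 0) + 1
    return counts

def failed_logins_by_source(records, threshold=3):
    """Event of interest: sources with at least `threshold` failed logins."""
    failed = search(records, type="USER_LOGIN", res="failed")
    return {src: n for src, n in count_by(failed, "src").items() if n >= threshold}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("repeated failures:", failed_logins_by_source(recs))
    for r in sort_by(search(recs, type="CONFIG_CHANGE"), "ts"):
        print("config change by", r["acct"], "to", r["obj"])
    internal = search(recs, src=lambda s: s.startswith("10.0."))
    print("logins from internal ranges:", [r["acct"] for r in internal])
```

In practice the same three operations (select on fields, sort, count) are what `ausearch`/`aureport` or a SIEM query language provide; the value of writing them out is seeing that "events of interest" are just a saved set of field criteria plus a threshold, which is what an assessor will ask to see defined.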