NIST 800-53_AU-7(2)

NIST 800-53 Audit and Accountability AU-7(2) Audit Record Reduction and Report Generation | Automatic Sort and Search [Withdrawn: Incorporated into AU-7(1).] What is a Cybersecurity Compliance Framework? You don't need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any…


NERC CIP-002 through CIP-014 Revision 6_CIP-004-6 2.3

NERC CIP-002 through CIP-014 Revision 6 Cyber Security Training Program CIP-004-6 2.3: Require completion of the training specified in Part 2.1 at least once every 15 calendar months. M2. Evidence must include the training program that includes each of the applicable requirement parts in CIP-004-6 Table R2 – Cyber Security Training Program, and additional evidence to demonstrate implementation of the program(s). CIP-004-6 Table R2 – Cyber Security Training Program: Part | Applicable Systems | Requirements | Measures…


NIST 800-53_CA-4

NIST 800-53 Assessment, Authorization and Monitoring CA-4 Security Certification [Withdrawn: Incorporated into CA-2.]


NIST 800-53_PM-17

NIST 800-53 Program Management PM-17 Protecting Controlled Unclassified Information on External Systems: a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency].


NIST 800-171_3.13.10

NIST 800-171 3.13 SYSTEM AND COMMUNICATIONS PROTECTION 3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems. Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters. [SP 800-56A] and [SP 800-57-1] provide guidance on cryptographic key management and key…


NIST 800-53_SA-19

NIST 800-53 System and Services Acquisitions SA-19 Component Authenticity [Withdrawn: Moved to SR-11.]


NERC CIP-002 through CIP-014 Revision 6_CIP-011-2 2.2

NERC CIP-002 through CIP-014 Revision 6 BES Cyber Asset Reuse and Disposal CIP-011-2 2.2: Prior to the disposal of applicable Cyber Assets that contain BES Cyber System Information, the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Asset, or destroy the data storage media. M2. Evidence must include each of the applicable documented processes that collectively include each of the applicable…


NIST-CSF_ID.SC-3

NIST-CSF Supply Chain Risk Management (ID.SC) ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.


NIST 800-171_3.2.2

NIST 800-171 3.2 AWARENESS AND TRAINING 3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers…


PCI (Payment Card Industry Security Standard)_Test 8.1.2

PCI (Payment Card Industry Security Standard) Identify and authenticate access to system components Test 8.1.2: For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify that each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval. To ensure that user accounts granted access to systems are all valid and recognized users, strong processes…


CMMC v2.0_AC.L2-3.1.5

CMMC v2.0 3.1 ACCESS CONTROL AC.L2-3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts. Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system…


NIST-CSF_PR.AC-5

NIST-CSF Identity Management, Authentication and Access Control (PR.AC) PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).


PCI (Payment Card Industry Security Standard)_Test 6.7

PCI (Payment Card Industry Security Standard) Develop and maintain secure systems and applications Test 6.7: Examine documentation and interview personnel to verify that security policies and operational procedures for developing and maintaining secure systems and applications are: – Documented, – In use, and – Known to all affected parties. Personnel need to be aware of and following security policies and operational procedures to ensure systems and applications are securely developed and…


NERC CIP-002 through CIP-014 Revision 6_CIP-010-2 3.2

NERC CIP-002 through CIP-014 Revision 6 Vulnerability Assessments CIP-010-2 3.2: Where technically feasible, at least once every 36 calendar months: 3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and 3.2.2 Document the results of…


NIST 800-53_SA-9(1)

NIST 800-53 System and Services Acquisitions SA-9(1) External System Services | Risk Assessments and Organizational Approvals: (a) Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and (b) Verify that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].


NIST 800-53_CA-3(3)

NIST 800-53 Assessment, Authorization and Monitoring CA-3(3) Information Exchange | Unclassified Non-national Security System Connections [Withdrawn: Moved to SC-7(27).]


PCI (Payment Card Industry Security Standard)_Req 8.6

PCI (Payment Card Industry Security Standard) Identify and authenticate access to system components Req 8.6: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: – Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. – Physical and/or logical controls must be in place to ensure only the intended…


NIST 800-53_IA-9(1)

NIST 800-53 Identification and Authentication IA-9(1) Service Identification and Authentication | Information Exchange [Withdrawn: Incorporated into IA-9.]


CIS Framework Controls V8_16.6

CIS Framework Controls V8 Application Software Security 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and…


NIST 800-171_3.7.6

NIST 800-171 3.7 MAINTENANCE 3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization. This requirement applies to individuals who are performing hardware or software maintenance on organizational systems, while 3.10.1 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors…
