NIST 800-53_MA-6(2)

NIST 800-53, Maintenance, MA-6(2) Timely Maintenance | Predictive Maintenance: Perform predictive maintenance on [Assignment: organization-defined system components] at [Assignment: organization-defined time intervals].

Click here to Start your FREE trial today! Explainer video. What is a Cybersecurity Compliance Framework? You don't need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor…


PCI (Payment Card Industry Security Standard)_Req 12.11

PCI (Payment Card Industry Security Standard), Maintain a policy that addresses information security for all personnel, Req 12.11: Additional requirement for service providers only: perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
– Daily log reviews
– Firewall rule-set reviews
– Applying configuration standards to new systems
– Responding to security alerts
– Change management processes
Note: This…


NIST 800-53_AU-5(4)

NIST 800-53, Audit and Accountability, AU-5(4) Response to Audit Logging Process Failures | Shutdown on Failure: Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists.


NIST 800-53_SC-7(11)

NIST 800-53, System and Communications Protection, SC-7(11) Boundary Protection | Restrict Incoming Communications Traffic: Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].


NERC CIP-002 through CIP-014 Revision 6_CIP-014-2 6.2

NERC CIP-002 through CIP-014 Revision 6, Physical Security, CIP-014-2 Part 6.2: The Transmission Owner or Transmission Operator, respectively, shall ensure that the unaffiliated third party review is completed within 90 calendar days of completing the security plan(s) developed in Requirement R5. The unaffiliated third party review may, but is not required to, include recommended changes to the evaluation performed under Requirement R4 or the security plan(s) developed under Requirement R5. M6. Examples…


CIS Framework Controls V8_16.2

CIS Framework Controls V8, Application Software Security, 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities: Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies the reporting process, the responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As…


NIST 800-53_SA-11(8)

NIST 800-53, System and Services Acquisition, SA-11(8) Developer Testing and Evaluation | Dynamic Code Analysis: Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.


NIST-CSF_ID.RA-4

NIST-CSF, Risk Assessment (ID.RA), ID.RA-4: Potential business impacts and likelihoods are identified.


NIST 800-53_MP-6(3)

NIST 800-53, Media Protection, MP-6(3) Media Sanitization | Nondestructive Techniques: Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].


NIST 800-53_SI-13(3)

NIST 800-53, System and Information Integrity, SI-13(3) Predictable Failure Prevention | Manual Transfer Between Components: Manually initiate transfers between active and standby system components when the use of the active component reaches [Assignment: organization-defined percentage] of the mean time to failure.


NIST 800-53_CM-2(3)

NIST 800-53, Configuration Management, CM-2(3) Baseline Configuration | Retention of Previous Configurations: Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.


NERC CIP-002 through CIP-014 Revision 6_CIP-010-2 2.1

NERC CIP-002 through CIP-014 Revision 6, Configuration Monitoring, CIP-010-2 Part 2.1: Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes. M2. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-2 Table R2 (Configuration Monitoring) and additional evidence to demonstrate implementation as described in…
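The two baseline controls above, CM-2(3) (retain a set number of previous baselines so a system can be rolled back) and CIP-010-2 Part 2.1 (periodically compare the live configuration with the approved baseline and record any unauthorized change), reduce to the same small piece of machinery: a content hash per configuration item, a diff against the approved baseline, and a bounded history of earlier baselines. The following is an added example written for this page, not tooling from NIST, NERC, or Lionfish. The file contents, paths, and the approved-change list are constructed; on a real host the bytes would be read from the monitored files and the approved set would come from the change ticket.

```python
"""Baseline-configuration drift check with retention of previous baselines.

Added example. Models what NIST 800-53 CM-2(3) (retain N prior baselines for
rollback) and NERC CIP-010-2 R2 Part 2.1 (detect and document unauthorized
changes against the baseline) require. File contents below are constructed.
"""
from __future__ import annotations

import hashlib
from collections import deque
from dataclasses import dataclass, field


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Map each configuration path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed, or changed relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


@dataclass
class BaselineStore:
    """Holds the approved baseline plus up to `retain` older versions (CM-2(3))."""
    retain: int
    history: deque = field(init=False)

    def __post_init__(self) -> None:
        # newest baseline is history[-1]; deque drops the oldest when full
        self.history = deque(maxlen=self.retain + 1)

    @property
    def current(self) -> dict[str, str]:
        return self.history[-1]

    def approve(self, baseline: dict[str, str]) -> None:
        """Record a newly approved baseline (after an authorized change)."""
        self.history.append(dict(baseline))

    def rollback(self) -> dict[str, str]:
        """Discard the newest baseline and make the previous one current."""
        if len(self.history) < 2:
            raise ValueError("no previous baseline retained")
        self.history.pop()
        return self.current


def review(store: BaselineStore, observed: dict[str, bytes],
           approved_changes: set[str]) -> dict:
    """One monitoring cycle: diff live config against the baseline and split
    touched paths into those covered by an approved change and those not."""
    delta = diff_baseline(store.current, snapshot(observed))
    touched = set(delta["added"]) | set(delta["removed"]) | set(delta["changed"])
    return {
        "delta": delta,
        "authorized": sorted(touched & approved_changes),
        "unauthorized": sorted(touched - approved_changes),   # these get investigated
    }


# Constructed sample data: an approved baseline, what the host looks like now,
# and the single path that a change ticket actually authorized.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
APPROVED_CHANGES = {"/etc/cron.d/backup"}


def run_example() -> dict:
    """Approve the baseline, then run one review cycle against the observed host."""
    store = BaselineStore(retain=2)
    store.approve(snapshot(BASELINE_FILES))
    return review(store, OBSERVED_FILES, APPROVED_CHANGES)


if __name__ == "__main__":
    result = run_example()
    for path in result["unauthorized"]:
        print(f"UNAUTHORIZED change: {path}")
    for path in result["authorized"]:
        print(f"authorized change: {path}")
```

The sshd_config edit shows up as unauthorized because no approved change covers it, while the new cron job is matched to its ticket; both are recorded, which is the "document and investigate" half of Part 2.1. The `retain` bound on `BaselineStore` is the organization-defined number in CM-2(3); the deque silently ages out the oldest baseline so rollback depth is explicit rather than unbounded.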


NIST 800-53_AC-2(4)

NIST 800-53, Access Control, AC-2(4) Account Management | Automated Audit Actions: Automatically audit account creation, modification, enabling, disabling, and removal actions.

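AC-2(4) asks for the five account-management actions to be audited automatically, and the practical question is what that audit looks like once the events are flowing. The following is an added example for this page, not code from NIST or Lionfish. It reads Windows Security event records by their documented IDs (4720 account created, 4722 enabled, 4725 disabled, 4726 deleted, 4738 changed, 4728 and 4732 member added to a security-enabled global or local group), writes one audit-trail entry per action, and additionally flags the pattern an automated audit exists to catch: an account placed in a privileged group minutes after it was created. The event records are constructed; the privileged-group list and the time window are assumptions to be tuned per site.

```python
"""Automated audit of account-management actions (NIST 800-53 AC-2(4)).

Added example. Event IDs are the Windows Security log's account-management
IDs; the records, privileged-group list and time window are constructed or
assumed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs for the actions AC-2(4) names.
ACCOUNT_EVENTS = {
    4720: "created",
    4722: "enabled",
    4725: "disabled",
    4726: "removed",
    4738: "modified",
    4728: "added to global group",
    4732: "added to local group",
}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}   # assumption: site-specific
CREATE_TO_ELEVATE_WINDOW = timedelta(minutes=15)          # assumption: tune per site


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    subject: str      # account that performed the action
    target: str       # account acted upon
    group: str = ""   # group name, only meaningful for 4728/4732


def _t(hhmm: str) -> datetime:
    return datetime(2024, 3, 4, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample records. Timestamps are deliberately out of order; the
# audit sorts them. The 4624 logon is present to show non-account events are ignored.
SAMPLE_EVENTS = [
    Event(_t("09:00"), 4720, "CORP\\admin1", "svc_backup"),
    Event(_t("09:05"), 4732, "CORP\\admin1", "svc_backup", "Administrators"),
    Event(_t("09:02"), 4722, "CORP\\admin1", "svc_backup"),
    Event(_t("09:10"), 4624, "CORP\\jdoe", "jdoe"),
    Event(_t("10:00"), 4738, "CORP\\admin2", "jdoe"),
    Event(_t("11:00"), 4720, "CORP\\admin2", "contractor"),
    Event(_t("13:00"), 4732, "CORP\\admin2", "contractor", "Administrators"),
    Event(_t("14:00"), 4726, "CORP\\admin1", "olduser"),
]


def audit_trail(events: list[Event]) -> list[str]:
    """One line per account-management action, in time order; other events are skipped."""
    lines = []
    for e in sorted(events, key=lambda x: x.ts):
        action = ACCOUNT_EVENTS.get(e.event_id)
        if action is None:
            continue
        detail = f" ({e.group})" if e.group else ""
        lines.append(f"{e.ts:%Y-%m-%d %H:%M} {action:<22} target={e.target}{detail} by={e.subject}")
    return lines


def detect_create_and_elevate(events: list[Event],
                              window: timedelta = CREATE_TO_ELEVATE_WINDOW) -> list[dict]:
    """Alert when an account lands in a privileged group within `window` of its creation."""
    created_at: dict[str, datetime] = {}
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event_id == 4720:
            created_at[e.target] = e.ts
        elif e.event_id in (4728, 4732) and e.group in PRIVILEGED_GROUPS:
            born = created_at.get(e.target)
            if born is not None and e.ts - born <= window:
                alerts.append({
                    "account": e.target,
                    "group": e.group,
                    "by": e.subject,
                    "minutes_after_creation": int((e.ts - born).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for line in audit_trail(SAMPLE_EVENTS):
        print(line)
    for alert in detect_create_and_elevate(SAMPLE_EVENTS):
        print("ALERT create-and-elevate:", alert)
```

The trail alone satisfies the letter of the control; the correlation is what makes the audit useful, since a lone 4732 is routine while a 4720 followed by a privileged 4732 five minutes later, by the same subject, is the shape of a backdoor account. The contractor account added to Administrators two hours after creation is left to the trail rather than alerted, which is the trade-off the window encodes.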

NIST 800-171_3.1.12

NIST 800-171, 3.1 ACCESS CONTROL, 3.1.12: Monitor and control remote access sessions. Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs…


NIST-CSF_RS.CO-3

NIST-CSF, Communications (RS.CO), RS.CO-3: Information is shared consistent with response plans.


FTC-SFSCI (Part 314)_314.4(c)(6)(ii)

FTC-SFSCI (Part 314), Safeguards, 314.4(c)(6)(ii): Periodically review your data retention policy to minimize the unnecessary retention of data. (i) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations…


SOC 2_PI1.1

SOC 2, Processing Integrity, Additional Criteria for Processing Integrity, PI1.1: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. Points of focus: Identifies Information Specifications—The entity identifies information specifications required to support the use of products and services. Defines Data Necessary to Support a Product or Service—When data is…


NIST 800-53_SA-11(7)

NIST 800-53, System and Services Acquisition, SA-11(7) Developer Testing and Evaluation | Verify Scope of Testing and Evaluation: Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].


CMMC v2.0_CM.L2-3.4.8

CMMC v2.0, 3.4 CONFIGURATION MANAGEMENT, CM.L2-3.4.8: Apply a deny-by-exception (blacklisting) policy to prevent the use of unauthorized software, or a deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting. The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting. Whitelisting is…


FTC-SFSCI (Part 314)_314.4(b)(1)(i)

FTC-SFSCI (Part 314), Risk assessment, 314.4(b)(1)(i): The risk assessment shall be written and shall include: (i) criteria for the evaluation and categorization of identified security risks or threats you face. (b) Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information…
