| # | Subcategory ID | Function | Category | Subcategory | Category description | Informative References |
|---|---|---|---|---|---|---|
| 1 | ID.AM-1 | IDENTIFY | Asset Management | Physical devices and systems within the organization are inventoried | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | CIS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8, PM-5 |
| 2 | ID.AM-2 | IDENTIFY | Asset Management | Software platforms and applications within the organization are inventoried | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | CIS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1; NIST SP 800-53 Rev. 4 CM-8, PM-5 |
| 3 | ID.AM-3 | IDENTIFY | Asset Management | Organizational communication and data flows are mapped | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | CIS CSC 12; COBIT 5 DSS05.02; ISA 62443-2-1:2009 4.2.3.4; ISO/IEC 27001:2013 A.13.2.1, A.13.2.2; NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8 |
| 4 | ID.AM-4 | IDENTIFY | Asset Management | External information systems are catalogued | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | CIS CSC 12; COBIT 5 APO02.02, APO10.04, DSS01.02; ISO/IEC 27001:2013 A.11.2.6; NIST SP 800-53 Rev. 4 AC-20, SA-9 |
| 5 | ID.AM-5 | IDENTIFY | Asset Management | Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | CIS CSC 13, 14; COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02; ISA 62443-2-1:2009 4.2.3.6; ISO/IEC 27001:2013 A.8.2.1; NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6 |
| 6 | ID.AM-6 | IDENTIFY | Asset Management | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | CIS CSC 17, 19; COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11 |
| 7 | ID.BE-1 | IDENTIFY | Business Environment | The organization’s role in the supply chain is identified and communicated | The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12 |
| 8 | ID.BE-2 | IDENTIFY | Business Environment | The organization’s place in critical infrastructure and its industry sector is identified and communicated | The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | COBIT 5 APO02.06, APO03.01; ISO/IEC 27001:2013 Clause 4.1; NIST SP 800-53 Rev. 4 PM-8 |
| 9 | ID.BE-3 | IDENTIFY | Business Environment | Priorities for organizational mission, objectives, and activities are established and communicated | The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14 |
| 10 | ID.BE-4 | IDENTIFY | Business Environment | Dependencies and critical functions for delivery of critical services are established | The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | COBIT 5 APO10.01, BAI04.02, BAI09.02; ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 |
| 11 | ID.BE-5 | IDENTIFY | Business Environment | Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | COBIT 5 BAI03.02, DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-13, SA-14 |
| 12 | ID.GV-1 | IDENTIFY | Governance | Organizational cybersecurity policy is established and communicated | The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | CIS CSC 19; COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02; ISA 62443-2-1:2009 4.3.2.6; ISO/IEC 27001:2013 A.5.1.1; NIST SP 800-53 Rev. 4 -1 controls from all security control families |
| 13 | ID.GV-2 | IDENTIFY | Governance | Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | CIS CSC 19; COBIT 5 APO01.02, APO10.03, APO13.02, DSS05.04; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1; NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2 |
| 14 | ID.GV-3 | IDENTIFY | Governance | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | CIS CSC 19; COBIT 5 BAI02.01, MEA03.01, MEA03.04; ISA 62443-2-1:2009 4.4.3.7; ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5; NIST SP 800-53 Rev. 4 -1 controls from all security control families |
| 15 | ID.GV-4 | IDENTIFY | Governance | Governance and risk management processes address cybersecurity risks | The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3; ISO/IEC 27001:2013 Clause 6; NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11 |
| 16 | ID.RA-1 | IDENTIFY | Risk Assessment | Asset vulnerabilities are identified and documented | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 |
| 17 | ID.RA-2 | IDENTIFY | Risk Assessment | Cyber threat intelligence is received from information sharing forums and sources | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | CIS CSC 4; COBIT 5 BAI08.01; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4; NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16 |
| 18 | ID.RA-3 | IDENTIFY | Risk Assessment | Threats, both internal and external, are identified and documented | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16 |
| 19 | ID.RA-4 | IDENTIFY | Risk Assessment | Potential business impacts and likelihoods are identified | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | CIS CSC 4; COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11 |
| 20 | ID.RA-5 | IDENTIFY | Risk Assessment | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | CIS CSC 4; COBIT 5 APO12.02; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16 |
| 21 | ID.RA-6 | IDENTIFY | Risk Assessment | Risk responses are identified and prioritized | The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | CIS CSC 4; COBIT 5 APO12.05, APO13.02; ISO/IEC 27001:2013 Clause 6.1.3; NIST SP 800-53 Rev. 4 PM-4, PM-9 |
| 22 | ID.RM-1 | IDENTIFY | Risk Management Strategy | Risk management processes are established, managed, and agreed to by organizational stakeholders | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | CIS CSC 4; COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3; NIST SP 800-53 Rev. 4 PM-9 |
| 23 | ID.RM-2 | IDENTIFY | Risk Management Strategy | Organizational risk tolerance is determined and clearly expressed | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | COBIT 5 APO12.06; ISA 62443-2-1:2009 4.3.2.6.5; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3; NIST SP 800-53 Rev. 4 PM-9 |
| 24 | ID.RM-3 | IDENTIFY | Risk Management Strategy | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | COBIT 5 APO12.02; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3; NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11 |
| 25 | ID.SC-1 | IDENTIFY | Supply Chain Risk Management | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | CIS CSC 4; COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9 |
| 26 | ID.SC-2 | IDENTIFY | Supply Chain Risk Management | Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14; ISO/IEC 27001:2013 A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9 |
| 27 | ID.SC-3 | IDENTIFY | Supply Chain Risk Management | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3; NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9 |
| 28 | ID.SC-4 | IDENTIFY | Supply Chain Risk Management | Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05; ISA 62443-2-1:2009 4.3.2.6.7; ISA 62443-3-3:2013 SR 6.1; ISO/IEC 27001:2013 A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12 |
| 29 | ID.SC-5 | IDENTIFY | Supply Chain Risk Management | Response and recovery planning and testing are conducted with suppliers and third-party providers | The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | CIS CSC 19, 20; COBIT 5 DSS04.04; ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11; ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.17.1.3; NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9 |
| 30 | PR.AC-1 | PROTECT | Identity Management, Authentication and Access Control | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | CIS CSC 1, 5, 15, 16; COBIT 5 DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11 |
| 31 | PR.AC-2 | PROTECT | Identity Management, Authentication and Access Control | Physical access to assets is managed and protected | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8; ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8; NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8 |
| 32 | PR.AC-3 | PROTECT | Identity Management, Authentication and Access Control | Remote access is managed | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | CIS CSC 12; COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15 |
| 33 | PR.AC-4 | PROTECT | Identity Management, Authentication and Access Control | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | CIS CSC 3, 5, 12, 14, 15, 16, 18; COBIT 5 DSS05.04; ISA 62443-2-1:2009 4.3.3.7.3; ISA 62443-3-3:2013 SR 2.1; ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24 |
| 34 | PR.AC-5 | PROTECT | Identity Management, Authentication and Access Control | Network integrity is protected (e.g., network segregation, network segmentation) | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | CIS CSC 9, 14, 15, 18; COBIT 5 DSS01.05, DSS05.02; ISA 62443-2-1:2009 4.3.3.4; ISA 62443-3-3:2013 SR 3.1, SR 3.8; ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7 |
| 35 | PR.AC-6 | PROTECT | Identity Management, Authentication and Access Control | Identities are proofed and bound to credentials and asserted in interactions | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | CIS CSC 16; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03; ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1; ISO/IEC 27001:2013 A.7.1.1, A.9.2.1; NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3 |
| 36 | PR.AC-7 | PROTECT | Identity Management, Authentication and Access Control | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | CIS CSC 1, 12, 15, 16; COBIT 5 DSS05.04, DSS05.10, DSS06.10; ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10; ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4; NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11 |
| 37 | PR.AT-1 | PROTECT | Awareness and Training | All users are informed and trained | The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | CIS CSC 17, 18; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2, A.12.2.1; NIST SP 800-53 Rev. 4 AT-2, PM-13 |
| 38 | PR.AT-2 | PROTECT | Awareness and Training | Privileged users understand their roles and responsibilities | The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | CIS CSC 5, 17, 18; COBIT 5 APO07.02, DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13 |
| 39 | PR.AT-3 | PROTECT | Awareness and Training | Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | CIS CSC 17; COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2; NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16 |
| 40 | PR.AT-4 | PROTECT | Awareness and Training | Senior executives understand their roles and responsibilities | The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | CIS CSC 17, 19; COBIT 5 EDM01.01, APO01.02, APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13 |
| 41 | PR.AT-5 | PROTECT | Awareness and Training | Physical and cybersecurity personnel understand their roles and responsibilities | The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | CIS CSC 17; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13 |
| 42 | PR.DS-1 | PROTECT | Data Security | Data-at-rest is protected | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | CIS CSC 13, 14; COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06; ISA 62443-3-3:2013 SR 3.4, SR 4.1; ISO/IEC 27001:2013 A.8.2.3; NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28 |
| 43 | PR.DS-2 | PROTECT | Data Security | Data-in-transit is protected | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | CIS CSC 13, 14; COBIT 5 APO01.06, DSS05.02, DSS06.06; ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12 |
| 44 | PR.DS-3 | PROTECT | Data Security | Assets are formally managed throughout removal, transfers, and disposition | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | CIS CSC 1; COBIT 5 BAI09.03; ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1; ISA 62443-3-3:2013 SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7; NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16 |
| 45 | PR.DS-4 | PROTECT | Data Security | Adequate capacity to ensure availability is maintained | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | CIS CSC 1, 2, 13; COBIT 5 APO13.01, BAI04.04; ISA 62443-3-3:2013 SR 7.1, SR 7.2; ISO/IEC 27001:2013 A.12.1.3, A.17.2.1; NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5 |
| 46 | PR.DS-5 | PROTECT | Data Security | Protections against data leaks are implemented | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | CIS CSC 13; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; ISA 62443-3-3:2013 SR 5.2; ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4 |
| 47 | PR.DS-6 | PROTECT | Data Security | Integrity checking mechanisms are used to verify software, firmware, and information integrity | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | CIS CSC 2, 3; COBIT 5 APO01.06, BAI06.01, DSS06.02; ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8; ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4; NIST SP 800-53 Rev. 4 SC-16, SI-7 |
| 48 | PR.DS-7 | PROTECT | Data Security | The development and testing environment(s) are separate from the production environment | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | CIS CSC 18, 20; COBIT 5 BAI03.08, BAI07.04; ISO/IEC 27001:2013 A.12.1.4; NIST SP 800-53 Rev. 4 CM-2 |
| 49 | PR.DS-8 | PROTECT | Data Security | Integrity checking mechanisms are used to verify hardware integrity | Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | COBIT 5 BAI03.05; ISA 62443-2-1:2009 4.3.4.4.4; ISO/IEC 27001:2013 A.11.2.4; NIST SP 800-53 Rev. 4 SA-10, SI-7 |
| 50 | PR.IP-1 | PROTECT | Information Protection Processes and Procedures | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | CIS CSC 3, 9, 11; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4; NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10 |