NIST Special Publication 800-171
The protection of unclassified federal information in nonfederal systems and organizations is dependent on the federal government providing a disciplined and structured process for identifying the different types of information that are routinely used by federal agencies. On November 4, 2010, the President signed Executive Order 13556, Controlled Unclassified Information. The Executive Order established a government-wide Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection and designated the National Archives and Records Administration (NARA) as the Executive Agent to implement that program. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or government-wide policy may be designated as CUI.
The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI Registry. The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Among other information, the CUI Registry identifies approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information.
Executive Order 13556 also required that the CUI Program emphasize openness, transparency, and uniformity of government-wide practices, and that the implementation of the program take place in a manner consistent with applicable policies established by the Office of Management and Budget (OMB) and federal standards and guidelines issued by the National Institute of Standards and Technology (NIST). The federal CUI regulation, developed by the CUI Executive Agent, provides guidance to federal agencies on the designation, safeguarding, dissemination, marking, decontrolling, and disposition of CUI, establishes self-inspection and oversight requirements, and delineates other facets of the program.
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
About NIST 800-171 and EC-Council
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
About NIST SP 800-171 | About EC-Council | EC-Council Career Tracks | EC-Council Programs | Mapping Methodology
Purpose and Applicability
The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
Target Audience
SP 800-171 and this document serve a diverse group of individuals and organizations in both the public and private sectors, including, but not limited to, individuals with:
• System development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, system/security engineers, systems integrators);
• Acquisition or procurement responsibilities (e.g., contracting officers);
• System, security, or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, system owners, information security managers); and
• Security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts).
Development of Security Requirements
The security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations have a well-defined structure that consists of a basic security requirements section and a derived security requirements section. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53. Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:
• Uniquely federal (i.e., primarily the responsibility of the federal government);
• Not directly related to protecting the confidentiality of CUI; or
• Expected to be routinely satisfied by nonfederal organizations without specification.
Security Requirement Families
For ease of use, the security requirements are organized into fourteen families:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
EC-Council at a Glance
EC-Council Group is a multidisciplinary institution of global Information Security professional services.
EC-Council Group is a dedicated Information Security organization that aims at creating knowledge, facilitating innovation, executing research, implementing development, and nurturing subject matter experts in order to provide their unique skills and niche expertise in cybersecurity.
Some of the finest organizations around the world, such as the US Army, US Navy, DoD, the FBI, Microsoft, IBM, and the United Nations, have trusted EC-Council to develop and advance their security infrastructure.
ICECC: International Council of E-Commerce Consultants (EC-Council Group)
ECC: EC-Council Training & Certification, Division of Professional Workforce Development
EGS: EC-Council Global Services, Division of Corporate Consulting & Advisory Services
ECCU: EC-Council University, Division of Academic Education
EGE: EC-Council Global Events, Division of Conferences, Forums, Summits, Workshops & Industry Awards
ECF: EC-Council Foundation, Non-Profit Organization for Cyber Security Awareness Increase
Certified Members: 220,000+
Years Experience: 15+
Training & Certification Programs: 40+
Countries: 145+
Subject Matter Experts: 350+
Training Partners Worldwide: 700+
Tools & Technologies: 3000+
Your Learning Options
Instructor-led Training
facility in your city.
Live Online Training
With iWeek, an instructor will teach you live online while you are seated in the comfort of your home. This training method gives you the freedom to get trained from a location of your choice. Individuals who choose this delivery method consistently attribute their choice to the preference of having a live instructor available to ask questions of and get answers from. We offer early-bird rates, group rates, and even private courses delivered anytime.
Online Training
iLearn online training is a distance learning program designed for those who cannot attend a live course. The program is for people who have a very busy schedule and want to learn at their own pace through self-study. This modality is also available from our enterprise teams.
Mobile Learning
Our world-class content is also available on a mobile device, allowing our students to learn on the go. This program is designed for those who cannot attend a live course but are keen to improve their cyber security skills. This modality is also available from our enterprise teams.
Computer-based Training
base iLearn program and are not sold independently. This modality is also available from our enterprise teams.
Customized Learning
channel. Let us know where and when you want the training delivered, and we will arrange for an instructor and all that's required for a course to be taught at a location of your choice. Contact our accredited training partners for a custom solution. EC-Council client-site training includes official courseware, certification exam (ECC-Exam or VUE), iLabs, online labs (wherever available), and our test-pass guarantee.
Hands-on Experience with the EC-Council Cyber Range (iLabs)
EC-Council iLabs allows students to dynamically access a host of virtual machines preconfigured with vulnerabilities, exploits, tools, and scripts from anywhere. Our simple web portal enables the student to launch an entire range of target machines and access them remotely with one click. It is the most cost-effective, easy-to-use, live range lab solution available. Most of our courses are equipped with iLabs, but iLabs can be purchased independently as well.
Certified Network Defender (CND)
Course Description
CND is the world's most advanced network defense course, covering 14 of the most current network security domains that individuals need to know when planning to protect, detect, and respond to network attacks.
The course contains hands-on labs based on major network security tools and techniques, which provide network administrators with real-world expertise in current network security technologies and operations.
Key Outcomes
• Knowledge of how to protect, detect, and respond to network attacks
• Network defense fundamentals
• Application of network security controls, protocols, perimeter appliances, secure IDS, VPN, and firewall configuration
• Intricacies of network traffic signatures, analysis, and vulnerability scanning
Course Outline
1. Computer network and defense fundamentals
2. Network security threats, vulnerabilities, and attacks
3. Network security controls, protocols, and devices
4. Network security policy design and implementation
5. Physical security
6. Host security
7. Secure firewall configuration and management
8. Secure IDS configuration and management
9. Secure VPN configuration and management
10. Wireless network defense
11. Network traffic monitoring and analysis
12. Network risk and vulnerability management
13. Data backup and recovery
14. Network incident response and management
Exam Information
• Exam title: CND
• Exam code: 312-38
• Number of questions: 100
• Duration: 4 hours
• Availability: ECC Exam
• Test format: Interactive Multiple Choice Questions
CND Course Objectives
Module 01: Computer Network and Defense Fundamentals
1.1. Understand computer network fundamentals
1.2. Understand TCP/IP Networking
1.3. Describe TCP/IP Protocol Stack
1.4. Understand use of basic network administration utilities
1.5. Explain IP addressing concept
1.6. Understand Computer Network Defense (CND)
1.7. Describe CND layers
1.8. Describe CND process
Module 02: Network Security Threats, Vulnerabilities, and Attacks
2.1. Discuss network security concerns
2.2. Discuss network security vulnerabilities
2.3. Understand classification of network attacks
2.4. Discuss Network Reconnaissance Attacks
2.5. Discuss Network Access Attacks
2.6. Discuss Network DoS Attacks
2.7. Discuss Malware Attacks
Module 03: Network Security Controls, Protocols, and Devices
3.1. Understand fundamental elements of network security
3.2. Understand different types of network security controls
3.3. Explain network access control
3.4. Explain Identification, Authentication, Authorization and Accounting
3.5. Explain cryptography
3.6. Understand network security policy
3.7. Describe network security devices
3.8. Describe network security protocols
Module 04: Network Security Policy Design and Implementation
4.1. Understand security policy
4.2. Discuss the design and implementation of policy
4.3. Classification of security policies
4.4. Discuss the design of various security policies
4.5. Discuss Security Policy Training and Awareness
4.6. Discuss various information security related standards, laws and acts
Module 05: Physical Security
5.1. Understand physical security
5.2. Describe types of physical security controls
5.3. Describe various physical security controls
5.4. Describe various access control authentication techniques
5.5. Understand workplace security
5.6. Understand personnel security
5.7. Describe environment controls
5.8. Physical security awareness and training
5.9. Discuss physical security checklist
Module 06: Host Security
6.1. Understand host security
6.2. Understand OS security
6.3. Discuss Windows Security
6.4. Discuss Windows Patch Management
6.5. Discuss Windows log review and Audit
6.6. Discuss Linux security
6.7. Discuss Linux log review and audit
6.8. Discuss server security
6.9. Discuss router and switch security
6.10. Discuss Log review, audit, and management
6.11. Discuss application security
6.12. Discuss data security
6.13. Discuss virtualization security
Module 07: Secure Firewall Configuration and Management
7.1. Understand firewall security and how firewalls work
7.2. Understand firewall security concerns
7.3. Describe types of firewalls
7.4. Describe various firewall technologies
7.5. Explain different firewall topologies and their appropriate selection
7.6. Discuss firewall rules and policies
7.7. Explain firewall implementation and deployment
7.8. Explain firewall administration
7.9. Discuss firewall logging and auditing
7.10. Discuss firewall anti-evasion techniques
7.11. Discuss Firewall Security Recommendations
7.12. Discuss firewall and firewall security auditing tools
Module 08: Secure IDS Configuration and Management
8.1. Understand intrusions
8.2. Describe Intrusion Detection and Prevention Systems (IDPS)
8.2. Explain Intrusion Detection Systems (IDS)
8.3. Explain IDS implementation
8.4. Explain IDS deployment
8.5. Explain fine tuning of IDS alerts
8.6. Discuss IDS recommendations
8.7. Explain Intrusion Prevention Systems (IPS)
8.8. Describe IDPS product selection considerations
8.9. Explain technologies for complementing IDS functionality
8.10. Introduce various IDS/IPS solutions and vendors
Module 09: Secure VPN Configuration and Management
9.1. Understand Virtual Private Networks (VPN)
9.2. Discuss various types of VPN
9.3. Discuss VPN Categories
9.4. Explain VPN Core Functions
9.5. Describe VPN technologies
9.6. Explain various VPN topologies
9.7. Discuss common threats and flaws in VPN implementation
9.8. Discuss security in VPN implementation
9.9. Discuss Quality of Service and Performance in VPNs
9.10. Discuss Auditing and Testing of VPN
9.11. Discuss VPN Security Recommendations
Module 10: Wireless Network Defense
10.1. Introduce various wireless terminologies
10.2. Introduce wireless networks
10.3. Discuss various wireless standards
10.4. Describe various wireless network topologies
10.5. Describe typical Use of Wireless Networks
10.6. Discuss various wireless network components
10.7. Discuss the use of various types of antenna
10.8. Explain Wireless Encryption technologies
10.9. Describe various methods for wireless authentication
10.10. Discuss various threats on wireless network
10.11. Implement security for wireless networks
10.12. Assess wireless network security
10.12. Discuss Wireless IDS/IPS deployment
10.13. Implement security on wireless routers
10.14. Discuss Wireless Network Security Guidelines
Module 11: Network Monitoring and Analysis
11.1. Introduction to network traffic monitoring and analysis
11.2. Discuss various techniques for network traffic monitoring and analysis
11.3. Describe position of machine for network monitoring
11.4. Understand network traffic signatures
11.5. Understand Wireshark components, working and features
11.6. Demonstrate the use of various Wireshark filters
11.7. Demonstrate monitoring of LAN traffic for policy violations
11.8. Demonstrate the detection of various attacks using Wireshark
11.9. Discuss network bandwidth monitoring and performance improvement
Module 12: Network Risk and Vulnerability Management
12.1. Understand risk
12.2. Discuss Risk Management
12.3. Describe Risk Management phases
12.4. Discuss Enterprise Network Risk Management
12.5. Explain Vulnerability management and its phases
12.6. Demonstrate Vulnerability Assessment/scanning
Module 13: Data Backup and Recovery
13.1. Introduction to Data Backup
13.2. Explain RAID backup technology
13.3. Explain SAN backup technology
13.4. Explain NAS backup technology
13.5. Describe various backup methods
13.6. Describe various locations for backup
13.7. Demonstrate various types of backup
13.8. Describe various backup solutions
13.9. Discuss the need of recovery drill test
13.10. Demonstrate data recovery
Module 14: Network Incident Response and Management
14.1. Understand Incident Handling and Response (IH&R)
14.2. Describe role of first responder in incident response
14.3. Describe Incident Handling and Response (IH&R) process
14.4. Overview of forensic investigation
Mapping Methodology
1. This document provides a mapping of the security requirements to the relevant security controls in NIST Special Publication 800-53 and to the relevant controls in ISO/IEC 27001. It also provides a mapping of the security requirements and the relevant security controls in NIST Special Publication 800-53 to EC-Council course objectives.
2. The mapping of each security requirement to EC-Council course objectives is determined to a correlation of ±5%.
3. The relevance of EC-Council course objectives with reference to the security requirements is validated based on SME reviews, student feedback, and industry acceptance of the trained workforce.
4. The training proficiency level is mapped for each EC-Council course.
Mapping References
• NIST Special Publication 800-171 Revision 1
• NIST Special Publication 800-53 Revision 1
• Federal Information Processing Standards Publication 200
Proficiency Levels
Level | Proficiency Category | Description
0 | No Proficiency | This training is intended for someone with an insufficient knowledge, skill, or ability level for use in simple or routine work situations. The knowledge, skill, or ability level provided would be similar to that of a layperson. Considered "no proficiency" for purposes of accomplishing specialized or technical work.
1 | Basic | This training is intended for individuals who need basic knowledge, skills, or abilities for use and application in simple work situations with specific instructions and/or guidance.
2 | Intermediate | This training is intended for individuals who need intermediate knowledge, skills, or abilities for independent use and application in straightforward, routine work situations with limited need for direction.
3 | Advanced | This training is intended for individuals who need advanced knowledge, skills, or abilities for independent use and application in complex or novel work situations.
4 | Expert | This training is intended for individuals who need expert knowledge, skills, or abilities for independent use and application in highly complex, difficult, or ambiguous work situations, or the trainee is an acknowledged authority, advisor, or key resource.
3.1 Access Control (AC)
Basic Security Requirements
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.

NIST SP 800-53 relevant security controls: AC-2 Account Management
ISO/IEC 27001 relevant security controls: A.9.2.1 User registration and de-registration; A.9.2.2 User access provisioning; A.9.2.3 Management of privileged access rights; A.9.2.5 Review of user access rights; A.9.2.6 Removal or adjustment of access rights
Control enhancement | CND Exam Objectives | Proficiency | Relational Coefficient
AC-2(1) Automated System Account Management | N/A | N/A | N/A
AC-2(2) Removal Of Temporary / Emergency Accounts | 4.4 | 4 | 100% or 1
AC-2(3) Disable Inactive Accounts | 6.3 | 4 | 100% or 1
AC-2(4) Automated Audit Actions | 6.1 | 4 | 100% or 1
AC-2(5) Inactivity Logout | N/A | N/A | N/A
AC-2(6) Dynamic Privilege Management | N/A | N/A | N/A
AC-2(7) Role-Based Schemes | 3.3 | 4 | 100% or 1
AC-2(8) Dynamic Account Creation | 4.4 | 3 | 80% or .8
AC-2(9) Restrictions On Use Of Shared / Group Accounts | 4.4 | 3 | 80% or .8
AC-2(10) Shared / Group Account Credential Termination | 4.4 | 3 | 80% or .8
AC-2(11) Usage Conditions | 4.4 | 3 | 80% or .8
AC-2(12) Account Monitoring / Atypical Usage | 6.1 | 4 | 100% or 1
AC-2(13) Disable Accounts For High-Risk Individuals | 4.4 | 3 | 80% or .8

NIST SP 800-53 relevant security controls: AC-3 Access Enforcement
ISO/IEC 27001 relevant security controls: A.6.2.2 Teleworking; A.9.1.2 Access to networks and network services; A.9.4.1 Information access restriction; A.9.4.4 Use of privileged utility programs; A.9.4.5 Access control to program source code; A.13.1.1 Network controls; A.14.1.2 Securing application services on public networks; A.14.1.3 Protecting application services transactions; A.18.1.3 Protection of records
Control enhancement | CND Exam Objectives | Proficiency | Relational Coefficient
AC-3(1) Restricted Access To Privileged Functions | 4.4 | 3 | 80% or .8
AC-3(2) Dual Authorization | 3.4 | 4 | 100% or 1
AC-3(3) Mandatory Access Control | 3.3 | 4 | 100% or 1
AC-3(4) Discretionary Access Control | 3.3 | 4 | 100% or 1
AC-3(5) Security-Relevant Information | 4.4 | 3 | 80% or .8
AC-3(6) Protection Of User And System Information | 4.4 | 3 | 80% or .8
AC-3(7) Role-Based Access Control | 3.3 | 4 | 100% or 1
3.1 Access Control (AC), Basic Security Requirements 3.1.1 and 3.1.2 (continued)

NIST SP 800-53 relevant security controls: AC-3 Access Enforcement (continued)
Control enhancement | CND Exam Objectives | Proficiency | Relational Coefficient
AC-3(8) Revocation Of Access Authorizations | 3.4 | 4 | 100% or 1
AC-3(9) Controlled Release | N/A | N/A | N/A
AC-3(10) Audited Override Of Access Control Mechanisms | N/A | N/A | N/A

NIST SP 800-53 relevant security controls: AC-17 Remote Access
ISO/IEC 27001 relevant security controls: A.6.2.1 Mobile device policy; A.6.2.2 Teleworking; A.13.1.1 Network controls; A.13.2.1 Information transfer policies and procedures; A.14.1.2 Securing application services on public networks
Control enhancement | CND Exam Objectives | Proficiency | Relational Coefficient
AC-17(1) Automated Monitoring / Control | 4.4 | 4 | 100% or 1
AC-17(2) Protection Of Confidentiality / Integrity Using Encryption | 3.5 | 4 | 100% or 1
AC-17(3) Managed Access Control Points | 3.3 | 4 | 100% or 1
AC-17(4) Privileged Commands / Access | 3.4 | 4 | 100% or 1
AC-17(5) Monitoring For Unauthorized Connections | 6.1 | 4 | 100% or 1
AC-17(6) Protection Of Information | 4.4 | 3 | 80% or .8
AC-17(7) Additional Protection For Security Function Access | 4.4 | 3 | 80% or .8
AC-17(8) Disable Nonsecure Network Protocols | 3.8 | 2 | 50% or .5
AC-17(9) Disconnect / Disable Access | 7.8 | 3 | 80% or .8
Summary for 3.1.1 and 3.1.2 | | 4 | 90% or .9
SECURITY REQUIREMENTS
NIST SP 800-53 Relevant Security Controls
ISO/IEC 27001 Relevant Security Controls
CND EXAM Objectives Proficiency Relational
Coefficient
3.1.3 Control the flow of CUI in accordance with approved authori-zations.
AC-4Information Flow Enforcement
AC-4(1) Object Security Attributes
A.13.1.3A.13.2.1
A.14.1.2
A.14.1.3
Segregation in networksInformation transfer policies and proce-duresSecuring application services on public networksProtecting application services transac-tions
N/A N/A N/A
AC-4(2) Processing Domains N/A N/A N/A
AC-4(3) Dynamic Information Flow Control N/A N/A N/A
AC-4(4) Content Check Encrypted Information N/A N/A N/A
AC-4(5) Embedded Data Types N/A N/A N/A
AC-4(6) Metadata N/A N/A N/A
AC-4(7) One-Way Flow Mechanisms N/A N/A N/A
AC-4(8) Security Policy Filters N/A N/A N/A
AC-4(9) Human Reviews N/A N/A N/A
AC-4(10) Enable / Disable Security Policy Filters 3.7, 6.3, 7.4, 7.6, 10.11 4 100% or 1
AC-4(11) Configuration Of Security Policy Filters 6.3, 7.4, 7.6 4 100% or 1
AC-4(12) Data Type Identifiers 4.4 4 100% or 1
AC-4(13) Decomposition Into Policy- Relevant Subcomponents N/A N/A N/A
AC-4(14) Security Policy Filter Constraints3.7, 6.3, 7.4, 7.6,
10.11 4 100% or 1
AC-4(15) Detection Of Unsanctioned Information N/A N/A N/A
AC-4(16)Information Transfers On Interconnected Systems N/A N/A N/A
AC-4(17) Domain Authentication 3.4 3 80% or .8
AC-4(18) Security Attribute Binding N/A N/A N/A
AC-4(19) Validation Of Metadata N/A N/A N/A
AC-4(20) Approved Solutions N/A N/A N/A
AC-4(21) Physical / Logical Separation Of Informa-tion Flows 4.4 3 80% or .8
AC-4(22) Access Only N/A N/A N/A
3.1 Access Control (AC)
Page 17

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | AC-5 Separation of Duties | | A.6.1.2 Segregation of duties | 3.4 | 4 | 100% or 1 |
| 3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts. | AC-6 Least Privilege | AC-6(1) Authorize Access To Security Functions | A.9.1.2 Access to networks and network services; A.9.2.3 Management of privileged access rights; A.9.4.4 Use of privileged utility programs; A.9.4.5 Access control to program source code | 3.4 | 4 | 100% or 1 |
| | | AC-6(5) Privileged Accounts | | 3.4 | 4 | 100% or 1 |
| 3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions. | AC-6 Least Privilege | AC-6(2) Non-Privileged Access For Nonsecurity Functions | N/A | 3.4 | 4 | 100% or 1 |
| 3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | AC-6 Least Privilege | AC-6(9) Auditing Use Of Privileged Functions | N/A | 3.4 | 4 | 100% or 1 |
| | | AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions | N/A | 3.4 | 4 | 100% or 1 |
| 3.1.8 Limit unsuccessful logon attempts. | AC-7 Unsuccessful Logon Attempts | AC-7(1) Automatic Account Lock | A.9.4.2 Secure logon procedures | N/A | N/A | N/A |
| | | AC-7(2) Purge / Wipe Mobile Device | | 5.5 | 2 | 50% or .5 |
| 3.1.9 Provide privacy and security notices consistent with applicable CUI rules. | AC-8 System Use Notification | | A.9.4.2 Secure logon procedures | N/A | N/A | N/A |
| 3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | AC-11 Session Lock | AC-11(1) Pattern-Hiding Displays | A.11.2.8 Unattended user equipment | N/A | N/A | N/A |
3.1 Access Control (AC)
Page 18

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.1.10 (continued from the previous page) | | | A.11.2.9 Clear desk and clear screen policy | N/A | N/A | N/A |
| 3.1.11 Terminate (automatically) a user session after a defined condition. | AC-12 Session Termination | AC-12(1) User-Initiated Logouts / Message Displays | N/A | N/A | N/A | N/A |
| 3.1.12 Monitor and control remote access sessions. | AC-17 Remote Access | AC-17(1) Automated Monitoring / Control | N/A | Module 09 | 4 | 100% or 1 |
| 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | AC-17 Remote Access | AC-17(2) Protection Of Confidentiality / Integrity Using Encryption | N/A | Module 09 | 4 | 100% or 1 |
| 3.1.14 Route remote access via managed access control points. | AC-17 Remote Access | AC-17(3) Managed Access Control Points | N/A | 4.4, 9.2 | 4 | 100% or 1 |
| 3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information. | AC-17 Remote Access | AC-17(4) Privileged Commands / Access | N/A | Module 09 | 4 | 100% or 1 |
| 3.1.16 Authorize wireless access prior to allowing such connections. | AC-18 Wireless Access | AC-18(1) Authentication And Encryption | A.6.2.1 Mobile device policy; A.13.1.1 Network controls; A.13.2.1 Information transfer policies and procedures | 10.8, 10.9 | 4 | 100% or 1 |
| | | AC-18(2) Monitoring Unauthorized Connections | | 10.12 | 3 | 80% or .8 |
| | | AC-18(3) Disable Wireless Networking | | 10.14 | 3 | 80% or .8 |
| | | AC-18(4) Restrict Configurations By Users | | 4.4, 10.14 | 4 | 100% or 1 |
| | | AC-18(5) Antennas / Transmission Power Levels | | 10.7 | 4 | 100% or 1 |
| 3.1.17 Protect wireless access using authentication and encryption. | AC-18 Wireless Access | AC-18(1) Authentication And Encryption | N/A | 10.8, 10.9 | 4 | 100% or 1 |
3.1 Access Control (AC)
Page 19

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.1.18 Control connection of mobile devices. | AC-19 Access Control for Mobile Devices | AC-19(1) Use Of Writable / Portable Storage Devices | A.6.2.1 Mobile device policy; A.11.2.6 Security of equipment and assets off-premises; A.13.2.1 Information transfer policies and procedures | 4.4 | 3 | 80% or .8 |
| | | AC-19(2) Use Of Personally Owned Portable Storage Devices | | 4.4 | 3 | 80% or .8 |
| | | AC-19(3) Use Of Portable Storage Devices With No Identifiable Owner | | 4.4 | 3 | 80% or .8 |
| | | AC-19(4) Restrictions For Classified Information | | 4.4 | 3 | 80% or .8 |
| | | AC-19(5) Full Device / Container-Based Encryption | | 5.5 | 3 | 80% or .8 |
| 3.1.19 Encrypt CUI on mobile devices and mobile computing platforms. | AC-19 Access Control for Mobile Devices | AC-19(5) Full Device / Container-Based Encryption | N/A | 5.5 | 3 | 80% or .8 |
| 3.1.20 Verify and control/limit connections to and use of external systems. | AC-20 Use of External Systems | AC-20(1) Limits On Authorized Use | A.11.2.6 Security of equipment and assets off-premises; A.13.1.1 Network controls; A.13.2.1 Information transfer policies and procedures | 4.4 | 3 | 80% or .8 |
| 3.1.21 Limit use of organizational portable storage devices on external systems. | AC-20 Use of External Systems | AC-20(2) Portable Storage Devices | N/A | 4.4 | 3 | 80% or .8 |
| 3.1.22 Control CUI posted or processed on publicly accessible systems. | AC-22 Publicly Accessible Content | AC-22 Publicly Accessible Content | N/A | 4.4 | 3 | 80% or .8 |
| Summary | | | | | 3 | 90% or .9 |
3.2 Awareness and Training
Page 20

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. 3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. | AT-2 Security Awareness Training | AT-2(1) Practical Exercises | A.7.2.2 Information security awareness, education, and training; A.12.2.1 Controls against malware | 4.5, 5.8, 14.3 | 4 | 100% or 1 |
| | | AT-2(2) Insider Threat | | N/A | N/A | N/A |
| | AT-3 Role-Based Security Training | AT-3(1) Environmental Controls | A.7.2.2* Information security awareness, education, and training | 5.7 | 4 | 100% or 1 |
| | | AT-3(2) Physical Security Controls | | 5.3 | 4 | 100% or 1 |
| | | AT-3(3) Practical Exercises | | N/A | N/A | N/A |
| | | AT-3(4) Suspicious Communications And Anomalous System Behavior | | 8.7 | 3 | 80% or .8 |
| Summary | | | | | 3 | 90% or .9 |
3.2 Awareness and Training
Page 21
| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. | AT-2 Security Awareness Training | AT-2(2) Insider Threat | N/A | N/A | N/A | N/A |
| Summary | | | | | N/A | N/A |
3.3 Audit and Accountability
Page 22

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | AU-2 Audit Events | AU-2(1) Compilation Of Audit Records From Multiple Sources | N/A | N/A | N/A | N/A |
| | | AU-2(2) Selection Of Audit Events By Component | | N/A | N/A | N/A |
| | | AU-2(3) Reviews And Updates | | 6.5, 6.7, 6.10, 7.9, 9.10 | 4 | 100% or 1 |
| | | AU-2(4) Privileged Functions | | N/A | N/A | N/A |
| | AU-3 Content of Audit Records | AU-3(1) Additional Audit Information | A.12.4.1* Event logging | N/A | N/A | N/A |
| | AU-6 Audit Record Review, Analysis, and Reporting | AU-6(1) Process Integration | A.12.4.1 Event logging; A.16.1.2 Reporting information security events; A.16.1.4 Assessment of and decision on information security events | 6.5, 6.7, 6.10 | 4 | 100% or 1 |
| | | AU-6(2) Automated Security Alerts | | 6.1 | 4 | 100% or 1 |
| | | AU-6(3) Correlate Audit Repositories | | N/A | N/A | N/A |
| | | AU-6(4) Central Review And Analysis | | 6.1 | 4 | 100% or 1 |
| | | AU-6(5) Integration / Scanning And Monitoring Capabilities | | 6.1 | 4 | 100% or 1 |
| | | AU-6(6) Correlation With Physical Monitoring | | N/A | N/A | N/A |
| | | AU-6(7) Permitted Actions | | N/A | N/A | N/A |
| | | AU-6(8) Full Text Analysis Of Privileged Commands | | N/A | N/A | N/A |
| | | AU-6(9) Correlation With Information From Nontechnical Sources | | N/A | N/A | N/A |
| | | AU-6(10) Audit Level Adjustment | | N/A | N/A | N/A |
| | AU-11 Audit Record Retention | AU-11(1) Long-Term Retrieval Capability | A.12.4.1 Event logging; A.12.4.3 Administrator and operator logs | N/A | N/A | N/A |
| | AU-12 Audit Generation | AU-12(1) System-Wide / Time-Correlated Audit Trail | A.12.4.1 Event logging; A.16.1.7 Collection of evidence | N/A | N/A | N/A |
| | | AU-12(2) Standardized Formats | | N/A | N/A | N/A |
| | | AU-12(3) Changes By Authorized Individuals | | N/A | N/A | N/A |
| Summary | | | | | 4 | 30% or .3 |
3.3 Audit and Accountability
Page 23

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.3.3 Review and update logged events. | AU-2 Audit Events | AU-2(3) Reviews And Updates | N/A | 6.5, 6.7, 6.10, 7.9, 9.10 | 4 | 100% or 1 |
| 3.3.4 Alert in the event of an audit logging process failure. | AU-5 Response to Audit Logging Process Failures | AU-5(1) Audit Storage Capacity | N/A | N/A | N/A | N/A |
| | | AU-5(2) Real-Time Alerts | N/A | N/A | N/A | N/A |
| | | AU-5(3) Configurable Traffic Volume Thresholds | N/A | N/A | N/A | N/A |
| | | AU-5(4) Shutdown On Failure | N/A | N/A | N/A | N/A |
| 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | AU-6 Audit Record Review, Analysis, and Reporting | AU-6(3) Correlate Audit Repositories | N/A | N/A | N/A | N/A |
| 3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting. | AU-7 Audit Record Reduction and Report Generation | AU-7(1) Automatic Processing | N/A | N/A | N/A | N/A |
| | | AU-7(2) Automatic Sort And Search | | N/A | N/A | N/A |
| 3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | AU-8 Time Stamps | AU-8(1) Synchronization With Authoritative Time Source | A.12.4.4 Clock synchronization | N/A | N/A | N/A |
| 3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | AU-9 Protection of Audit Information | AU-9(1) Hardware Write-Once Media | A.12.4.2 Protection of log information; A.12.4.3 Administrator and operator logs; A.18.1.3 Protection of records | N/A | N/A | N/A |
| | | AU-9(2) Audit Backup On Separate Physical Systems / Components | | N/A | N/A | N/A |
| | | AU-9(3) Cryptographic Protection | | N/A | N/A | N/A |
3.3 Audit and Accountability
Page 24

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion. (continued from the previous page) | AU-9 Protection of Audit Information | AU-9(4) Access By Subset Of Privileged Users | N/A | N/A | N/A | N/A |
| | | AU-9(5) Dual Authorization | N/A | N/A | N/A | N/A |
| | | AU-9(6) Read-Only Access | N/A | N/A | N/A | N/A |
| 3.3.9 Limit management of audit logging functionality to a subset of privileged users. | AU-9 Protection of Audit Information | AU-9(4) Access By Subset Of Privileged Users | N/A | N/A | N/A | N/A |
| Summary | | | | | 4 | 10% or .1 |
3.4 Configuration Management
Page 25

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems. | CM-2 | CM-2(1) Reviews And Updates | N/A | 6.4 | 4 | 100% or 1 |
| | | CM-2(2) Automation Support For Accuracy / Currency | | 6.4 | 4 | 100% or 1 |
| | | CM-2(3) Retention Of Previous Configurations | | N/A | N/A | N/A |
| | | CM-2(4) Unauthorized Software | | N/A | N/A | N/A |
| | | CM-2(5) Authorized Software | | N/A | N/A | N/A |
| | | CM-2(6) Development And Test Environments | | 6.4 | 4 | 100% or 1 |
| | | CM-2(7) Configure Systems, Components, Or Devices For High-Risk Areas | | 6.3, 6.4, 7.7 | 4 | 100% or 1 |
| | CM-6 | CM-6(1) Automated Central Management / Application / Verification | N/A | 6.4, 6.10, 6.11 | 4 | 100% or 1 |
| | | CM-6(2) Respond To Unauthorized Changes | | N/A | N/A | N/A |
| | | CM-6(3) Unauthorized Change Detection | | 6.3 | 4 | 100% or 1 |
| | | CM-6(4) Conformance Demonstration | | N/A | N/A | N/A |
| | CM-8 | CM-8(1) Updates During Installations / Removals | A.8.1.1 Inventory of assets; A.8.1.2 Ownership of assets | 6.4 | 4 | 100% or 1 |
| Summary | | | | | 4 | 60% or .6 |
3.4 Configuration Management
Page 26

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.4.3 Track, review, approve or disapprove, and log changes to organizational systems. | CM-3 Configuration Change Control | CM-3(1) Automated Document / Notification / Prohibition Of Changes | A.12.1.2 Change management; A.14.2.2 System change control procedures; A.14.2.3 Technical review of applications after operating platform changes; A.14.2.4 Restrictions on changes to software packages | N/A | N/A | N/A |
| | | CM-3(2) Test / Validate / Document Changes | | N/A | N/A | N/A |
| | | CM-3(3) Automated Change Implementation | | N/A | N/A | N/A |
| | | CM-3(4) Security Representative | | N/A | N/A | N/A |
| | | CM-3(5) Automated Security Response | | N/A | N/A | N/A |
| | | CM-3(6) Cryptography Management | | 3.5 | 3 | 80% or .8 |
| 3.4.4 Analyze the security impact of changes prior to implementation. | CM-4 Security Impact Analysis | CM-4(1) Separate Test Environments | A.14.2.3 Technical review of applications after operating platform changes | N/A | N/A | N/A |
| | | CM-4(2) Verification Of Security Functions | | N/A | N/A | N/A |
| 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | CM-5 Access Restrictions for Change | CM-5(1) Automated Access Enforcement / Auditing | A.9.2.3 Management of privileged access rights; A.9.4.5 Access control to program source code; A.12.1.2 Change management; A.12.1.4 Separation of development, testing, and operational environments; A.12.5.1 Installation of software on operational systems | N/A | N/A | N/A |
| | | CM-5(2) Review System Changes | | N/A | N/A | N/A |
| | | CM-5(3) Signed Components | | N/A | N/A | N/A |
| | | CM-5(4) Dual Authorization | | N/A | N/A | N/A |
| | | CM-5(5) Limit Production / Operational Privileges | | N/A | N/A | N/A |
| | | CM-5(6) Limit Library Privileges | | N/A | N/A | N/A |
| | | CM-5(7) Automatic Implementation Of Security Safeguards | | N/A | N/A | N/A |
| 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | CM-7 Least Functionality | CM-7(1) Periodic Review | A.12.5.1* Installation of software on operational systems | N/A | N/A | N/A |
| | | CM-7(2) Prevent Program Execution | | N/A | N/A | N/A |
| | | CM-7(3) Registration Compliance | | N/A | N/A | N/A |
| | | CM-7(4) Unauthorized Software / Blacklisting | | N/A | N/A | N/A |
| | | CM-7(5) Authorized Software / Whitelisting | | N/A | N/A | N/A |
3.4 Configuration Management
Page 27

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | CM-7 Least Functionality | CM-7(1) Periodic Review | N/A | N/A | N/A | N/A |
| | | CM-7(2) Prevent Program Execution | | N/A | N/A | N/A |
| 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | CM-7 Least Functionality | CM-7(4) Unauthorized Software / Blacklisting | N/A | 4.4, 7.6 | 3 | 80% or .8 |
| | | CM-7(5) Authorized Software / Whitelisting | | 4.4, 7.6 | 3 | 80% or .8 |
| 3.4.9 Control and monitor user-installed software. | CM-11 User-Installed Software | CM-11(1) Alerts For Unauthorized Installations | A.12.5.1 Installation of software on operational systems; A.12.6.2 Restrictions on software installation | 4.4 | 3 | 80% or .8 |
| | | CM-11(2) Prohibit Installation Without Privileged Status | | 4.4 | 3 | 80% or .8 |
| Summary | | | | | 3 | 15% or .15 |
3.5 Identification and Authentication
Page 28

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.5.1 Identify system users, processes acting on behalf of users, and devices. 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. | IA-2 Identification and Authentication (Organizational Users) | IA-2(1) Network Access To Privileged Accounts | A.9.2.1 User registration and de-registration | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(2) Network Access To Non-Privileged Accounts | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(3) Local Access To Privileged Accounts | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(4) Local Access To Non-Privileged Accounts | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(5) Group Authentication | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(6) Network Access To Privileged Accounts - Separate Device | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(7) Network Access To Non-Privileged Accounts - Separate Device | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(8) Network Access To Privileged Accounts - Replay Resistant | | N/A | N/A | N/A |
| | | IA-2(9) Network Access To Non-Privileged Accounts - Replay Resistant | | N/A | N/A | N/A |
| | | IA-2(10) Single Sign-On | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(11) Remote Access - Separate Device | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(12) Acceptance Of PIV Credentials | | N/A | N/A | N/A |
| | | IA-2(13) Out-Of-Band Authentication | | N/A | N/A | N/A |
| | IA-3 Device Identification and Authentication | IA-3(1) Cryptographic Bidirectional Authentication | N/A | 3.5, 3.7, 4.4 | 4 | 100% or 1 |
| | | IA-3(2) Cryptographic Bidirectional Network Authentication | | 3.5, 3.7, 4.4 | 4 | 100% or 1 |
| | | IA-3(3) Dynamic Address Allocation | | 4.4 | 4 | 100% or 1 |
| | | IA-3(4) Device Attestation | | 4.4 | 4 | 100% or 1 |
| | IA-5 Authenticator Management | IA-5(1) Password-Based Authentication | A.9.2.1 User registration and de-registration; A.9.2.4 Management of secret authentication information of users | 3.4 | 4 | 100% or 1 |
| | | IA-5(2) PKI-Based Authentication | | 3.5 | 4 | 100% or 1 |
3.5 Identification and Authentication
Page 29

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.5.1 Identify system users, processes acting on behalf of users, and devices. 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. (continued from the previous page) | IA-5 Authenticator Management | IA-5(3) In-Person Or Trusted Third-Party Registration | A.9.3.1 Use of secret authentication information; A.9.4.3 Password management system | 3.5 | 4 | 100% or 1 |
| | | IA-5(4) Automated Support For Password Strength Determination | | 4.4 | 4 | 100% or 1 |
| | | IA-5(5) Change Authenticators Prior To Delivery | | 4.4 | 4 | 100% or 1 |
| | | IA-5(6) Protection Of Authenticators | | N/A | N/A | N/A |
| | | IA-5(7) No Embedded Unencrypted Static Authenticators | | N/A | N/A | N/A |
| | | IA-5(8) Multiple Information System Accounts | | N/A | N/A | N/A |
| | | IA-5(9) Cross-Organization Credential Management | | N/A | N/A | N/A |
| | | IA-5(10) Dynamic Credential Association | | N/A | N/A | N/A |
| | | IA-5(11) Hardware Token-Based Authentication | | N/A | N/A | N/A |
| | | IA-5(12) Biometric-Based Authentication | | 3.4 | 4 | 100% or 1 |
| | | IA-5(13) Expiration Of Cached Authenticators | | N/A | N/A | N/A |
| | | IA-5(14) Managing Content Of PKI Trust Stores | | N/A | N/A | N/A |
| | | IA-5(15) FICAM-Approved Products And Services | | N/A | N/A | N/A |
| Summary | | | | | 4 | 90% or .9 |
3.5 Identification and Authentication
Page 30

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | IA-2 Identification and Authentication (Organizational Users) | IA-2(1) Network Access To Privileged Accounts | N/A | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(2) Network Access To Non-Privileged Accounts | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| | | IA-2(3) Local Access To Privileged Accounts | | 3.3, 3.4, 4.4 | 4 | 100% or 1 |
| 3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | IA-2 Identification and Authentication (Organizational Users) | IA-2(8) Network Access To Privileged Accounts - Replay Resistant | N/A | N/A | N/A | N/A |
| | | IA-2(9) Network Access To Non-Privileged Accounts - Replay Resistant | | N/A | N/A | N/A |
| 3.5.5 Prevent reuse of identifiers for a defined period. 3.5.6 Disable identifiers after a defined period of inactivity. | IA-4 Identifier Management | IA-4(1) Prohibit Account Identifiers As Public Identifiers | A.9.2.1 User registration and de-registration | N/A | N/A | N/A |
| | | IA-4(2) Supervisor Authorization | | N/A | N/A | N/A |
| | | IA-4(3) Multiple Forms Of Certification | | N/A | N/A | N/A |
| | | IA-4(4) Identify User Status | | N/A | N/A | N/A |
| | | IA-4(5) Dynamic Management | | N/A | N/A | N/A |
| | | IA-4(6) Cross-Organization Management | | N/A | N/A | N/A |
| | | IA-4(7) In-Person Registration | | N/A | N/A | N/A |
| 3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created. | IA-5 Authenticator Management | IA-5(1) Password-Based Authentication | N/A | 3.4 | 4 | 100% or 1 |
| 3.5.8 Prohibit password reuse for a specified number of generations. | | | | | | |
3.5 Identification and Authentication
Page 31

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password. | IA-5 Authenticator Management | IA-5(1) Password-Based Authentication | | | | |
| 3.5.10 Store and transmit only cryptographically-protected passwords. | IA-5 Authenticator Management | IA-5(1) Password-Based Authentication | | | | |
| 3.5.11 Obscure feedback of authentication information. | IA-6 Authenticator Feedback | | A.9.4.2 Secure logon procedures | N/A | N/A | N/A |
| Summary | | | | | 4 | 30% or .3 |
3.6 Incident Response
Page 32

| Security requirement | NIST SP 800-53 relevant security control | Control enhancement | ISO/IEC 27001 relevant security controls | CND exam objectives | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. 3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | IR-2 Incident Response Training | IR-2(1) Simulated Events | A.7.2.2* Information security awareness, education, and training | 14.3 | 4 | 100% or 1 |
| | | IR-2(2) Automated Training Environments | | 14.3 | 4 | 100% or 1 |
| | IR-4 Incident Handling | IR-4(1) Automated Incident Handling Processes | A.16.1.4 Assessment of and decision on information security events; A.16.1.5 Response to information security incidents; A.16.1.6 Learning from information security incidents | 14.3 | 4 | 100% or 1 |
| | | IR-4(2) Dynamic Reconfiguration | | 14.3 | 4 | 100% or 1 |
| | | IR-4(3) Continuity Of Operations | | 14.3 | 4 | 100% or 1 |
| | | IR-4(4) Information Correlation | | 14.3 | 4 | 100% or 1 |
| | | IR-4(5) Automatic Disabling Of Information System | | 14.3 | 4 | 100% or 1 |
| | | IR-4(6) Insider Threats - Specific Capabilities | | 14.3 | 4 | 100% or 1 |
| | | IR-4(7) Insider Threats - Intra-Organization Coordination | | 14.3 | 4 | 100% or 1 |
| | | IR-4(8) Correlation With External Organizations | | 14.3 | 4 | 100% or 1 |
| | | IR-4(9) Dynamic Response Capability | | 14.3 | 4 | 100% or 1 |
| | | IR-4(10) Supply Chain Coordination | | 14.3 | 4 | 100% or 1 |
| | IR-5 Incident Monitoring | IR-5(1) Automated Tracking / Data Collection / Analysis | N/A | 14.3 | 4 | 100% or 1 |
| | IR-6 Incident Reporting | IR-6(1) Automated Reporting | A.6.1.3 Contact with authorities; A.16.1.2 Reporting information security events | 14.3 | 4 | 100% or 1 |
| | | IR-6(2) Vulnerabilities Related To Incidents | | 14.3 | 4 | 100% or 1 |
| | | IR-6(3) Coordination With Supply Chain | | 14.3 | 4 | 100% or 1 |
| | IR-7 Incident Response Assistance | IR-7(1) Automation Support For Availability Of Information / Support | N/A | 14.3 | 4 | 100% or 1 |
| | | IR-7(2) Coordination With External Providers | | 14.3 | 4 | 100% or 1 |
| Summary | | | | | 4 | 100% or 1 |
3.6 Incident Response
Page 33
SECURITY REQUIREMENTS
NIST SP 800-53 Relevant Security Controls
ISO/IEC 27001 Relevant Security Controls
CND EXAM Objectives Proficiency Relational
Coefficient
3.6.3 Test the organiza-tional incident response capability.
IR-3Incident Response Testing
IR-3(1) Automated TestingN/A N/A
14.3 4 100% or 1
IR-3(2) Coordination With Related Plans 14.3 4 100% or 1
Summary 4 100% or 1
3.6 Incident Response
Page 34
3.7 Maintenance

3.7.1 Perform maintenance on organizational systems.
3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.7.1, 3.7.2 | MA-2 Controlled Maintenance | MA-2(1) Record Content | A.11.2.4* Equipment maintenance; A.11.2.5* Removal of assets | N/A | N/A | N/A |
| | | MA-2(2) Automated Maintenance Activities | | 7.7 | 3 | 80% (0.8) |
| | MA-3 Maintenance Tools | MA-3(1) Inspect Tools | N/A | N/A | N/A | N/A |
| | | MA-3(2) Inspect Media | N/A | N/A | N/A | N/A |
| | Summary | | | | 3 | 20% (0.2) |

An asterisk after an ISO/IEC 27001 control number (for example A.11.2.4*) follows the convention of NIST SP 800-171 Appendix D: the ISO/IEC control does not fully satisfy the intent of the mapped NIST control.
3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.7.3 | MA-2 Controlled Maintenance | MA-2(1) Record Content | A.11.2.4* Equipment maintenance; A.11.2.5* Removal of assets | | | |
| | | MA-2(2) Automated Maintenance Activities | | 7.7 | 3 | 80% (0.8) |
| 3.7.4 | MA-3 Maintenance Tools | MA-3(2) Inspect Media | N/A | N/A | N/A | N/A |
| 3.7.5 | MA-4 Nonlocal Maintenance | MA-4(1) Auditing And Review | N/A | 6.3, 6.7, 6.10, 7.12, 9.10, 10.12 | 4 | 100% (1.0) |
| | | MA-4(2) Document Nonlocal Maintenance | | N/A | N/A | N/A |
| | | MA-4(3) Comparable Security / Sanitization | | N/A | N/A | N/A |
| | | MA-4(4) Authentication / Separation Of Maintenance Sessions | | N/A | N/A | N/A |
| | | MA-4(5) Approvals And Notifications | | N/A | N/A | N/A |
| | | MA-4(6) Cryptographic Protection | | N/A | N/A | N/A |
| | | MA-4(7) Remote Disconnect Verification | | N/A | N/A | N/A |
| 3.7.6 | MA-5 Maintenance Personnel | MA-5(1) Individuals Without Appropriate Access | N/A | N/A | N/A | N/A |
| | | MA-5(2) Security Clearances For Classified Systems | | N/A | N/A | N/A |
| | | MA-5(3) Citizenship Requirements For Classified Systems | | N/A | N/A | N/A |
| | | MA-5(4) Foreign Nationals | | N/A | N/A | N/A |
| | | MA-5(5) Non-System-Related Maintenance | | N/A | N/A | N/A |
| | Summary | | | | 3 | 10% (0.1) |
3.8 Media Protection

3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.2 Limit access to CUI on system media to authorized users.
3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.8.1, 3.8.2, 3.8.3 | MP-2 Media Access | MP-2(1) Automated Restricted Access | A.8.2.3 Handling of assets; A.8.3.1 Management of removable media; A.11.2.9 Clear desk and clear screen policy | 5.5 | 3 | 80% (0.8) |
| | | MP-2(2) Cryptographic Protection | | 3.5 | 4 | 100% (1.0) |
| | MP-4 Media Storage | MP-4(1) Cryptographic Protection | A.8.2.3 Handling of assets; A.8.3.1 Management of removable media; A.11.2.9 Clear desk and clear screen policy | 3.5 | 4 | 100% (1.0) |
| | | MP-4(2) Automated Restricted Access | | 5.5 | 3 | 80% (0.8) |
| | MP-6 Media Sanitization | MP-6(1) Review / Approve / Track / Document / Verify | A.8.2.3 Handling of assets; A.8.3.1 Management of removable media; A.8.3.2 Disposal of media; A.11.2.7 Secure disposal or reuse of equipment | 14.2 | 3 | 80% (0.8) |
| | | MP-6(2) Equipment Testing | | 14.2 | 3 | 80% (0.8) |
| | | MP-6(3) Nondestructive Techniques | | 14.2 | 3 | 80% (0.8) |
| | | MP-6(4) Controlled Unclassified Information | | 14.2 | 3 | 80% (0.8) |
| | | MP-6(5) Classified Information | | 14.2 | 3 | 80% (0.8) |
| | | MP-6(6) Media Destruction | | N/A | N/A | N/A |
| | | MP-6(7) Dual Authorization | | N/A | N/A | N/A |
| | | MP-6(8) Remote Purging / Wiping Of Information | | N/A | N/A | N/A |
| | Summary | | | | 3 | 80% (0.8) |
3.8.4 Mark media with necessary CUI markings and distribution limitations.
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7 Control the use of removable media on system components.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9 Protect the confidentiality of backup CUI at storage locations.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.8.4 | MP-3 Media Marking | | A.8.2.2 Labelling of information | | | |
| 3.8.5 | MP-5 Media Transport | MP-5(1) Protection Outside Of Controlled Areas | A.8.2.3 Handling of assets; A.8.3.1 Management of removable media; A.8.3.3 Physical media transfer; A.11.2.5 Removal of assets; A.11.2.6 Security of equipment and assets off-premises | 14.2 | 3 | 80% (0.8) |
| | | MP-5(2) Documentation Of Activities | | 14.2 | 3 | 80% (0.8) |
| | | MP-5(3) Custodians | | 14.2 | 3 | 80% (0.8) |
| | | MP-5(4) Cryptographic Protection | | 3.5 | 4 | 100% (1.0) |
| 3.8.6 | MP-5 Media Transport | MP-5(4) Cryptographic Protection | N/A | 3.5 | 4 | 100% (1.0) |
| 3.8.7 | MP-7 Media Use | MP-7(1) Prohibit Use Without Owner | A.8.2.3 Handling of assets; A.8.3.1 Management of removable media | 4.4 | 3 | 80% (0.8) |
| | | MP-7(2) Prohibit Use Of Sanitization-Resistant Media | | 4.4 | 3 | 80% (0.8) |
| 3.8.8 | MP-7 Media Use | MP-7(1) Prohibit Use Without Owner | N/A | 4.4 | 3 | 80% (0.8) |
| 3.8.9 | CP-9 System Backup | CP-9(1) Testing For Reliability / Integrity | A.12.3.1 Information backup; A.17.1.2 Implementing information security continuity; A.18.1.3 Protection of records | 4.4, 13.1 | 3 | 80% (0.8) |
| | | CP-9(2) Test Restoration Using Sampling | | 13.9 | 3 | 80% (0.8) |
| | | CP-9(3) Separate Storage For Critical Information | | 13.7 | 4 | 100% (1.0) |
| | | CP-9(4) Protection From Unauthorized Modification | | 4.4 | 3 | 80% (0.8) |
| | | CP-9(5) Transfer To Alternate Storage Site | | 13.6 | 4 | 100% (1.0) |
| | | CP-9(6) Redundant Secondary System | | 13.2 | 4 | 100% (1.0) |
| | | CP-9(7) Dual Authorization | | 13.2 | 4 | 100% (1.0) |
| | Summary | | | | 3 | 90% (0.9) |
3.9 Personnel Security

This family has basic security requirements only; there are no derived security requirements.

3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.9.1, 3.9.2 | PS-3 Personnel Screening | PS-3(1) Classified Information | A.7.1.1 Screening | 4.4, 5.6 | 4 | 100% (1.0) |
| | | PS-3(2) Formal Indoctrination | | 4.4, 5.6 | 4 | 100% (1.0) |
| | | PS-3(3) Information With Special Protection Measures | | 4.4, 5.6 | 4 | 100% (1.0) |
| | PS-4 Personnel Termination | PS-4(1) Post-Employment Requirements | A.7.3.1 Termination or change of employment responsibilities; A.8.1.4 Return of assets | 4.4, 5.6 | 4 | 100% (1.0) |
| | | PS-4(2) Automated Notification | | 4.4, 5.6 | 4 | 100% (1.0) |
| | PS-5 Personnel Transfer | | A.7.3.1 Termination or change of employment responsibilities; A.8.1.4 Return of assets | 4.4, 5.6 | 4 | 100% (1.0) |
| | Summary | | | | 4 | 100% (1.0) |
3.10 Physical Protection

3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.10.1, 3.10.2 | PE-2 Physical Access Authorizations | PE-2(1) Access By Position / Role | A.11.1.2* Physical entry controls | 4.4, 5.2, 5.3 | 4 | 100% (1.0) |
| | | PE-2(2) Two Forms Of Identification | | 4.4, 5.2, 5.3 | 4 | 100% (1.0) |
| | | PE-2(3) Restrict Unescorted Access | | 4.4, 5.2, 5.3 | 4 | 100% (1.0) |
| | PE-4 Access Control for Transmission Medium | | A.11.1.2 Physical entry controls | 5.3, 5.4 | 4 | 100% (1.0) |
| | | | A.11.2.3 Cabling security | 5.5 | 4 | 100% (1.0) |
| | PE-5 Access Control for Output Devices | PE-5(1) Access To Output By Authorized Individuals | A.11.1.2 Physical entry controls; A.11.1.3 Securing offices, rooms, and facilities | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-5(2) Access To Output By Individual Identity | | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-5(3) Marking Output Devices | | 5.3, 5.4 | 4 | 100% (1.0) |
| | PE-6 Monitoring Physical Access | PE-6(1) Intrusion Alarms / Surveillance Equipment | N/A | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-6(2) Automated Intrusion Recognition / Responses | | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-6(3) Video Surveillance | | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-6(4) Monitoring Physical Access To Information Systems | | 5.3, 5.4 | 4 | 100% (1.0) |
| | Summary | | | | 4 | 100% (1.0) |
3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
3.10.6 Enforce safeguarding measures for CUI at alternate work sites.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.10.3, 3.10.4, 3.10.5 | PE-3 Physical Access Control | PE-3(1) Information System Access | A.11.1.1 Physical security perimeter; A.11.1.2 Physical entry controls; A.11.1.3 Securing offices, rooms, and facilities | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-3(2) Facility / Information System Boundaries | | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-3(3) Continuous Guards / Alarms / Monitoring | | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-3(4) Lockable Casings | | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-3(5) Tamper Protection | | 5.3, 5.4 | 4 | 100% (1.0) |
| | | PE-3(6) Facility Penetration Testing | | 5.3, 5.4 | 4 | 100% (1.0) |
| 3.10.6 | PE-17 Alternate Work Site | | A.6.2.2 Teleworking | 4.4 | 3 | 80% (0.8) |
| | | | A.11.2.6 Security of equipment and assets off-premises | 4.4 | 3 | 80% (0.8) |
| | | | A.13.2.1 Information transfer policies and procedures | 4.4 | 3 | 80% (0.8) |
| | Summary | | | | 4 | 90% (0.9) |
3.11 Risk Assessment

3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.11.1 | RA-3 Risk Assessment | | A.12.6.1* Management of technical vulnerabilities | 12.1, 12.2, 12.3, 12.4 | 4 | 100% (1.0) |
| | Summary | | | | 4 | 100% (1.0) |
3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3 Remediate vulnerabilities in accordance with risk assessments.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.11.2 | RA-5 Vulnerability Scanning | RA-5(5) Privileged Access | A.12.6.1* Management of technical vulnerabilities | 12.5, 12.6 | 4 | 100% (1.0) |
| 3.11.3 | RA-5 Vulnerability Scanning | RA-5(1) Update Tool Capability | A.12.6.1* Management of technical vulnerabilities | 12.6 | 4 | 100% (1.0) |
| | | RA-5(2) Update By Frequency / Prior To New Scan / When Identified | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(3) Breadth / Depth Of Coverage | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(4) Discoverable Information | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(5) Privileged Access | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(6) Automated Trend Analyses | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(7) Automated Detection And Notification Of Unauthorized Components | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(8) Review Historic Audit Logs | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(9) Penetration Testing And Analyses | | 12.6 | 4 | 100% (1.0) |
| | | RA-5(10) Correlate Scanning Information | | 12.6 | 4 | 100% (1.0) |
| | Summary | | | | 4 | 100% (1.0) |
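The 3.11.2 and 3.11.3 rows say what must happen (scan, then remediate "in accordance with risk assessments") but not how a remediation queue is actually prioritised and tracked. The following Python is an added example, not code from the EC-Council document or from NIST: it derives a remediation tier and deadline for every open scan finding from its CVSS score and two asset attributes (internet exposure and whether the host handles CUI), and lists the findings that are past their deadline. The tier bands, SLA windows, host names and finding records are constructed assumptions for the example, not values taken from either standard.

```python
"""Risk-based remediation tracking for vulnerability scan findings.

Added example, not from the EC-Council mapping document or from NIST.
Each open finding gets a remediation deadline derived from its risk tier
(3.11.3); anything past that deadline is reported so the next periodic or
advisory-triggered scan (3.11.2) has a list to verify against. The risk
bands, SLA windows, host names and finding records are constructed for the
example and are assumptions, not values taken from either standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Tuple

# Assumed organisational policy: remediation window per risk tier, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIERS = ["low", "medium", "high", "critical"]


def risk_tier(cvss: float, internet_facing: bool, handles_cui: bool) -> str:
    """Map a CVSS base score plus two asset attributes to a remediation tier.

    The CVSS bands use the usual 4.0 / 7.0 / 9.0 cut-offs; internet exposure
    and CUI handling each escalate the tier by one step. That escalation is
    what "in accordance with risk assessments" means in practice: the same
    flaw is more urgent on a public, CUI-bearing host than on an isolated one.
    """
    if cvss >= 9.0:
        idx = 3
    elif cvss >= 7.0:
        idx = 2
    elif cvss >= 4.0:
        idx = 1
    else:
        idx = 0
    idx += int(internet_facing) + int(handles_cui)
    return TIERS[min(idx, len(TIERS) - 1)]


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # scanner's own identifier (constructed here)
    cvss: float
    first_seen: date         # date the scanner first reported the finding
    internet_facing: bool
    handles_cui: bool
    fixed: bool = False

    @property
    def tier(self) -> str:
        return risk_tier(self.cvss, self.internet_facing, self.handles_cui)

    @property
    def due(self) -> date:
        # The clock starts at first detection, not at triage, so a finding
        # that sits unreviewed still burns its SLA window.
        return self.first_seen + timedelta(days=SLA_DAYS[self.tier])


def overdue(findings: Iterable[Finding], today: date) -> List[Tuple[str, str, str, int]]:
    """Return (host, finding_id, tier, days_late) for every open finding past
    its deadline, most overdue first."""
    late = []
    for f in findings:
        if f.fixed:
            continue
        days_late = (today - f.due).days
        if days_late > 0:
            late.append((f.host, f.finding_id, f.tier, days_late))
    late.sort(key=lambda row: row[3], reverse=True)
    return late


# Constructed scan results; every value is illustrative.
SAMPLE_FINDINGS = [
    Finding("web-01", "F-101", 9.8, date(2024, 2, 10), internet_facing=True, handles_cui=False),
    Finding("db-01", "F-102", 6.5, date(2024, 1, 20), internet_facing=False, handles_cui=True),
    Finding("ws-07", "F-103", 3.1, date(2024, 2, 25), internet_facing=False, handles_cui=False),
    Finding("app-02", "F-104", 7.5, date(2024, 2, 20), internet_facing=False, handles_cui=False),
    Finding("web-01", "F-105", 8.0, date(2024, 1, 1), internet_facing=True, handles_cui=True, fixed=True),
]


def report(today: date = date(2024, 3, 1)) -> List[Tuple[str, str, str, int]]:
    """Print and return the overdue list for the constructed sample."""
    rows = overdue(SAMPLE_FINDINGS, today)
    for host, fid, tier, days in rows:
        print(f"{host:8} {fid:6} {tier:9} {days:3d} days past SLA")
    return rows


if __name__ == "__main__":
    report()
```

Run as a script it prints the two sample findings that are past their window on 1 March 2024; the same `overdue()` call, fed real scanner export records instead of `SAMPLE_FINDINGS`, is what a plan of action and milestones (the CA-5 control mapped under 3.12) would be built from.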
3.12 Security Assessment

This family has basic security requirements only; there are no derived security requirements.

3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.12.1 to 3.12.4 | CA-2 Security Assessments | CA-2(1) Independent Assessors | A.14.2.8 System security testing; A.18.2.2 Compliance with security policies and standards; A.18.2.3 Technical compliance review | 6.3, 6.6, 6.8, 6.9, 6.11, 6.13, 10.11 | 4 | 100% (1.0) |
| | | CA-2(2) Specialized Assessments | | 12.6 | 4 | 100% (1.0) |
| | | CA-2(3) External Organizations | | 9.8 | 4 | 100% (1.0) |
| | CA-5 Plan of Action and Milestones | CA-5(1) Automation Support For Accuracy / Currency | N/A | 12.6 | 4 | 100% (1.0) |
| | CA-7 Continuous Monitoring | CA-7(1) Independent Assessment | N/A | 11.1-11.9, 12.6 | 4 | 100% (1.0) |
| | | CA-7(2) Types Of Assessments | | 12.6 | 4 | 100% (1.0) |
| | | CA-7(3) Trend Analyses | | 11.1-11.9 | 4 | 100% (1.0) |
| | PL-2 System Security Plan | PL-2(1) Concept Of Operations | A.6.1.2 Information security coordination | N/A | N/A | N/A |
| | | PL-2(2) Functional Architecture | | N/A | N/A | N/A |
| | | PL-2(3) Plan / Coordinate With Other Organizational Entities | | N/A | N/A | N/A |
| | Summary | | | | 4 | 70% (0.7) |
3.13 System and Communications Protection

3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.13.1, 3.13.2 | SC-7 Boundary Protection | SC-7(1) Physically Separated Subnetworks | A.13.1.1 Network controls; A.13.1.3 Segregation in networks; A.13.2.1 Information transfer policies and procedures; A.14.1.3 Protecting application services transactions | 1.5 | 3 | 80% (0.8) |
| | | SC-7(2) Public Access | | 7.8 | 3 | 80% (0.8) |
| | | SC-7(3) Access Points | | 10.5, 10.6 | 4 | 100% (1.0) |
| | | SC-7(4) External Telecommunications Services | | N/A | N/A | N/A |
| | | SC-7(5) Deny By Default / Allow By Exception | | 7.8 | 3 | 80% (0.8) |
| | | SC-7(6) Response To Recognized Failures | | N/A | N/A | N/A |
| | | SC-7(7) Prevent Split Tunneling For Remote Devices | | 9.1 | 4 | 100% (1.0) |
| | | SC-7(8) Route Traffic To Authenticated Proxy Servers | | 3.7 | 3 | 80% (0.8) |
| | | SC-7(9) Restrict Threatening Outgoing Communications Traffic | | 11.1-11.9 | 4 | 100% (1.0) |
| | | SC-7(10) Prevent Unauthorized Exfiltration | | 7.8 | 3 | 80% (0.8) |
| | | SC-7(11) Restrict Incoming Communications Traffic | | 11.1-11.9 | 4 | 100% (1.0) |
| | | SC-7(12) Host-Based Protection | | 6.3 | 4 | 100% (1.0) |
| | | SC-7(13) Isolation Of Security Tools / Mechanisms / Support Components | | N/A | N/A | N/A |
| | | SC-7(14) Protects Against Unauthorized Physical Connections | | 5.3 | 4 | 100% (1.0) |
| | | SC-7(15) Route Privileged Network Accesses | | 3.3 | 4 | 100% (1.0) |
| | | SC-7(16) Prevent Discovery Of Components / Devices | | N/A | N/A | N/A |
| | | SC-7(17) Automated Enforcement Of Protocol Formats | | 3.8 | 4 | 100% (1.0) |
| | | SC-7(18) Fail Secure | | N/A | N/A | N/A |
| | | SC-7(19) Blocks Communication From Non-Organizationally Configured Hosts | | 7.1 | 4 | 100% (1.0) |
| | | SC-7(20) Dynamic Isolation / Segregation | | N/A | N/A | N/A |
| | | SC-7(21) Isolation Of Information System Components | | N/A | N/A | N/A |
| | | SC-7(22) Separate Subnets For Connecting To Different Security Domains | | N/A | N/A | N/A |
| | | SC-7(23) Disable Sender Feedback On Protocol Validation Failure | | N/A | N/A | N/A |
| | SA-8 Security Engineering Principles | | A.14.2.5 Secure system engineering principles | N/A | N/A | N/A |
| | Summary | | | | 4 | 50% (0.5) |
3.13.3 Separate user functionality from system management functionality.
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.13.3 | SC-2 Application Partitioning | SC-2(1) Interfaces For Non-Privileged Users | N/A | 4.4, 6.11 | 4 | 100% (1.0) |
| 3.13.4 | SC-4 Information in Shared Resources | SC-4(1) Security Levels | N/A | N/A | N/A | N/A |
| | | SC-4(2) Periods Processing | | N/A | N/A | N/A |
| 3.13.5 | SC-7 Boundary Protection | SC-7(1) through SC-7(23) | A.13.1.1 Network controls; A.13.1.3 Segregation in networks; A.13.2.1 Information transfer policies and procedures; A.14.1.3 Protecting application services transactions | Same per-enhancement objectives, proficiency levels and coefficients as listed for SC-7 under 3.13.1 and 3.13.2 | | |
| 3.13.6 | SC-7 Boundary Protection | SC-7(5) Deny By Default / Allow By Exception | N/A | 7.8 | 3 | 80% (0.8) |
3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.13.7 | SC-7 Boundary Protection | SC-7(7) Prevent Split Tunneling For Remote Devices | N/A | 9.1 | 4 | 100% (1.0) |
| 3.13.8 | SC-8 Transmission Confidentiality and Integrity | SC-8(1) Cryptographic Or Alternate Physical Protection | A.8.2.3 Handling of assets; A.13.1.1 Network controls; A.13.2.1 Information transfer policies and procedures; A.13.2.3 Electronic messaging; A.14.1.2 Securing application services on public networks; A.14.1.3 Protecting application services transactions | 3.4, 3.5, 3.8 | 4 | 100% (1.0) |
| 3.13.9 | SC-10 Network Disconnect | | A.13.1.1 Network controls | N/A | N/A | N/A |
| 3.13.10 | SC-12 Cryptographic Key Establishment and Management | SC-12(1) Availability | A.10.1.2 Key management | 3.5 | 4 | 100% (1.0) |
| | | SC-12(2) Symmetric Keys | | 3.5 | 4 | 100% (1.0) |
| | | SC-12(3) Asymmetric Keys | | 3.5 | 4 | 100% (1.0) |
| | | SC-12(4) PKI Certificates | | 3.5 | 4 | 100% (1.0) |
| | | SC-12(5) PKI Certificates / Hardware Tokens | | 3.5 | 4 | 100% (1.0) |
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
3.13.13 Control and monitor the use of mobile code.
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
3.13.15 Protect the authenticity of communications sessions.
3.13.16 Protect the confidentiality of CUI at rest.

| Req. | NIST SP 800-53 control | Enhancement | ISO/IEC 27001 control | CND exam objective | Proficiency | Relational coefficient |
|---|---|---|---|---|---|---|
| 3.13.11 | SC-13 Cryptographic Protection | SC-13(1) FIPS-Validated Cryptography | A.10.1.1 Policy on the use of cryptographic controls; A.14.1.2 Securing application services on public networks; A.14.1.3 Protecting application services transactions; A.18.1.5 Regulation of cryptographic controls | 4.4 | 4 | 100% (1.0) |
| | | SC-13(2) NSA-Approved Cryptography | | 4.4 | 4 | 100% (1.0) |
| | | SC-13(3) Individuals Without Formal Access Approvals | | 4.4 | 4 | 100% (1.0) |
| | | SC-13(4) Digital Signatures | | 3.5 | 4 | 100% (1.0) |
| 3.13.12 | SC-15 Collaborative Computing Devices | SC-15(1) Physical Disconnect | A.13.2.1* Information transfer policies and procedures | N/A | N/A | N/A |
| | | SC-15(2) Blocking Inbound / Outbound Communications Traffic | | 7.1 | 4 | 100% (1.0) |
| | | SC-15(3) Disabling / Removal In Secure Work Areas | | N/A | N/A | N/A |
| | | SC-15(4) Explicitly Indicate Current Participants | | 9.1 | 3 | 80% (0.8) |
| 3.13.13 | SC-18 Mobile Code | SC-18(1) Identify Unacceptable Code / Take Corrective Actions | N/A | N/A | N/A | N/A |
| | | SC-18(2) Acquisition / Development / Use | | N/A | N/A | N/A |
| | | SC-18(3) Prevent Downloading / Execution | | N/A | N/A | N/A |
| | | SC-18(4) Prevent Automatic Execution | | N/A | N/A | N/A |
| | | SC-18(5) Allow Execution Only In Confined Environments | | N/A | N/A | N/A |
| 3.13.14 | SC-19 Voice over Internet Protocol | | N/A | N/A | N/A | N/A |
| 3.13.15 | SC-23 Session Authenticity | SC-23(1) Invalidate Session Identifiers At Logout | N/A | N/A | N/A | N/A |
| | | SC-23(2) User-Initiated Logouts / Message Displays | | N/A | N/A | N/A |
| | | SC-23(3) Unique Session Identifiers With Randomization | | N/A | N/A | N/A |
| | | SC-23(4) Unique Session Identifiers With Randomization (withdrawn in SP 800-53 Rev. 4 and incorporated into SC-23(3)) | | N/A | N/A | N/A |
| | | SC-23(5) Allowed Certificate Authorities | | N/A | N/A | N/A |
| 3.13.16 | SC-28 Protection of Information at Rest | SC-28(1) Cryptographic Protection | A.8.2.3* Handling of assets | 3.5 | 4 | 100% (1.0) |
| | | SC-28(2) Off-Line Storage | | 13.5 | 4 | 100% (1.0) |
| | Summary | | | | 4 | 50% (0.5) |
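Requirements 3.13.9 (terminate sessions at the end of the session or after a defined period of inactivity) and 3.13.15 with its SC-23 enhancements (unique, randomized session identifiers; identifiers invalidated at logout) describe the server side of web session handling without showing it. The Python below is an added example, not code from the EC-Council document or from NIST. It implements a session store that issues 256-bit random identifiers from the OS CSPRNG, keeps only a hash of each identifier server-side, rotates the identifier after authentication or privilege change, invalidates it at logout, and terminates sessions on idle or absolute timeout. The timeout values, the in-memory table and the injectable clock are assumptions made for the example; a real service would back the table with a shared cache or database and send the token in a cookie flagged Secure and HttpOnly.

```python
"""Server-side session handling for 3.13.9 and 3.13.15 (SC-10, SC-23).

Added example, not code from the EC-Council document or from NIST. Session
identifiers are unique and unpredictable (SC-23(3)), are invalidated at
logout (SC-23(1)) and rotated on privilege change, and a session is
terminated after a period of inactivity or a maximum lifetime (3.13.9 /
SC-10). Timeouts, the in-memory store and the injectable clock are
assumptions made for the example.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Session table keyed by the SHA-256 of the bearer token.

    Storing only the hash means a copy of the table (a memory dump, a leaked
    cache snapshot) does not yield tokens that can be replayed; the token
    itself exists only in the client's cookie and in transit.
    """

    def __init__(self, idle_timeout: float = 900, absolute_timeout: float = 8 * 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.absolute_timeout = absolute_timeout  # hard lifetime regardless of activity
        self._clock = clock
        self._sessions: Dict[str, _Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # utf-8, not ascii: an attacker-supplied cookie may contain anything,
        # and an unknown token must resolve to "no session", not an exception.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _expired(self, s: _Session, now: float) -> bool:
        return now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout

    def create(self, user: str) -> str:
        """Issue a fresh identifier: 256 bits from the OS CSPRNG, never derived
        from user attributes, time or a counter (SC-23(3))."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = _Session(user, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user bound to the token, or None if unknown or expired.
        Expired sessions are removed on sight, not merely refused (SC-10)."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[key]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> bool:
        """Invalidate server-side at logout (SC-23(1)). Deleting the cookie on
        the client is not enough: the server would still honour the token."""
        return self._sessions.pop(self._key(token), None) is not None

    def rotate(self, token: str) -> Optional[str]:
        """Replace the identifier after authentication or a privilege change so
        an identifier fixed before login cannot be reused afterwards."""
        user = self.resolve(token)
        if user is None:
            return None
        self.logout(token)
        return self.create(user)

    def sweep(self) -> int:
        """Drop every expired session that was never touched again; returns how
        many were removed. Run periodically so idle sessions do not linger."""
        now = self._clock()
        expired = [k for k, s in self._sessions.items() if self._expired(s, now)]
        for k in expired:
            del self._sessions[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._sessions)
```

`resolve()` is what every authenticated request calls; `rotate()` belongs immediately after a successful login or step-up, and `logout()` is the handler behind the logout button. The idle timeout satisfies the "defined period of inactivity" wording of 3.13.9 and the absolute timeout bounds how long a stolen but still-active token remains useful.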
3.14 System and Information Integrity
SECURITY REQUIREMENTS | NIST SP 800-53 Relevant Security Controls | ISO/IEC 27001 Relevant Security Controls | CND EXAM Objectives | Proficiency | Relational Coefficient
3.14.1 Identify, report, and correct system flaws in a timely manner. 3.14.2 Provide protection from malicious code at designated locations within organizational systems. 3.14.3 Monitor system security alerts and advisories and take action in response. | SI-2 Flaw Remediation | | | |
| SI-2(1) Central Management | A.12.6.1 Management of technical vulnerabilities; A.14.2.2 System change control procedures; A.14.2.3 Technical review of applications after operating platform changes; A.16.1.3 Reporting information security weaknesses | 12.5 | 4 | 100% or 1
| SI-2(2) Automated Flaw Remediation Status | | 12.5 | 4 | 100% or 1
| SI-2(3) Time To Remediate Flaws / Benchmarks For Corrective Actions | | 12.5 | 4 | 100% or 1
| SI-2(4) Automated Patch Management Tools | | 6.4 | 4 | 100% or 1
| SI-2(5) Automatic Software / Firmware Updates | | 6.4 | 4 | 100% or 1
| SI-2(6) Removal Of Previous Versions Of Software / Firmware | | 6.4 | 4 | 100% or 1
| SI-3 Malicious Code Protection | | | |
| SI-3(1) Central Management | A.12.2.1 Controls against malware | 6.10, 6.11 | 4 | 100% or 1
| SI-3(2) Automatic Updates | | 6.1-6.13 | 4 | 100% or 1
| SI-3(3) Non-Privileged Users | | 6.1-6.13 | 4 | 100% or 1
| SI-3(4) Updates Only By Privileged Users | | 6.1-6.13 | 4 | 100% or 1
| SI-3(5) Portable Storage Devices | | 4.4 | 4 | 100% or 1
| SI-3(6) Testing / Verification | | 6.1-6.13 | 4 | 100% or 1
| SI-3(7) Nonsignature-Based Detection | | 8.3 | 4 | 100% or 1
| SI-3(8) Detect Unauthorized Commands | | N/A | N/A | N/A
| SI-3(9) Authenticate Remote Commands | | N/A | N/A | N/A
| SI-3(10) Malicious Code Analysis | | N/A | N/A | N/A
| SI-5 Security Alerts, Advisories, and Directives | | | |
| SI-5(1) Automated Alerts And Advisories | A.6.1.4* Contact with special interest groups | 14.1-14.4 | 4 | 100% or 1
Summary | | | | 4 | 80% or .8
SECURITY REQUIREMENTS | NIST SP 800-53 Relevant Security Controls | ISO/IEC 27001 Relevant Security Controls | CND EXAM Objectives | Proficiency | Relational Coefficient
3.14.4 Update malicious code protection mechanisms when new releases are available. 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed. | SI-3 Malicious Code Protection | | | |
| SI-3(1) Central Management | A.12.2.1 Controls against malware | 6.10, 6.11 | 4 | 100% or 1
| SI-3(2) Automatic Updates | | 6.1-6.13 | 4 | 100% or 1
| SI-3(3) Non-Privileged Users | | 6.1-6.13 | 4 | 100% or 1
| SI-3(4) Updates Only By Privileged Users | | 6.1-6.13 | 4 | 100% or 1
| SI-3(5) Portable Storage Devices | | 4.4 | 4 | 100% or 1
| SI-3(6) Testing / Verification | | 6.1-6.13 | 4 | 100% or 1
| SI-3(7) Nonsignature-Based Detection | | 8.3 | 4 | 100% or 1
| SI-3(8) Detect Unauthorized Commands | | N/A | N/A | N/A
| SI-3(9) Authenticate Remote Commands | | N/A | N/A | N/A
| SI-3(10) Malicious Code Analysis | | N/A | N/A | N/A
3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | SI-4 System Monitoring | | | |
| SI-4(4) Inbound And Outbound Communications Traffic | N/A | 11.1-11.9 | 4 | 100% or 1
3.14.7 Identify unauthorized use of organizational systems. | SI-4 System Monitoring | | | |
| SI-4(1) System-Wide Intrusion Detection System | N/A | 8.1-8.10 | 4 | 100% or 1
| SI-4(2) Automated Tools For Real-Time Analysis | | 11.1-11.9 | 4 | 100% or 1
| SI-4(3) Automated Tool Integration | | 11.1-11.9, 6.4 | 4 | 100% or 1
| SI-4(4) Inbound And Outbound Communications Traffic | | 11.1-11.9 | 4 | 100% or 1
| SI-4(5) System-Generated Alerts | | 8.2, 8.5 | 4 | 100% or 1
| SI-4(6) Restrict Non-Privileged Users | | 6.1-6.13 | 4 | 100% or 1
| SI-4(7) Automated Response To Suspicious Events | | 4.4, 8.2 | 4 | 100% or 1
| SI-4(8) Protection Of Monitoring Information | | 4.4 | 4 | 100% or 1
| SI-4(9) Testing Of Monitoring Tools | | 11.1-11.9 | 4 | 100% or 1
| SI-4(10) Visibility Of Encrypted Communications | N/A | 3.5 | 4 | 100% or 1
| SI-4(11) Analyze Communications Traffic Anomalies | | 11.1-11.9 | 4 | 100% or 1
| SI-4(12) Automated Alerts | | 6.4, 8.2, 8.4 | 4 | 100% or 1
| SI-4(13) Analyze Traffic / Event Patterns | | 11.1-11.9 | 4 | 100% or 1
| SI-4(14) Wireless Intrusion Detection | | 10.8 | 4 | 100% or 1
| SI-4(15) Wireless To Wireline Communications | | 10.5 | 4 | 100% or 1
| SI-4(16) Correlate Monitoring Information | | 11.1-11.9 | 4 | 100% or 1
| SI-4(17) Integrated Situational Awareness | | 4.5, 14.3 | 4 | 100% or 1
| SI-4(18) Analyze Traffic / Covert Exfiltration | | 11.1-11.9 | 4 | 100% or 1
| SI-4(19) Individuals Posing Greater Risk | | 12.2 | 4 | 100% or 1
| SI-4(20) Privileged User | | 4.4, 6.3, 6.10 | 4 | 100% or 1
| SI-4(21) Probationary Periods | | N/A | N/A | N/A
| SI-4(22) Unauthorized Network Services | | 6.3 | 4 | 100% or 1
| SI-4(23) Host-Based Devices | | 6.3, 6.6, 8.7 | 4 | 100% or 1
| SI-4(24) Indicators Of Compromise | | N/A | N/A | N/A
Summary (3.14) | | | | 4 | 90% or .9
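SI-4(18) (Analyze Traffic / Covert Exfiltration) and SI-4(11) (Analyze Communications Traffic Anomalies) are mapped above to the monitoring objectives, but the table says nothing about what such analysis looks like in practice. The following is an added example, not code from the EC-Council mapping or from NIST: a small Python heuristic that runs over constructed resolver log lines and flags a source host whose DNS queries carry encoded data in their subdomain labels, one common covert channel. The log format, the field order, the thresholds, and the "last two labels" rule for the registered domain are assumptions of this example.

```python
import math
from collections import defaultdict

# Added illustration of one SI-4(18) check; not code from the page. The log
# format "<timestamp> <src_ip> <qname> <qtype>", the thresholds and the
# registered-domain rule are assumptions of this example.

# Constructed sample log (not captured traffic). Host 10.1.2.9 mimics a client
# pushing hex-encoded file chunks out through subdomains of a domain it
# controls; the remaining lines are ordinary lookups.
SAMPLE_LOG = """\
2021-03-04T10:00:01Z 10.1.2.3 www.example.com A
2021-03-04T10:00:02Z 10.1.2.3 mail.example.com A
2021-03-04T10:00:03Z 10.1.2.3 cdn.static-assets.example.org A
2021-03-04T10:00:04Z 10.1.2.9 4d5a90000300000004000000ffff0000b800.c0.t.exfil-example.net TXT
2021-03-04T10:00:05Z 10.1.2.9 000000000000400000000000000000000000.c1.t.exfil-example.net TXT
2021-03-04T10:00:06Z 10.1.2.9 0e1fba0e00b409cd21b8014ccd2154686973.c2.t.exfil-example.net TXT
2021-03-04T10:00:07Z 10.1.2.9 2070726f6772616d2063616e6e6f74206265.c3.t.exfil-example.net TXT
2021-03-04T10:00:08Z 10.1.2.9 2072756e20696e20444f53206d6f64652e0d.c4.t.exfil-example.net TXT
2021-03-04T10:00:09Z 10.1.2.9 www.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the registrable domain is the last two labels. Production
    # code should consult the Public Suffix List (co.uk and similar).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_log(text):
    """Yield records from '<timestamp> <src_ip> <qname> <qtype>' lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qname, qtype = parts
        yield {"ts": ts, "src": src, "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def detect_dns_exfiltration(text, min_distinct=5, max_mean_len=32, max_mean_entropy=3.5):
    """Return [(src_ip, domain, stats)] for source/domain pairs whose subdomain
    labels look like encoded payload: many distinct names that are long or
    high-entropy. Thresholds are starting points, not tuned values."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        groups[(rec["src"], registered_domain(rec["qname"]))].append(rec)

    findings = []
    for (src, dom), recs in groups.items():
        # Strip the registered domain and the joining dot to get the subdomain part.
        subs = {r["qname"][: -(len(dom) + 1)] for r in recs if r["qname"] != dom}
        if len(subs) < min_distinct:
            continue  # too few distinct names to say anything
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        # Record types with large or free-form payloads are a secondary signal.
        bulk = sum(r["qtype"] in ("TXT", "NULL", "CNAME") for r in recs) / len(recs)
        if mean_len > max_mean_len or mean_ent > max_mean_entropy:
            findings.append((src, dom, {
                "distinct_subdomains": len(subs),
                "mean_subdomain_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "bulk_qtype_fraction": round(bulk, 2),
            }))
    return findings


if __name__ == "__main__":
    for src, dom, stats in detect_dns_exfiltration(SAMPLE_LOG):
        print(f"suspicious: {src} -> {dom} {stats}")
```

The detector is deliberately a heuristic: CDN hostnames, DGA-style malware domains and some legitimate telemetry also produce long or high-entropy labels, so in operation the thresholds are tuned against the site's own baseline and known-good domains are excluded before alerting. Its value for SI-4(18) is that it looks at the outbound channel itself rather than waiting for a signature to match.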