
Columns: Function; Category; Subcategory; Subcategory (detailed controls); Informative References; SANS Critical Security Control Number

Function: IDENTIFY (ID)

Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried

Informative References:
· CCS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8

SANS Critical Security Control Number: 1

Detailed controls:
ID.AM-1.1 Ensure that physical devices and systems within the organization are inventoried and managed.
ID.AM-1.2 Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
ID.AM-1.3 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.
ID.AM-1.4 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
ID.AM-1.5 Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice over IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.
ID.AM-1.6 Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
ID.AM-1.7 Use client certificates to validate and authenticate systems prior to connecting to the private network.

Subcategory: ID.AM-2: Software platforms and applications within the organization are inventoried

Informative References:
· CCS CSC 2
· COBIT 5 BAI09.01, BAI09.02, BAI09.05
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8

SANS Critical Security Control Number: 2

Detailed controls:
ID.AM-2.1 Ensure that software platforms and applications within the organization are inventoried and managed.
ID.AM-2.2 Devise a list of authorized software and versions that are required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
ID.AM-2.3 Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow. When protecting systems with customized software that may be seen as difficult to whitelist, use item 8 below (isolating the custom software in a virtual operating system that does not retain infections).
ID.AM-2.4 Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
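As an added example (not part of the original mapping document), the reconciliation that ID.AM-1.3 and ID.AM-1.5 describe: DHCP server log lines are parsed and compared against the inventory to flag unknown systems and stale recorded addresses. The log lines, the inventory records and the ISC-dhcpd-style message format are constructed assumptions.

```python
"""Reconcile DHCP server logs against the asset inventory (ID.AM-1.3 / ID.AM-1.5).

Added example, not part of the original mapping document. The log excerpt and
inventory records are constructed; the log format assumed here follows the ISC
dhcpd syslog style ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>").
"""
import re
from dataclasses import dataclass

# Constructed DHCP server log excerpt (ISC dhcpd syslog style, assumption).
DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd[2231]: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (ws-fin-01) via eth1
Mar  3 08:02:40 dhcp1 dhcpd[2231]: DHCPACK on 10.20.1.16 to 00:11:22:33:44:66 (prn-fin-02) via eth1
Mar  3 08:05:03 dhcp1 dhcpd[2231]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth1
Mar  3 08:05:04 dhcp1 dhcpd[2231]: DHCPACK on 10.20.1.77 to aa:bb:cc:dd:ee:ff (android-9f3c) via eth1
Mar  3 08:09:31 dhcp1 dhcpd[2231]: DHCPACK on 10.20.1.31 to 00:11:22:33:44:55 (ws-fin-01) via eth1
"""

# Constructed inventory keyed by MAC, carrying the minimum fields ID.AM-1.5 asks for.
INVENTORY = {
    "00:11:22:33:44:55": {"name": "ws-fin-01", "ip": "10.20.1.15", "purpose": "finance workstation",
                          "owner": "j.doe", "department": "Finance", "portable": True},
    "00:11:22:33:44:66": {"name": "prn-fin-02", "ip": "10.20.1.16", "purpose": "printer",
                          "owner": "facilities", "department": "Finance", "portable": False},
}

# Only DHCPACK lines represent a lease actually handed out, so only those are matched.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str        # "unknown_device" or "address_changed"
    mac: str
    ip: str
    detail: str


def parse_acks(log_text):
    """Return one (ip, mac, hostname) tuple per DHCPACK line; other messages are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append((m.group("ip"), m.group("mac").lower(), m.group("host") or ""))
    return leases


def reconcile(log_text, inventory):
    """Compare observed leases with the inventory.

    - A MAC with no inventory record is an unknown system (ID.AM-1.3), reported once.
    - A known MAC seen at an address other than the recorded one means the inventory
      is stale (ID.AM-1.5); the returned copy is updated to the latest lease.
    Returns (findings, updated_inventory); the input inventory is left unchanged.
    """
    updated = {mac: dict(rec) for mac, rec in inventory.items()}
    findings, seen_unknown = [], set()
    for ip, mac, host in parse_acks(log_text):
        rec = updated.get(mac)
        if rec is None:
            if mac not in seen_unknown:
                seen_unknown.add(mac)
                findings.append(Finding("unknown_device", mac, ip,
                                        f"hostname '{host}' has no inventory record"))
            continue
        if rec["ip"] != ip:
            findings.append(Finding("address_changed", mac, ip,
                                    f"{rec['name']} recorded at {rec['ip']}, now leased {ip}"))
            rec["ip"] = ip
    return findings, updated


if __name__ == "__main__":
    for f in reconcile(DHCP_LOG, INVENTORY)[0]:
        print(f"{f.kind:16} {f.mac}  {f.ip:14} {f.detail}")
```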

Function: IDENTIFY (ID)

Category: Asset Management (ID.AM)

Subcategory: ID.AM-3: Organizational communication and data flows are mapped

Informative References:
· CCS CSC 1
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.2.3.4
· ISO/IEC 27001:2013 A.13.2.1
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

SANS Critical Security Control Number: 1

Detailed controls:
ID.AM-3.1 Ensure that organizational communication and data flows are mapped and systems are designed or configured to regulate information flow based on data classification.
ID.AM-3.2 Establish procedures that ensure only agency-owned or approved IT resources are connected to the agency internal network and resources.
ID.AM-3.3 Design and document the agency’s information security architecture using a defense-in-breadth approach. Design and documentation shall be assessed and updated periodically based on an agency defined, risk-driven frequency that considers potential threat vectors (i.e., paths or tools that a threat actor may use to attack a target).
ID.AM-3.4 Consider diverse suppliers when designing the information security architecture.

Subcategory: ID.AM-4: External information systems are catalogued

Informative References:
· COBIT 5 APO02.02
· ISO/IEC 27001:2013 A.11.2.6
· NIST SP 800-53 Rev. 4 AC-20, SA-9

Detailed controls:
ID.AM-4.1 Each agency shall ensure that interdependent external information systems are catalogued.
ID.AM-4.2 Verify or enforce required security controls on interconnected external IT resources in accordance with the information security policy or security plan.
ID.AM-4.3 Implement service level agreements for non-agency provided technology services to ensure appropriate security controls are established and maintained.
ID.AM-4.4 For non-interdependent external IT resources, execute information sharing or processing agreements with the entity receiving the shared information or hosting the external system in receipt of shared information.
ID.AM-4.5 Restrict or prohibit portable storage devices either by policy or a technology that enforces security controls for such devices.
ID.AM-4.6 Authorize and document inter-agency system connections.
ID.AM-4.7 Require that external service providers adhere to agency security policies.
ID.AM-4.8 Document agency oversight expectations, and periodically monitor provider compliance.

Subcategory: ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value

Informative References:
· COBIT 5 APO03.03, APO03.04, BAI09.02
· ISA 62443-2-1:2009 4.2.3.6
· ISO/IEC 27001:2013 A.8.2.1
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14

Detailed controls:
ID.AM-5.1 Each agency shall ensure that IT resources (hardware, devices, and software) are categorized, prioritized, and documented based on their classification, criticality, and business value.
ID.AM-5.2 Perform a criticality analysis for each categorized IT resource and document the findings of the analysis conducted.
ID.AM-5.3 Designate an authorizing official for each categorized IT resource and document the authorizing official’s approval of the security categorization.
ID.AM-5.4 Create a contingency plan for each categorized IT resource. The contingency plan shall be based on resource classification and identify related cybersecurity roles and responsibilities.
ID.AM-5.5 Identify and maintain a reference list of exempt, and confidential and exempt agency information or software and the associated applicable state and federal statutes and rules.
ID.AM-5.6 Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.

Function: IDENTIFY (ID)

Category: Asset Management (ID.AM)

Subcategory: ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

Informative References:
· COBIT 5 APO01.02, DSS06.03
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Detailed controls:
ID.AM-6.1 Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders.
ID.AM-6.2 Inform workers that they are responsible for safeguarding their passwords and other authentication methods.
ID.AM-6.3 Inform workers that they shall not share their agency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes.
ID.AM-6.4 Inform workers that use IT equipment, or that oversee or manage workers that use IT equipment, that they shall immediately report suspected unauthorized activity, in accordance with agency-established incident reporting procedures.
ID.AM-6.5 Inform users that they shall take precautions that are appropriate to protect IT resources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT resource is lost, and safety issues relevant to protections identified in this subsection.
ID.AM-6.6 Inform users of the extent that they will be held accountable for their activities.
ID.AM-6.7 Inform workers that they have no reasonable expectation of privacy with respect to agency-owned or agency-managed IT resources.
ID.AM-6.8 Ensure that monitoring, network sniffing, and related security activities are only performed by workers who have been assigned security-related responsibilities either via their approved position descriptions or tasks assigned to them.
ID.AM-6.9 Appoint an Information Security Manager (ISM). Agency responsibilities related to ISMs include:
a. Notifying the Agency for State Technology (AST) of ISM appointments and reappointments.
b. Specifying ISM responsibilities in the ISM’s position description.
c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive risk assessment required by section 282.318, F.S.; a Computer Security Incident Response Team; and a disaster recovery program that aligns with the agency’s Continuity of Operations (COOP) Plan.
d. Each agency ISM shall be responsible for the information security program plan.
ID.AM-6.10 Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher. See rule 74A-1.002(4)(a), F.A.C. These positions often, if not always, have privileged access. As such, in addition to agency required background screening, background checks conducted by agencies shall include a federal criminal history check that screens for felony convictions that concern or involve the following:
a. Computer related or IT crimes;
b. Identity theft crimes;
c. Financially-related crimes, such as: fraudulent practices, false pretenses and frauds, credit card crimes;
d. Forgery and counterfeiting;
e. Violations involving checks and drafts;
f. Misuse of medical or personnel records; and
g. Theft.
ID.AM-6.11 Each agency shall establish appointment selection disqualifying criteria for individuals hired as IT workers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher.

Category: Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Subcategory: ID.BE-1: The organization’s role in the supply chain is identified and communicated

Informative References:
· COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
· ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 CP-2, SA-12

Detailed controls:
ID.BE-1.1 Identify and communicate the agency’s role in the business mission of the state.

Function: IDENTIFY (ID)

Category: Business Environment (ID.BE)

Subcategory: ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated

Informative References:
· COBIT 5 APO02.06, APO03.01
· NIST SP 800-53 Rev. 4 PM-8

Detailed controls:
ID.BE-2.1 Identify and communicate the agency’s place in critical infrastructure and its industry sector to inform internal stakeholders of IT strategy and direction.

Subcategory: ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

Informative References:
· COBIT 5 APO02.01, APO02.06, APO03.01
· ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
· NIST SP 800-53 Rev. 4 PM-11, SA-14

Detailed controls:
ID.BE-3.1 Establish and communicate priorities for agency mission, objectives, and activities.

Subcategory: ID.BE-4: Dependencies and critical functions for delivery of critical services are established

Informative References:
· ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

Detailed controls:
ID.BE-4.1 Identify system dependencies and critical functions for delivery of critical services.

Subcategory: ID.BE-5: Resilience requirements to support delivery of critical services are established

Informative References:
· COBIT 5 DSS04.02
· ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Detailed controls:
ID.BE-5.1 Implement information resilience requirements to support the delivery of critical services.

Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Subcategory: ID.GV-1: Organizational information security policy is established

Informative References:
· COBIT 5 APO01.03, EDM01.01, EDM01.02
· ISA 62443-2-1:2009 4.3.2.6
· ISO/IEC 27001:2013 A.5.1.1
· NIST SP 800-53 Rev. 4 -1 controls from all families

Detailed controls:
ID.GV-1.1 Establish or adopt a comprehensive information security policy.

Subcategory: ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners

Informative References:
· COBIT 5 APO13.12
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1
· NIST SP 800-53 Rev. 4 PM-1, PS-7

Detailed controls:
ID.GV-2.1 Coordinate and align information security roles and responsibilities with internal roles and external partners.

Subcategory: ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Informative References:
· COBIT 5 MEA03.01, MEA03.04
· ISA 62443-2-1:2009 4.4.3.7
· ISO/IEC 27001:2013 A.18.1
· NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)

Detailed controls:
ID.GV-3.1 Document and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations.

Subcategory: ID.GV-4: Governance and risk management processes address cybersecurity risks

Informative References:
· COBIT 5 DSS04.02
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
· NIST SP 800-53 Rev. 4 PM-9, PM-11

Detailed controls:
ID.GV-4.1 Ensure governance and risk management processes address cybersecurity risks.

Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Subcategory: ID.RA-1: Asset vulnerabilities are identified and documented

Informative References:
· CCS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

SANS Critical Security Control Number: 4

Detailed controls:
ID.RA-1.1 Identify and document asset vulnerabilities, business processes and protection requirements. Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.
ID.RA-1.2 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).

Subcategory: ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources

Informative References:
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

Subcategory: ID.RA-3: Threats, both internal and external, are identified and documented

Informative References:
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

Detailed controls:
ID.RA-3.1 Identify and document threats, both internal and external.

Subcategory: ID.RA-4: Potential business impacts and likelihoods are identified

Informative References:
· COBIT 5 DSS04.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14

Detailed controls:
ID.RA-4.1 Identify potential business impacts and likelihoods.

Subcategory: ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Informative References:
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

Detailed controls:
ID.RM-5.1 Use threats, vulnerabilities, likelihoods, and impacts to determine risk.

Subcategory: ID.RA-6: Risk responses are identified and prioritized

Informative References:
· COBIT 5 APO12.05, APO13.02
· NIST SP 800-53 Rev. 4 PM-4, PM-9

Detailed controls:
ID.RA-6.1 Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document plan implementation.

Category: Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Subcategory: ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders

Informative References:
· COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· NIST SP 800-53 Rev. 4 PM-9

Detailed controls:
ID.RM-1.1 Establish a risk management workgroup that ensures that risk management processes are authorized by agency stakeholders.
ID.RM-1.2 Establish parameters for IT staff participation in procurement activities.
ID.RM-1.3 Identify the IT issues IT staff must address during procurement activities (e.g., system hardening, logging, performance, service availability, incident notification, and recovery expectations).
ID.RM-1.4 Implement appropriate security controls for software applications obtained, purchased, leased, or developed to minimize risks to the confidentiality, integrity, and availability of the application, its data, and other IT resources.
ID.RM-1.5 Prior to introducing new IT resources or modifying current IT resources, perform an impact analysis. The purpose of this analysis is to assess the effects of the technology or modifications on the existing environment. Validate that IT resources conform to agency standard configurations prior to implementation into the production environment.
ID.RM-1.6 The Form AST 1000 (##/16) contains terms and conditions that shall be included in agency IT services contracts that have any IT risk associated with the services provided.
ID.RM-1.7 Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.
ID.RM-1.8 Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.

Subcategory: ID.RM-2: Organizational risk tolerance is determined and clearly expressed

Informative References:
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.2.6.5
· NIST SP 800-53 Rev. 4 PM-9

Detailed controls:
ID.RM-2.1 Determine and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the agency, and by the agency’s role in critical infrastructure and sector specific analysis.
ID.RM-2.2 Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed, either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.

Subcategory: ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Informative References:
· NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14

Detailed controls:
ID.RM-3.1 Determine risk tolerance as informed by its role in the state’s mission and performance of a sector specific risk analysis.
ID.RM-3.2 Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (for example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level.
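As an added example (not part of the original mapping document), the back-to-back scan comparison that ID.RM-2.2 describes, with the periodic review of accepted risks it requires: two scan exports are diffed into remediated, new and unresolved findings, and findings that persist under a documented acceptance are split by whether their review date has passed. The scan results, the accepted-risk register, the dates and the CVE-shaped finding ids are all constructed placeholders.

```python
"""Compare consecutive vulnerability scans and review accepted risks (ID.RM-2.2).

Added example, not part of the original mapping document. Scan exports, the
accepted-risk register and the dates are constructed; finding ids are
placeholders in CVE form, not real advisories.
"""
from datetime import date

# Constructed scan exports: one (host, finding_id, severity) per open finding.
PREVIOUS_SCAN = {
    ("srv-web-01", "CVE-0000-0001", "critical"),
    ("srv-web-01", "CVE-0000-0002", "high"),
    ("srv-db-01",  "CVE-0000-0003", "high"),
    ("ws-fin-01",  "CVE-0000-0004", "medium"),
}
CURRENT_SCAN = {
    ("srv-web-01", "CVE-0000-0002", "high"),      # still open, no documented acceptance
    ("srv-db-01",  "CVE-0000-0003", "high"),      # accepted risk, review date has passed
    ("ws-fin-01",  "CVE-0000-0004", "medium"),    # accepted risk, still within review window
    ("srv-web-01", "CVE-0000-0005", "critical"),  # appeared since the previous scan
}

# Constructed accepted-risk register: (host, finding_id) -> date by which the
# acceptance must be re-examined (newer patch, compensating control, changed conditions).
ACCEPTED_RISKS = {
    ("srv-db-01", "CVE-0000-0003"): date(2016, 1, 31),
    ("ws-fin-01", "CVE-0000-0004"): date(2016, 6, 30),
}

# Order used to put the riskiest items first in every bucket (ID.RM-3.2).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def compare_scans(previous, current, accepted, today):
    """Classify findings from two consecutive scans into five buckets.

    remediated: in the previous scan only (patched or compensated).
    new:        in the current scan only.
    unresolved: in both scans with no accepted-risk entry.
    accepted:   in both scans, covered by an acceptance whose review date is not past.
    review_due: in both scans, covered by an acceptance whose review date has passed.
    Each bucket holds (host, finding_id, severity) tuples, riskiest first.
    """
    prev = {(h, f): s for h, f, s in previous}
    cur = {(h, f): s for h, f, s in current}
    buckets = {"remediated": [], "new": [], "unresolved": [], "accepted": [], "review_due": []}
    for key in prev.keys() - cur.keys():
        buckets["remediated"].append((*key, prev[key]))
    for key in cur.keys() - prev.keys():
        buckets["new"].append((*key, cur[key]))
    for key in prev.keys() & cur.keys():
        review_by = accepted.get(key)
        if review_by is None:
            name = "unresolved"
        elif today > review_by:
            name = "review_due"
        else:
            name = "accepted"
        buckets[name].append((*key, cur[key]))
    for items in buckets.values():
        items.sort(key=lambda t: (SEVERITY_RANK.get(t[2], 99), t[0], t[1]))
    return buckets


def stale_acceptances(accepted, current):
    """Register entries whose finding no longer appears in the current scan.

    These acceptances can be closed; leaving them open would silently cover the
    finding if it ever reappears.
    """
    open_keys = {(h, f) for h, f, _ in current}
    return sorted(key for key in accepted if key not in open_keys)


if __name__ == "__main__":
    for name, items in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN,
                                     ACCEPTED_RISKS, date(2016, 3, 1)).items():
        for host, fid, sev in items:
            print(f"{name:11} {sev:9} {host:12} {fid}")
```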

Page 6: SANS Critical Function Category Subcategory Subcategory … · €€€€€€ ccs csc 1 1 · €€€€€€ cobit 5 dss05.02 €€€€€€ isa 62443-2-1:2009 4.2.3.4

·       CCS CSC 16

16

·       COBIT 5 DSS05.04, DSS06.03

·       ISA 62443-2-1:2009 4.3.3.5.1

·       ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR

1.8, SR 1.9

·       ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3

·       NIST SP 800-53 Rev. 4 AC-2, IA Family

PR.AC-1.1 Each agency shall manage identities and credentials for authorized devices and users.

PR.AC-1.2 Require that all agency-owned or approved computing devices, including mobile

devices, use unique user authentication.

PR.AC-1.3 Require users to log off or lock their workstations prior to leaving the work area.

PR.AC-1.4 Require inactivity timeouts that terminate or secure sessions with a complex password.

PR.AC-1.5 Secure workstations with a password-protected screensaver, set at no more than 15 minutes.

PR.AC-1.6 Force users to change their passwords at least every 30-90 days, based on assessed risk of the system.

PR.AC-1.7 Address responsibilities of information stewards that include administering access to systems and data based on the documented authorizations and facilitate periodic review of access rights with information owners. Frequency of reviews shall be based on system categorization or assessed risk.

PR.AC-1.8 Establish access disablement and notification timeframes for worker separations. The agency will identify the appropriate person in the IT unit to receive notifications. Notification timeframes shall consider risks associated with system access post-separation.

PR.AC-1.9 Ensure IT access is removed when the IT resource is no longer required.

PR.AC-1.10 Consider the use of multi-factor authentication (MFA) for any application that has a categorization of moderate or contains exempt, or confidential and exempt information. This excludes externally hosted systems designed to deliver services to customers, where MFA is not necessary or viable.

PR.AC-1.11 Require multifactor authentication (MFA) for any application that has a categorization of high or is administered by remote connection to the internal network.

PR.AC-1.12 Require multifactor authentication (MFA) for network access to privileged accounts.

PR.AC-1.13 All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access.

PR.AC-1.14 Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.

PR.AC-1.15 Review all system accounts and disable any account that cannot be associated with a business process and owner.

PR.AC-1.16 Ensure that all accounts have an expiration date that is monitored and enforced.

PR.AC-1.17 Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
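The lockout behaviour PR.AC-1.17 asks for, as an added worked example that is not part of the standard: a small policy object that counts failed logins inside a sliding window, locks the account for a fixed period once the threshold is reached, and rejects even a correct password while the lock is in force. The threshold, window and lock duration are assumed values; the standard leaves the numbers to the agency.

```python
"""Account lockout policy (added illustration of PR.AC-1.17, not from the standard):
after THRESHOLD failed logins inside a sliding window the account is locked for a
fixed period, during which even a correct password is rejected."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy values; the standard leaves the numbers to the agency.
THRESHOLD = 5            # failed attempts that trigger a lockout
LOCKOUT_SEC = 15 * 60    # standard lock period
WINDOW_SEC = 15 * 60     # failures older than this no longer count


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                             # 0 means not locked


class LockoutPolicy:
    def __init__(self, threshold: int = THRESHOLD, lockout_sec: float = LOCKOUT_SEC,
                 window_sec: float = WINDOW_SEC) -> None:
        self.threshold = threshold
        self.lockout_sec = lockout_sec
        self.window_sec = window_sec
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Apply the policy to one login attempt at time `now` (seconds).

        Returns "locked", "ok" or "failed". The lock check runs before the
        password result is consulted, so a locked account gives the same
        answer whether or not the supplied password was right."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            st.failures.clear()          # a good login resets the counter
            return "ok"
        # Drop failures that fell out of the observation window, then count this one.
        st.failures = [t for t in st.failures if now - t < self.window_sec]
        st.failures.append(now)
        if len(st.failures) >= self.threshold:
            st.locked_until = now + self.lockout_sec
            st.failures.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy()
    for t in range(5):
        print(t, policy.attempt("alice", False, t))
    print("correct password during lock:", policy.attempt("alice", True, 100))
```

The window matters as much as the threshold: without it, a handful of mistyped passwords spread over months would eventually lock a legitimate user, and with too long a lock period the mechanism itself becomes a denial-of-service lever against named accounts, which is why the lock is time-limited rather than permanent.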

PR.AC-1.18 Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.

PR.AC-1.19 Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.

PR.AC-1.20 Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).

PR.AC-1.21 Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

PR.AC-1.22 Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
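What "hashed" and "cannot be accessed without root" in PR.AC-1.22 look like in practice, as an added example that is not part of the standard: passwords are stored as salted PBKDF2-HMAC-SHA256 records, verified with a constant-time comparison, and the file holding them is checked for root ownership and the absence of group/other permission bits. The record format, iteration count and function names are this example's own choices.

```python
"""Password storage and credential-file checks (added illustration of PR.AC-1.22,
not from the standard). Passwords are stored as salted PBKDF2 hashes, compared in
constant time; the credential file must be root-owned with mode bits 0?00."""
import hashlib
import hmac
import os
import secrets
import stat
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed work factor; raise as hardware allows


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or foreign records verify as False rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def credential_file_is_restricted(mode: int, owner_uid: int) -> bool:
    """True when the file is owned by root (uid 0) and carries no group or
    other permission bits, e.g. mode 0600 or 0400."""
    return owner_uid == 0 and (stat.S_IMODE(mode) & 0o077) == 0


def check_credential_file(path: str) -> bool:
    """Stat a real file and apply the ownership/mode rule."""
    st = os.stat(path)
    return credential_file_is_restricted(st.st_mode, st.st_uid)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(check_credential_file("/etc/shadow"))
```

Because the record carries its own algorithm and iteration count, the work factor can be raised later and old records re-hashed at next login without a flag day. The "audit all access" half of the control is left to the operating system's audit subsystem (a file watch rule on the credential file), which this snippet does not replace.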

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users

Page 7

Informative references (PR.AC-2):
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

Informative references (PR.AC-3):
· COBIT 5 APO13.01, DSS01.04, DSS05.03
· ISA 62443-2-1:2009 4.3.3.6.6
· ISA 62443-3-3:2013 SR 1.13, SR 2.6
· ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1
· NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20

Informative references (PR.AC-4), SANS Critical Security Controls 12, 15:
· CCS CSC 12, 15
· ISA 62443-2-1:2009 4.3.3.7.3
· ISA 62443-3-3:2013 SR 2.1

PR.AC-2.1 Address protection of IT resources from environmental hazards (e.g., temperature, humidity, air movement, dust, and faulty power) in accordance with manufacturers’ specifications.

PR.AC-2.2 Implement procedures to manage physical access to information technology facilities and/or equipment.

PR.AC-2.3 Identify physical controls that are appropriate for the size and criticality of the information technology resources.

PR.AC-2.4 Specify physical access to central information resource facilities and/or equipment that is restricted to authorized personnel.

PR.AC-2.5 Detail visitor access protocols, including recordation procedures, and in locations housing systems categorized as moderate-impact or high-impact, require that visitors be supervised.

PR.AC-2.6 Address how the agency will protect network integrity by incorporating network segregation.

PR.AC-2.7 Configure screen locks on systems to limit access to unattended workstations.

PR.AC-3.1 Address how the agency will securely manage and document remote access.

PR.AC-3.2 Specify that only agency-managed, secure remote access methods may be used to remotely connect computing devices to the agency internal network.

PR.AC-3.3 For systems containing exempt, or confidential and exempt data, ensure written agreements and procedures are in place to ensure security for sharing, handling or storing confidential data with entities outside the agency.

PR.AC-3.4 Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

PR.AC-3.5 Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.

PR.AC-4.1 Each agency shall ensure that access permissions are managed, incorporating the principles of least privilege and separation of duties.

PR.AC-4.2 Execute interconnection security agreements to authorize, document, and support continual management of inter-agency connected systems.

PR.AC-4.3 Manage access permissions by incorporating the principles of least privilege and segregation of duties.

PR.AC-4.4 Specify that all workers be granted access to agency IT resources based on the principles of “least privilege” and “need to know determination.”

PR.AC-4.5 Specify that system administrators restrict and tightly control the use of system development utility programs that may be capable of overriding system and application controls.

PR.AC-4.6 Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

PR.AC-4.7 Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

PR.AC-4.8 Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.

PR.AC-4.9 Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.

PR.AC-4.10 Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.
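The alerting logic behind PR.AC-4.9 and PR.AC-4.10, as an added example that is not part of the standard. The event lines below are a constructed key=value rendering of Windows Security events (not real exported logs); the event IDs are the real Windows ones (4728/4729 member added to/removed from a global group such as Domain Admins, 4732/4733 the same for a local group such as Administrators, 4720 account created, 4625 failed logon). The group list and the administrative-account inventory are assumed local policy data.

```python
"""Alerts on privileged-account events (added illustration of PR.AC-4.9 and
PR.AC-4.10, not from the standard). Input lines are a constructed key=value
rendering of Windows Security events."""
import re
from typing import Dict, List

# Constructed sample input; backslashes are doubled only because this is a Python literal.
SAMPLE_EVENTS = [
    "EventID=4728 Host=DC01 Subject=CORP\\jdoe Member=CORP\\svc-backup Group=Domain Admins",
    "EventID=4624 Host=WS042 Subject=CORP\\asmith LogonType=2",
    "EventID=4720 Host=WS042 Subject=WS042\\setup TargetUser=WS042\\helpdesk",
    "EventID=4732 Host=WS042 Subject=WS042\\setup Member=WS042\\helpdesk Group=Administrators",
    "EventID=4625 Host=DC01 TargetUser=CORP\\Administrator Status=0xC000006D",
    "EventID=4625 Host=WS042 TargetUser=CORP\\asmith Status=0xC000006D",
    "EventID=4729 Host=DC01 Subject=CORP\\jdoe Member=CORP\\svc-backup Group=Domain Admins",
]

# Assumed local policy data: groups that confer admin rights, and the accounts the
# administrative-account inventory (PR.AC-4.7) lists as privileged.
ADMIN_GROUPS = {"domain admins", "enterprise admins", "administrators"}
ADMIN_ACCOUNTS = {"corp\\administrator"}

GROUP_CHANGE_IDS = {"4728": "added to", "4729": "removed from",
                    "4732": "added to", "4733": "removed from"}
# key=value pairs where a value may contain spaces ("Domain Admins") but a key may not.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return {k: v for k, v in FIELD_RE.findall(line)}


def alerts_for(events: List[str], admin_groups=ADMIN_GROUPS,
               admin_accounts=ADMIN_ACCOUNTS) -> List[Dict[str, str]]:
    """Return one alert dict per event that matches either rule."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        eid = ev.get("EventID", "")
        # Rule 1 (PR.AC-4.9): membership change on an administrative group. A new
        # local administrator account shows up here as its 4732 add to Administrators.
        if eid in GROUP_CHANGE_IDS and ev.get("Group", "").lower() in admin_groups:
            alerts.append({
                "rule": "admin_group_change",
                "host": ev.get("Host", "?"),
                "detail": f"{ev.get('Member', '?')} {GROUP_CHANGE_IDS[eid]} "
                          f"{ev['Group']} by {ev.get('Subject', '?')}",
            })
        # Rule 2 (PR.AC-4.10): any failed logon against an inventoried admin account.
        elif eid == "4625" and ev.get("TargetUser", "").lower() in admin_accounts:
            alerts.append({
                "rule": "admin_logon_failure",
                "host": ev.get("Host", "?"),
                "detail": f"failed logon for {ev['TargetUser']} "
                          f"status {ev.get('Status', '?')}",
            })
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print(alert)
```

The second rule depends on the inventory from PR.AC-4.7 being kept current: an administrative account that is not on the list produces no alert when its logons fail, so the two controls are only as strong as that list.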

PR.AC-4.11 Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.

PR.AC-4.12 Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.

PR.AC-4.13 Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

PR.AC-4.14 Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface).

PROTECT (PR)

Access Control (PR.AC), continued

PR.AC-2: Physical access to assets is managed and protected

PR.AC-3: Remote access is managed

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties

Page 8

Informative references (PR.AC-4, continued):
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
· NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

Informative references (PR.AC-5):
· ISA 62443-2-1:2009 4.3.3.4
· ISA 62443-3-3:2013 SR 3.1, SR 3.8
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1


PR.AC-5.1 Each agency shall ensure that network integrity is protected, incorporating network segregation where appropriate.

PR.AC-5.2 Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application / URL whitelisting and only allow the use of the application for pre-approved domains.

PR.AC-5.3 Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.

PR.AC-5.4 Ensure that only ports, protocols, and services with validated business needs are running on each system.

PR.AC-5.5 Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

PR.AC-5.6 Perform automated port scans on a regular basis against all key servers and compare to a known effective baseline. If a change that is not listed on the organization’s approved baseline is discovered, an alert should be generated and reviewed.
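The comparison step of PR.AC-5.6, as an added example that is not part of the standard: parse the result of a scheduled scan, diff each server's open ports against the approved baseline, and emit a finding for every deviation. The scan text is a constructed sample laid out like Nmap's greppable (-oG) output, and the baseline is an assumed approved-ports list; the finding names are this example's own. Beyond the single case the control describes (an unlisted port turned up), it also flags an approved port that has gone quiet, a host the baseline does not know, and a baselined host the scan never reached, since each of those is a change worth a reviewer's eye.

```python
"""Port-scan baseline comparison (added illustration of PR.AC-5.6, not from the
standard). Scan text is a constructed sample in the greppable layout."""
import re
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_SCAN = """# constructed sample in greppable layout
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 443/closed/tcp//https///
Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///
"""

# Assumed approved baseline: host -> ports expected to be open.
BASELINE: Dict[str, Set[int]] = {
    "10.0.0.5": {22, 80},
    "10.0.0.7": {22, 443},
    "10.0.0.11": {22},
}

HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*)$")

Finding = Tuple[str, str, Optional[int]]   # (host, finding, port or None)


def parse_greppable(text: str) -> Dict[str, Set[int]]:
    """Return host -> set of ports reported as open. Entries look like
    '8080/open/tcp//http-proxy///'; only the state field is trusted here."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports: Set[int] = set()
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(int(fields[0]))
        hosts[m.group(1)] = open_ports
    return hosts


def compare_to_baseline(observed: Dict[str, Set[int]],
                        baseline: Dict[str, Set[int]]) -> List[Finding]:
    """Every difference between what was seen and what was approved."""
    findings: List[Finding] = []
    for host, ports in observed.items():
        if host not in baseline:
            findings.extend((host, "unknown_host", p) for p in sorted(ports))
            continue
        findings.extend((host, "unexpected_open", p) for p in sorted(ports - baseline[host]))
        findings.extend((host, "expected_missing", p) for p in sorted(baseline[host] - ports))
    for host in baseline:
        if host not in observed:
            findings.append((host, "not_scanned", None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or 0))


if __name__ == "__main__":
    for finding in compare_to_baseline(parse_greppable(SAMPLE_SCAN), BASELINE):
        print(*finding)
```

An "expected_missing" finding is not necessarily a security problem, but a service that silently stopped listening is a change the baseline owner should confirm, and a "not_scanned" host is the gap an attacker-placed firewall rule or a decommissioned-but-not-deregistered server would leave.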

PR.AC-5.7 Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address.

PR.AC-5.8 Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.

PR.AC-5.9 Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated.

PR.AC-5.10 Network engineers shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

PR.AC-5.11 Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a black list, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.

PR.AC-5.12 Disable peer-to-peer wireless network capabilities on wireless clients.

PR.AC-5.13 Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.

PROTECT (PR)

Access Control (PR.AC), continued

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate

Page 9

Informative references (PR.AC-5, continued):
· NIST SP 800-53 Rev. 4 AC-4, SC-7

Informative references (PR.AT-1), SANS Critical Security Control 9:
· CCS CSC 9
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.7.2.2


PR.AT-1.1 Inform and train all workers.

PR.AT-1.2 Appoint a worker to coordinate the agency information security awareness program. If an IT security worker does not coordinate the security awareness program, they shall be consulted for content development purposes. Agencies will ensure that all workers (including volunteer workers) are clearly notified of applicable obligations, established via agency policies, to maintain compliance with such controls.

PR.AT-1.3 Establish a program that includes, at a minimum, annual security awareness training and on-going education and reinforcement of security practices.

PR.AT-1.4 Provide training to workers within 30 days of start date.

PR.AT-1.5 Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and computer security incident reporting procedures.

PR.AT-1.6 Establish requirements for workers to immediately report loss of mobile devices, security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes according to agency reporting procedures.

PR.AT-1.7 Where technology permits, provide training prior to system access. For specialized agency workers (e.g., law enforcement officers), who are required to receive extended off-site training prior to reporting to their permanent duty stations, initial security awareness training shall be provided within 30 days of the date they report to their permanent duty station.

PR.AT-1.8 Require, prior to access, that workers verify in writing that they will comply with agency IT security policies and procedures.

PR.AT-1.9 Document parameters that govern personal use of agency IT resources and define what constitutes personal use. Personal use, if allowed by the agency, shall not interfere with the normal performance of any worker’s duties, or consume significant or unreasonable amounts of state information technology resources (e.g. bandwidth, storage).

PR.AT-1.10 Inform workers of what constitutes inappropriate use of IT resources. Inappropriate use shall include, but may not be limited to, the following:

1. Distribution of malware
2. Disablement or circumvention of security controls
3. Forging headers
4. Propagating “chain” letters
5. Political campaigning or unauthorized fund raising
6. Use for personal profit, benefit or gain
7. Offensive, indecent, or obscene access or activities, unless required by job duties
8. Harassing, threatening, or abusive activity
9. Any activity that leads to performance degradation
10. Auto-forwarding to external e-mail addresses
11. Unauthorized, non-work related access to: chat rooms, political groups, singles clubs or dating services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; hacker web-site/software; and pornography and sites containing obscene materials.

PR.AT-1.11 Perform gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees.

PR.AT-1.12 Implement a security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion.

PR.AT-1.13 Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise.

PR.AT-1.14 Ensure that all software development personnel receive training in writing secure code for their specific development environment.

PROTECT (PR)

Access Control (PR.AC), continued

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained

Page 10

Informative references (PR.AT-1, continued):
· NIST SP 800-53 Rev. 4 AT-2, PM-13

Informative references (PR.AT-2), SANS Critical Security Control 9:
· CCS CSC 9
· COBIT 5 APO07.02, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13

Informative references (PR.AT-3), SANS Critical Security Control 9:
· CCS CSC 9
· COBIT 5 APO07.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9

Informative references (PR.AT-4), SANS Critical Security Control 9:
· CCS CSC 9
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13

Informative references (PR.AT-5), SANS Critical Security Control 9:
· CCS CSC 9
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-2.1 Ensure that privileged users understand their roles and

PR.AT-2.2 Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery.

PR.AT-3.1 Ensure that third-party stakeholders understand their roles and responsibilities.

PR.AT-4.1 Ensure that senior executives understand their roles and responsibilities.

PR.AT-4.2 Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps.

PR.AT-5.1 Ensure that physical and information security personnel understand their roles and responsibilities.


PROTECT (PR)

Awareness and Training (PR.AT), continued

PR.AT-1: All users are informed and trained

PR.AT-2: Privileged users understand roles & responsibilities

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities

PR.AT-4: Senior executives understand roles & responsibilities

PR.AT-5: Physical and information security personnel understand roles & responsibilities

Page 11

Informative references (PR.DS-1), SANS Critical Security Control 17:
· CCS CSC 17
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 SC-28

Informative references (PR.DS-2), SANS Critical Security Control 17:
· CCS CSC 17
· COBIT 5 APO01.06, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8

Informative references (PR.DS-3):
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

Informative references (PR.DS-4):
· COBIT 5 APO13.01
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.12.3.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

Informative references (PR.DS-5), SANS Critical Security Control 17:
· CCS CSC 17
· COBIT 5 APO01.06

PR.DS-1.1 Procedures that ensure only agency-owned or approved IT resources are used to store confidential or exempt information.

PR.DS-1.2 Procedures that ensure agency-owned or approved portable IT resources containing confidential or mission critical data are encrypted.

PR.DS-1.3 Procedures that ensure agency-owned or approved portable IT resources that connect to the agency internal network use agency-managed security software.

PR.DS-1.4 Inform users not to store unique copies of agency data on workstations or mobile devices.

PR.DS-2.1 Encrypt confidential and exempt information during transmission, except when the transport medium is owned or managed by the agency and controls are in place to protect the data during transit.

PR.DS-2.2 Ensure that wireless transmissions of agency data employ cryptography for authentication and transmission.

PR.DS-2.3 Make passwords unreadable during transmission and storage.

PR.DS-2.4 Encrypt mobile IT resources that store, process, or transmit exempt, or confidential and exempt, agency data.

PR.DS-2.5 Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.

PR.DS-2.6 Block access to known file transfer and e-mail exfiltration websites.

PR.DS-2.7 Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want.

PR.DS-3.1 Before equipment is disposed of or released for reuse, sanitize or destroy media in accordance with the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

PR.DS-3.2 Destruction of confidential or exempt information shall be conducted such that the information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction.

PR.DS-3.3 Document procedures for sanitization of agency-owned IT resources prior to reassignment or disposal.

PR.DS-3.4 Equipment sanitization shall be performed such that confidential or exempt information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction. File deletion and media formatting are not acceptable methods of sanitization. Acceptable methods of sanitization include using software to overwrite data on computer media, degaussing, or physically destroying media.

PR.DS-4.1 Ensure adequate audit/log capacity.

PR.DS-4.2 Protect against or limit the effects of denial of service attacks.

PR.DS-5.1 Establish a policy and processes that address the appropriate handling and protection of exempt, and confidential and exempt, information. The policy shall be reviewed and acknowledged by all workers.

PR.DS-5.2 Retain and destroy confidential and exempt information in accordance with the records retention requirements provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

PR.DS-5.3 Develop and document access agreements for agency information systems.

PR.DS-5.4 Boundary protection.

PR.DS-5.5 Transmission confidentiality & integrity.

PROTECT (PR)

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected

PR.DS-2: Data-in-transit is protected

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

PR.DS-4: Adequate capacity to ensure availability is maintained

PR.DS-5: Protections against data leaks are implemented

Page 12

Informative references, PR.DS-5 (continued from page 11):

· ISA 62443-3-3:2013 SR 5.2
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

Informative references, PR.DS-6:

· ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SI-7

Informative references, PR.DS-7:

· COBIT 5 BAI07.04
· ISO/IEC 27001:2013 A.12.1.4
· NIST SP 800-53 Rev. 4 CM-2

Informative references, PR.IP-1 (SANS CSC 3, 10; the list continues on pages 13 and 14):

· CCS CSC 3, 10
· COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05

PR.DS-6.1 Application controls shall be established to ensure the accuracy and completeness of data, including validation and integrity checks, to detect data corruption that may occur through processing errors or deliberate actions.

PR.DS-6.2 Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.

PR.DS-6.3 For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

PR.DS-6.4 Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. In particular, input validation and output encoding routines of application software should be reviewed and tested.

PR.DS-6.5 For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software or accessible in the production environment.

PR.DS-7.1 Physically or logically separate development and testing environment(s) from the production environment, and ensure that production exempt, or confidential and exempt, data is not used for development where technology permits. Production exempt, or confidential and exempt, data may be used for testing if the data owner authorizes the use and regulatory prohibitions do not exist; the test environment limits access and access is audited; and production exempt, and confidential and exempt, data is removed from the system when testing is completed. Data owner authorization shall be managed via technical means, to the extent practical.

PR.DS-7.2 Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments.

PR.IP-1.1 Specify standard hardware and secure standard configurations.

PR.IP-1.2 Include documented firewall and router configuration standards, and include a current network diagram.

PR.IP-1.3 Require that vendor default settings posing security risks are changed or disabled for agency-owned or managed IT resources, including encryption keys, accounts, passwords, and SNMP (Simple Network Management Protocol) community strings, and ensure device security settings are enabled where appropriate.

PR.IP-1.4 Allow only agency-approved software to be installed on agency-owned IT resources.

PR.IP-1.5 Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.

PR.IP-1.6 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization’s change management processes. Images should be created for workstations, servers, and other system types used by the organization.

PR.IP-1.7 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored on offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.

PR.IP-1.8 Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS, or IPsec.

PR.IP-1.9 Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).
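
As an added illustration of the baseline-and-compare logic PR.IP-1.9 calls for (example code written for this page, not the standard's own or any product's tooling; the directory layout, file names and the log/* allowlist are constructed), the following snapshot helper records a SHA-256 digest plus owner and permission bits for each file, then reports content, permission and ownership changes and files added to or removed from key areas, skipping allowlisted routine changes:

```python
"""Baseline-and-compare file integrity check in the spirit of PR.IP-1.9.
Added illustration, not the standard's own tooling and not a substitute for a
maintained FIM product: it hashes every regular file under a root, records
owner and permission bits, and reports content changes, permission and
ownership changes, and files added or removed, while treating paths that
match an allowlist as the routine, expected changes the control mentions."""
import fnmatch
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    sha256: str
    mode: int  # permission bits only (stat.S_IMODE), e.g. 0o644
    uid: int
    gid: int


def snapshot(root):
    """Return {relative_path: Record} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = Record(digest.hexdigest(), stat.S_IMODE(st.st_mode),
                                   st.st_uid, st.st_gid)
    return baseline


def compare(old, new, expected_patterns=()):
    """Classify differences between two snapshots.

    Paths matching expected_patterns (fnmatch globs) are the routine changes a
    reporting system must account for; everything else is returned so an
    analyst can alert on it. Each finding list is sorted by path."""
    findings = {"modified": [], "permissions": [], "owner": [],
                "added": [], "removed": []}
    for path in sorted(set(old) | set(new)):
        if any(fnmatch.fnmatch(path, pat) for pat in expected_patterns):
            continue
        if path not in old:
            findings["added"].append(path)  # extra file in a key area
        elif path not in new:
            findings["removed"].append(path)
        else:
            before, after = old[path], new[path]
            if before.sha256 != after.sha256:
                findings["modified"].append(path)
            if before.mode != after.mode:
                findings["permissions"].append(path)
            if (before.uid, before.gid) != (after.uid, after.gid):
                findings["owner"].append(path)
    return findings


def demo():
    """Constructed scenario in a temporary tree: one config edit, one
    permission change on a binary, one routine log append, one new file."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("bin/daemon", b"\x7fELF..."),
                          ("etc/sshd_config", b"PermitRootLogin no\n"),
                          ("log/app.log", b"started\n")):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        with open(os.path.join(root, "etc/sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")  # unexpected configuration drift
        os.chmod(os.path.join(root, "bin/daemon"), 0o777)  # now world-writable
        with open(os.path.join(root, "log/app.log"), "ab") as fh:
            fh.write(b"rotated\n")  # routine change, covered by the allowlist
        with open(os.path.join(root, "bin/extra"), "wb") as fh:
            fh.write(b"unknown\n")  # new file dropped into a key system area

        return compare(baseline, snapshot(root), expected_patterns=("log/*",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12s} {paths}")
```

Alternate data streams are NTFS-specific and not covered by this POSIX-oriented check; a production deployment would also store the baseline signed and off-host and keep the change history together with the responsible account.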

PR.IP-1.10 Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. Whenever possible use tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline reporting and integration.

PR.IP-1.11 Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems, that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis.

PR.IP-1.12 Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.

PR.IP-1.13 Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

PR.IP-1.14 Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.

PR.IP-1.15 All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need.

PR.IP-1.16 Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be logged and automatically reported to security personnel.

PR.IP-1.17 To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.
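
To show the session-duration check PR.IP-1.17 describes as detection logic (an added example, not the standard's own tooling; the key=value log format, the fw01 host name, the documentation-range addresses, the 3600-second threshold and the KNOWN_LONG_LIVED list are all constructed assumptions), the following parses session-end records exported by a firewall, computes each session's duration from its start and end timestamps, and reports the source and destination addresses of sessions exceeding the organization's threshold:

```python
"""Flag unusually long TCP sessions from firewall session logs (PR.IP-1.17).
Added illustration, not the standard's own tooling. The log lines below are
constructed in a generic key=value syslog style; real firewalls use their own
export formats, so parse_session() is the part to adapt."""
import re
from datetime import datetime

TIMESTAMP = "%Y-%m-%dT%H:%M:%SZ"
KEY_VALUE = re.compile(r"(\w+)=(\S+)")

# Constructed sample export (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    "2024-03-01T08:13:00Z fw01 session-end src=10.0.0.5 sport=51234 dst=203.0.113.9 "
    "dport=443 proto=tcp start=2024-03-01T02:13:00Z end=2024-03-01T08:13:00Z bytes_out=5242880",
    "2024-03-01T08:00:12Z fw01 session-end src=10.0.0.8 sport=40211 dst=198.51.100.4 "
    "dport=443 proto=tcp start=2024-03-01T08:00:00Z end=2024-03-01T08:00:12Z bytes_out=2048",
    "2024-03-01T08:05:00Z fw01 session-end src=10.0.0.12 sport=55120 dst=192.0.2.7 "
    "dport=22 proto=tcp start=2024-03-01T07:10:00Z end=2024-03-01T08:05:00Z bytes_out=90112",
    "2024-03-01T08:00:00Z fw01 session-end src=10.0.0.20 sport=1194 dst=198.51.100.20 "
    "dport=1194 proto=tcp start=2024-02-29T08:00:00Z end=2024-03-01T08:00:00Z bytes_out=734003200",
    "2024-03-01T08:00:00Z fw01 link-up eth0",
    "2024-03-01T08:00:00Z fw01 session-end src=10.0.0.31 sport=60001 dst=203.0.113.50 "
    "dport=8443 proto=tcp start=2024-03-01T03:00:00Z end=2024-03-01T08:00:00Z bytes_out=1048576",
]

# Destination/port pairs that legitimately hold sessions for hours (site-to-site
# VPN, monitoring collectors). Tune per organization so the alert is not drowned
# in known-good traffic; everything else is judged against the threshold.
KNOWN_LONG_LIVED = {("198.51.100.20", 1194)}


def parse_session(line):
    """Return a dict for a session-end record, or None for any other line."""
    if " session-end " not in line:
        return None
    fields = dict(KEY_VALUE.findall(line))
    try:
        start = datetime.strptime(fields["start"], TIMESTAMP)
        end = datetime.strptime(fields["end"], TIMESTAMP)
        return {"src": fields["src"], "dst": fields["dst"],
                "dport": int(fields["dport"]),
                "seconds": (end - start).total_seconds(),
                "bytes_out": int(fields.get("bytes_out", 0))}
    except (KeyError, ValueError):
        return None  # malformed record: skip rather than guess


def find_long_sessions(lines, threshold_seconds, known_long_lived=KNOWN_LONG_LIVED):
    """Sessions longer than the organization's threshold, longest first,
    excluding destination/port pairs on the known-long-lived list."""
    hits = []
    for line in lines:
        session = parse_session(line)
        if session is None or session["seconds"] <= threshold_seconds:
            continue
        if (session["dst"], session["dport"]) in known_long_lived:
            continue
        hits.append(session)
    hits.sort(key=lambda s: s["seconds"], reverse=True)
    return hits


def format_alert(session):
    """One line per hit carrying the addresses the control says to report."""
    hours = session["seconds"] / 3600
    return (f"long session: {session['src']} -> {session['dst']}:{session['dport']} "
            f"lasted {hours:.1f} h, {session['bytes_out']} bytes out")


if __name__ == "__main__":
    for s in find_long_sessions(SAMPLE_LOG, threshold_seconds=3600):
        print(format_alert(s))
```

With the constructed data, the 12-second HTTPS session and the 55-minute SSH session stay under the threshold, the day-long VPN tunnel is suppressed by the allowlist, and the two multi-hour sessions to 203.0.113.9 and 203.0.113.50 are reported.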

PR.IP-1.18 For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.

PR.IP-1.19 Do not display system error messages to end-users (output sanitization).

PR.IP-1.20 For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.


PROTECT (PR)


PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

PR.DS-7: The development and testing environment(s) are separate from the production environment

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained

Page 13

Informative references, PR.IP-1 (continued from page 12):

· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4


Page 14

Informative references, PR.IP-1 (continued from page 13):

· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

Informative references, PR.IP-2 (SANS CSC 6):

· COBIT 5 APO13.01
· ISA 62443-2-1:2009 4.3.4.3.3
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
· NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8

Informative references, PR.IP-3 (SANS CSC 6; the list continues on page 15):

· COBIT 5 BAI06.01, BAI01.06
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4


PR.IP-2.1 Develop and implement processes that include reviews of security requirements and controls to ascertain effectiveness and appropriateness relative to new technologies and applicable state and federal regulations.

PR.IP-2.2 Ensure security reviews are approved by the ISM and Chief Information Officer (or designee) before new or modified applications or technologies are moved into production. For IT resources housed in a state data center, the security review shall also be approved by the data center before the new or modified applications or technologies are moved into production.

PR.IP-2.3 The application development team at each agency shall implement appropriate security controls to minimize risks to agency information technology resources and meet the security requirements of the application owner. Agencies will identify in their policies, processes and procedures the security coding guidelines the agency will follow when obtaining, purchasing, leasing or developing software.

PR.IP-2.4 Where technology permits, the agency shall ensure anti-malware software is maintained on agency IT resources.

PR.IP-3.1 Determine types of changes that are configuration-controlled (e.g., emergency patches, releases, and other out-of-band security packages).

PR.IP-3.2 Develop a process to review and approve or disapprove proposed changes based on a security impact analysis (e.g., implementation is commensurate with the risk associated with the weakness or vulnerability).

PR.IP-3.3 Develop a process to document change decisions.

PR.IP-3.4 Develop a process to implement approved changes and review implemented changes.

PR.IP-3.5 Develop an oversight capability for change control activities.

PR.IP-3.6 Develop procedures to ensure security requirements are incorporated into the change control process.

PR.IP-3.7 Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.

PROTECT (PR)


PR.IP-2: A System Development Life Cycle to manage systems is implemented

PR.IP-3: Configuration change control processes are in place

Page 15

Informative references, PR.IP-3 (continued from page 14):

· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

Informative references, PR.IP-4:

· COBIT 5 APO13.01
· ISA 62443-2-1:2009 4.3.4.3.9
· ISA 62443-3-3:2013 SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
· NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9

Informative references, PR.IP-5:

· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18

Informative references, PR.IP-6:

· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.4.4.4
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
· NIST SP 800-53 Rev. 4 MP-6

Informative references, PR.IP-7 (the list continues on the next page):

· COBIT 5 APO11.06, DSS04.05

PR.IP-3.1 Determine types of changes that are configuration-controlled (e.g. emergency patches, releases, and other out-of-band security packages).

PR.IP-3.2 Develop a process to review and approve or disapprove proposed changes based on a security impact analysis (e.g., implementation is commensurate with the risk associated with the weakness or vulnerability).

PR.IP-3.3 Develop a process to document change decisions.


PR.IP-4.1 Ensure backups of information are conducted, maintained, and tested periodically.

PR.IP-4.2 Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.

PR.IP-4.3 Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements.

PR.IP-4.4 Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

PR.IP-4.5 Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

PR.IP-4.6 Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker, which seek to encrypt or damage data on all addressable data shares, including backup destinations.

PR.IP-5.1 Establish policy and regulatory expectations for protection of the physical operating environment for agency-owned or managed IT resources.

PR.IP-6.1 Manage and dispose of records/data in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

PR.IP-7.1 Establish a policy and procedure review process that facilitates continuous improvement to protection processes.

PR.IP-7.2 Ensure security control selection occurs at the beginning of the system development lifecycle (SDLC) and is documented in final design documentation.

PR.IP-7.3 System security plans shall document controls necessary to protect production data in the production environment and copies of production data used in non-production environments.

PR.IP-7.4 System security plans are confidential per section 282.318, F.S., and shall be available to the agency ISM and CISO.

PR.IP-7.5 Require that each agency application or system with a categorization of moderate-impact or higher have a documented system security plan (SSP). For existing production systems that lack an SSP, a risk assessment shall be performed to determine prioritization of subsequent documentation efforts.

PR.IP-7.6 The SSP shall include provisions that:

i. Align the system with the agency’s enterprise architecture

ii. Define the authorization boundary for the system

iii. Describe the mission-related business purpose

iv. Provide the security categorization, including security requirements and rationale (compliance, availability, etc.)

v. Describe the operational environment, including relationships, interfaces, or dependencies on external services

vi. Provide an overview of system security requirements

vii. Identify the authorizing official or designee, who reviews and approves prior to implementation

PR.IP-7.7 Require information system owners (ISOs) to define application security-related business requirements using role-based access controls and rule-based security policies.

PR.IP-7.8 Require ISOs to establish and authorize the types of privileges and access rights appropriate to system users, both internal and external.

PR.IP-7.9 Create procedures to address inspection of content stored, processed or transmitted on agency-owned or managed IT resources, including attached removable media. Inspection shall be performed where authorization has been provided by stakeholders that should or must receive this information.

PR.IP-7.10 Establish parameters for agency-managed devices that prohibit installation (without worker consent) of clients that allow the agency to inspect private partitions or personal data.

PR.IP-7.11 Require ISOs to ensure segregation of duties when establishing system authorizations.

PR.IP-7.12 Establish controls that prohibit a single individual from having the ability to complete all steps in a transaction or control all stages of a critical process.

PR.IP-7.13 Require agency information owners to identify exempt, and confidential and exempt, information in their systems.

PR.IP-7.14 Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

PROTECT (PR)

Information Protection Processes and Procedures (PR.IP)

PR.IP-3: Configuration change control processes are in place

PR.IP-4: Backups of information are conducted, maintained, and tested periodically

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met

PR.IP-6: Data is destroyed according to policy

PR.IP-7: Protection processes are continuously improved

Page 16

Informative References

PR.IP-7 (continued)
· ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6

PR.IP-8
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4

PR.IP-9
· COBIT 5 DSS04.03
· ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2
· NIST SP 800-53 Rev. 4 CP-2, IR-8

PR.IP-10
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14

PR.IP-11
· COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
· ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
· ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4
· NIST SP 800-53 Rev. 4 PS Family

PR.IP-12
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.2

PR.IP-8.1 Ensure that the effectiveness of protection technologies is shared with stakeholders that should or must receive this information.

PR.IP-9.1 Develop, implement and manage response plans (e.g., Incident Response and Business Continuity) and recovery plans (e.g., Incident Recovery and Disaster Recovery).

PR.IP-9.2 Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

PR.IP-10.1 Establish a procedure that ensures that agency response and recovery plans are regularly tested.

PR.IP-11.1 Include cybersecurity in human resources practices (e.g., de-provisioning, personnel screening).

PR.IP-12.1 Each agency shall develop and implement a vulnerability management plan.

PR.IP-12.2 Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.


PROTECT (PR)

Information Protection Processes and Procedures (PR.IP)

PR.IP-7: Protection processes are continuously improved

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed

PR.IP-10: Response and recovery plans are tested

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

PR.IP-12: A vulnerability management plan is developed and implemented

Page 17

Informative References

PR.IP-12 (continued)
· NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2

PR.MA-1
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.7
· ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5

PR.MA-2
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
· NIST SP 800-53 Rev. 4 MA-4

PR.PT-1 (SANS Critical Security Control 14)
· CCS CSC 14
· COBIT 5 APO11.04
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
· NIST SP 800-53 Rev. 4 AU Family

PR.PT-2
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 2.3
· ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
· NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7

PR.PT-3
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
· ISO/IEC 27001:2013 A.9.1.2

PR.PT-3.1 Control access to systems and assets, utilizing the principle of least trust.

PR.PT-3.2 Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but, based on higher risk, should not be installed within a networked environment.

PR.PT-3.3 All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

PR.PT-3.4 All information stored on systems shall be protected with file system, network share, claims, application, or database-specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information, based on their need to access the information as a part of their responsibilities.

PR.PT-3.5 Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information.

PR.PT-3.6 Archived data sets or systems not regularly accessed by the organization shall be removed from the organization's network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or completely virtualized and powered off until needed.


PR.MA-1.1 Perform and log maintenance and repair of IT resources in a timely manner with tools that have been approved and are administered by the agency to be used for such activities.

PR.MA-2.1 Approve, encrypt, log and perform remote maintenance of IT resources in a manner that prevents unauthorized access.

PR.MA-2.2 Do not engage in new development of custom authenticators. Agencies assess the feasibility of replacing agency-developed authenticators in legacy applications.

PR.PT-1.1 Determine and document required audit/log records, implement logging of audit records, and protect and review logs in accordance with agency-developed policy. Agency-developed policy shall be based on resource criticality. Where possible, ensure that electronic audit records allow actions of users to be uniquely traced to those users so they can be held accountable for their actions. Maintain logs identifying where access to exempt, or confidential and exempt, data was permitted. The logs shall support unique identification of individuals and permit an audit of the logs to trace activities through the system, including the capability to determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the individual.

PR.PT-1.2 Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.

PR.PT-2.1 Protect and restrict removable media in accordance with agency-developed information security policy.

PR.PT-2.2 If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.

PROTECT (PR)

Information Protection Processes and Procedures (PR.IP)

PR.IP-12: A vulnerability management plan is developed and implemented

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

PR.PT-2: Removable media is protected and its use restricted according to policy

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality

Page 18

Informative References

PR.PT-3 (continued)
· NIST SP 800-53 Rev. 4 AC-3, CM-7

PR.PT-4 (SANS Critical Security Control 7)
· CCS CSC 7
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1


PR.PT-4.1 Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to agency IT resources.

PR.PT-4.2 Place databases containing mission critical, exempt, or confidential and exempt data in an internal network zone, segregated from the demilitarized zone (DMZ).

PR.PT-4.3 Agencies shall require host-based (e.g. a system controlled by a central or main computer) boundary protection on mobile computing devices where technology permits (i.e., detection agent).

PR.PT-4.4 Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes.

PR.PT-4.5 Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins and unnecessary scripting languages, generally be configured with limited functionality, and be used for general web browsing. The other configuration shall allow for more browser functionality but should only be used to access specific websites that require the use of such functionality.

PR.PT-4.6 The organization shall maintain and enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

PR.PT-4.7 To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.

PR.PT-4.8 Manage network devices using two-factor authentication and encrypted sessions.

PR.PT-4.9 Install the latest stable version of any security-related updates on all network devices.

PR.PT-4.10 Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

PR.PT-4.11 On DMZ networks, configure monitoring systems (which may be built into the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet headers and payloads, of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information and Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

PR.PT-4.12 Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.

PR.PT-4.13 Segment the network based on the label or classification level of the information stored on the servers. Locate all sensitive information on separate VLANs with firewall filtering to ensure that authorized individuals are only able to communicate with the systems necessary to fulfill their specific responsibilities.

PR.PT-4.14 All network switches will enable Private Virtual Local Area Networks (VLANs) for segmented workstation networks to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to move laterally to compromise neighboring systems.

PR.PT-4.15 Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition, all wireless traffic should be monitored by the WIDS as it passes into the wired network.

PR.PT-4.16 Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.

PR.PT-4.17 Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which provide credential protection and mutual authentication.

PR.PT-4.18 Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly.

PROTECT (PR)

Protective Technology (PR.PT)

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality

PR.PT-4: Communications and control networks are protected

Page 19

Informative References

PR.PT-4 (continued)
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7

DE.AE-1
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4

DE.AE-2
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

DE.AE-3
· ISA 62443-3-3:2013 SR 6.1
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

DE.AE-4
· COBIT 5 APO12.06
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4

DE.AE-5
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.2.3.10
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8

DE.CM-1 (SANS Critical Security Control 14, 16)
· CCS CSC 14, 16
· COBIT 5 DSS05.07
· ISA 62443-3-3:2013 SR 6.2


DE.AE-1.1 Establish and manage a baseline of network operations and expected data flows for

users and systems.

DE.AE-2.1 Detect and analyze anomalous events to determine attack targets and methods.

DE.AE-2.2 Monitor unauthorized wireless access points when connected to the agency internal

network, and immediately remove them upon detection.

DE.AE-2.3 Implement procedures to establish accountability for accessing and modifying exempt,

or confidential and exempt data stores to ensure inappropriate access or modification is

detectable.

DE.AE-3.1 Aggregate and correlate event data from multiple sources and sensors.

DE.AE-4.1 Determine the impact of events.

DE.AE-5.1 Establish incident alert thresholds.

DE.CM-1.1 Monitor for unauthorized IT resource connections to the internal agency network.

DE.CM-1.2 Employ automated tools to continuously monitor workstations, servers, and mobile

devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All

malware detection events should be sent to enterprise anti-malware administration tools and

event log servers.

DE.CM-1.3 Use network-based anti-malware tools to identify executables in all network traffic

and use techniques other than signature-based detection to identify and filter out malicious

content before it arrives at the endpoint.

DE.CM-1.4 Deploy network-based IDS sensors on Internet and extranet DMZ systems and

networks that look for unusual attack mechanisms and detect compromise of these systems. These

network-based IDS sensors may detect attacks through the use of signatures, network behavior

analysis, or other mechanisms to analyze traffic.

DE.CM-1.5 Network-based IPS devices should be deployed to complement IDS by blocking known

bad signatures or the behavior of potential attacks. As attacks become automated, methods such

as IDS typically delay the amount of time it takes for someone to react to an attack. A properly

configured network-based IPS can provide automation to block bad traffic. When evaluating

network-based IPS products, include those using techniques other than signature-based detection

(such as virtual machine or sandbox-based approaches) for consideration.

DE.CM-1.6 Periodically scan for back-channel connections to the Internet that bypass the DMZ,

including unauthorized VPN connections and dual-homed hosts connected to the enterprise

network and to other networks via wireless, dial-up modems, or other mechanisms.

DE.CM-1.7 Conduct periodic scans of server machines using automated tools to determine

whether sensitive data (e.g., personally identifiable information, health, credit card, or classified

information) is present on the system in clear text. These tools, which search for patterns that

indicate the presence of sensitive information, can help identify if a business or technical process

is leaving behind or otherwise leaking sensitive information.
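The pattern-based scan DE.CM-1.7 describes, as an added example that is not part of the standard: it looks for US Social Security numbers and payment card numbers in text, validates card candidates with the Luhn checksum to cut false positives, and reports findings with the value masked so the scan output does not itself leak the data. The sample text, the file suffix list and the SSN plausibility rules are assumptions chosen for illustration.

```python
"""Scan text for clear-text sensitive data patterns (DE.CM-1.7).

Added example, not part of the standard.  Patterns, thresholds and the
sample content below are assumptions chosen for illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator

# Candidate patterns.  Card numbers are validated with the Luhn checksum
# afterwards, which removes most random 13-19 digit runs (invoice numbers,
# tracking ids) that would otherwise be reported.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    source: str      # file path or other label for where the text came from
    line_no: int
    kind: str        # "ssn" or "card"
    masked: str      # value with all but the last four digits hidden


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000/666/9xx, zero group or serial)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Hide everything but the last four digits so reports stay safe to share."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, source: str = "<text>") -> list[Finding]:
    """Return all sensitive-data findings in `text`, one per match."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding(source, line_no, "ssn", mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, "card", mask(digits)))
    return findings


def scan_tree(root: Path, suffixes=(".txt", ".log", ".csv", ".cfg")) -> Iterator[Finding]:
    """Walk a directory and scan text files; binary or undecodable files are skipped."""
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="strict")
            except (UnicodeDecodeError, OSError):
                continue
            yield from scan_text(text, str(path))


# Constructed sample, not real data: one SSN, one well-known test card number
# (4111 1111 1111 1111 passes Luhn), one never-issued SSN and one digit run
# that fails the checksum.
SAMPLE = """customer_id=10482 ssn=123-45-6789
order 8827 paid with 4111 1111 1111 1111 on 2014-03-01
bogus ssn 666-12-3456 should not be flagged
tracking 4111111111111112 is not a card (fails Luhn)
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.txt"):
        print(f"{f.source}:{f.line_no} {f.kind} {f.masked}")
```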

DE.CM-1.8 Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.

DE.CM-1.9 Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.

PROTECT (PR)

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-4: Communications and control networks are protected

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

DE.AE-2: Detected events are analyzed to understand attack targets and methods

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors

DE.AE-4: Impact of events is determined

DE.AE-5: Incident alert thresholds are established

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events

Page 20

· NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
· ISA 62443-2-1:2009 4.3.3.3.8
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
· ISA 62443-3-3:2013 SR 6.2
· ISO/IEC 27001:2013 A.12.4.1
· NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
· CCS CSC 5 5
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.3.4.3.8
· ISA 62443-3-3:2013 SR 3.2
· ISO/IEC 27001:2013 A.12.2.1
· NIST SP 800-53 Rev. 4 SI-3
· ISA 62443-3-3:2013 SR 2.4
· ISO/IEC 27001:2013 A.12.5.1
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
· COBIT 5 APO07.06
· ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

DE.CM-3.1 Monitor user activity to detect potential cybersecurity events.

DE.CM-3.2 Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than the computers on which the user generally works.
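The three checks DE.CM-3.2 asks for (unusual hour, unusual duration, unfamiliar computer) as detection logic, an added example that is not part of the standard: a per-user baseline is built from past session records, and recent sessions are reported with the reason they depart from it. The session records, the two-login minimum for an hour to count as normal, and the mean plus two standard deviations duration threshold are assumptions chosen for illustration.

```python
"""Profile typical account usage and flag unusual logins (DE.CM-3.2).

Added example, not part of the standard.  The session records, the
two-login minimum for a "normal" hour and the mean + 2 standard deviation
duration threshold are all assumptions chosen for illustration.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    user: str
    start: datetime
    minutes: int    # session duration
    host: str       # workstation the credentials were used from


@dataclass
class Profile:
    hours: set[int] = field(default_factory=set)   # hours of day the user normally logs in
    hosts: set[str] = field(default_factory=set)   # workstations the user normally uses
    max_minutes: float = 0.0                       # longest session still considered normal


def build_profiles(history: list[Session], min_logins: int = 2, k: float = 2.0) -> dict[str, Profile]:
    """Derive one Profile per user from the baseline period.

    An hour is "normal" only if the user logged in during it at least
    `min_logins` times, so one odd login in the baseline does not widen it.
    The duration threshold is mean + k * population standard deviation.
    """
    per_user: dict[str, list[Session]] = defaultdict(list)
    for s in history:
        per_user[s.user].append(s)
    profiles: dict[str, Profile] = {}
    for user, sessions in per_user.items():
        hour_counts: dict[int, int] = defaultdict(int)
        for s in sessions:
            hour_counts[s.start.hour] += 1
        durations = [s.minutes for s in sessions]
        profiles[user] = Profile(
            hours={h for h, n in hour_counts.items() if n >= min_logins},
            hosts={s.host for s in sessions},
            max_minutes=mean(durations) + k * pstdev(durations),
        )
    return profiles


def flag_session(s: Session, profiles: dict[str, Profile]) -> list[str]:
    """Return the reasons a session is unusual; an empty list means it fits the profile."""
    p = profiles.get(s.user)
    if p is None:
        return ["no baseline for this user"]
    reasons: list[str] = []
    if s.start.hour not in p.hours:
        reasons.append(f"login at unusual hour {s.start.hour:02d}:00")
    if s.minutes > p.max_minutes:
        reasons.append(f"session of {s.minutes} min exceeds normal maximum of {p.max_minutes:.0f} min")
    if s.host not in p.hosts:
        reasons.append(f"credentials used from unfamiliar host {s.host}")
    return reasons


def unusual_sessions(history: list[Session], recent: list[Session]) -> dict[tuple[str, str], list[str]]:
    """Map (user, start time) of each flagged recent session to its reasons."""
    profiles = build_profiles(history)
    out: dict[tuple[str, str], list[str]] = {}
    for s in recent:
        reasons = flag_session(s, profiles)
        if reasons:
            out[(s.user, s.start.isoformat())] = reasons
    return out


# Constructed baseline: one week of alice's normal 8-hour office sessions.
HISTORY = [
    Session("alice", datetime(2014, 3, 3, 8, 2), 470, "WS-ALICE"),
    Session("alice", datetime(2014, 3, 4, 8, 10), 485, "WS-ALICE"),
    Session("alice", datetime(2014, 3, 5, 9, 1), 480, "WS-ALICE"),
    Session("alice", datetime(2014, 3, 6, 8, 55), 490, "WS-ALICE"),
    Session("alice", datetime(2014, 3, 7, 9, 12), 475, "WS-ALICE"),
]
# Constructed recent activity: a normal login, a 02:30 login, a login from
# another department's workstation, a 15-hour session and an unknown user.
RECENT = [
    Session("alice", datetime(2014, 3, 10, 8, 15), 465, "WS-ALICE"),
    Session("alice", datetime(2014, 3, 11, 2, 30), 60, "WS-ALICE"),
    Session("alice", datetime(2014, 3, 12, 9, 5), 480, "WS-FIN07"),
    Session("alice", datetime(2014, 3, 13, 8, 40), 900, "WS-ALICE"),
    Session("mallory", datetime(2014, 3, 13, 12, 0), 30, "WS-ALICE"),
]

if __name__ == "__main__":
    for key, reasons in unusual_sessions(HISTORY, RECENT).items():
        print(key, "; ".join(reasons))
```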

DE.CM-3.3 Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

DE.CM-4.1 Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content filtering.

DE.CM-4.2 Employ anti-malware software that offers a centralized infrastructure that compiles information on file reputations, or have administrators manually push updates to all machines. After applying an update, automated systems should verify that each system has received its signature update.

DE.CM-4.3 Enable domain name system (DNS) query logging to detect hostname lookups for known malicious C2 domains.
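What DE.CM-4.3's query logging is for, as an added example that is not part of the standard: DNS query log lines are parsed and each queried name is compared against a list of known-bad domains on label boundaries, so that a subdomain of a listed domain matches but an unrelated name that merely ends in the same characters does not. The log line format is a simplified, constructed one and the listed domains are placeholders under the reserved .example TLD, not real indicators.

```python
"""Match DNS query logs against known-malicious C2 domains (DE.CM-4.3).

Added example, not part of the standard.  The log line format below is a
constructed, simplified one (timestamp, client, query name, type); adapt
LINE_RE to what your resolver actually writes.  The domain list entries are
placeholders, not real indicators.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str
    matched: str   # the list entry that matched


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def matches(qname: str, blocked: str) -> bool:
    """True if qname is the listed domain or a subdomain of it.

    The comparison respects label boundaries: "cdn.bad.example" matches
    "bad.example" but "notbad.example" does not, which a plain endswith()
    check on the raw strings would wrongly flag.
    """
    q, b = normalize(qname), normalize(blocked)
    return q == b or q.endswith("." + b)


def scan_log(lines: list[str], blocklist: list[str]) -> list[Hit]:
    """Return one Hit per log line whose query name matches a listed domain."""
    hits: list[Hit] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue    # unparsed lines are skipped here; count them in production
        for b in blocklist:
            if matches(m["qname"], b):
                hits.append(Hit(m["ts"], m["client"], normalize(m["qname"]), normalize(b)))
                break
    return hits


def hits_by_client(hits: list[Hit]) -> dict[str, int]:
    """Count matches per querying client, which is the host to investigate."""
    counts: dict[str, int] = defaultdict(int)
    for h in hits:
        counts[h.client] += 1
    return dict(counts)


# Constructed data: placeholder domains and log lines, not real traffic.
BLOCKLIST = ["bad.example", "beacon.example"]
LOG = [
    "01-Mar-2014 10:15:02.123 client 10.1.2.3#51234: query: www.vendor.example IN A",
    "01-Mar-2014 10:15:07.004 client 10.1.2.3#51235: query: cdn.bad.example IN A",
    "01-Mar-2014 10:15:09.771 client 10.1.2.9#40211: query: notbad.example IN A",
    "01-Mar-2014 10:16:30.010 client 10.1.2.9#40212: query: BEACON.EXAMPLE. IN TXT",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in scan_log(LOG, BLOCKLIST):
        print(f"{h.ts} {h.client} looked up {h.qname} (matches {h.matched})")
```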

DE.CM-4.4 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

DE.CM-5.1 Monitor for unauthorized mobile code.

DE.CM-6.1 Monitor external service provider activity to detect potential cybersecurity events.


DE.CM-2.1 Monitor the physical environment to detect potential cybersecurity events.


DE.CM-2: The physical environment is monitored to detect potential cybersecurity events

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

DE.CM-4: Malicious code is detected

DE.CM-5: Unauthorized mobile code is detected

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events


Page 21

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

DE.CM-7.1 Monitor for unauthorized personnel, connections, devices, and software.

DE.CM-7.2 Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

DE.CM-7.3 Limit use of external devices to those with an approved, documented business need. Monitor for use and attempted use of external devices. Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares. Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted.

DE.CM-7.4 Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.

DE.CM-7.5 Monitor account usage to determine dormant accounts, notifying the user or user's manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations). Require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to valid workforce members.

DE.CM-7.6 Monitor attempts to access deactivated accounts through audit logging.
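DE.CM-7.5 and DE.CM-7.6 together, as an added example that is not part of the standard: an account directory export and an authentication audit log are joined to list enabled accounts with no successful logon inside the idle window (documented exceptions such as vendor maintenance accounts are skipped, and a notification is addressed to each account's manager), and separately to list every logon attempt against a disabled account. The 45-day idle window and all records are constructed assumptions.

```python
"""Dormant accounts and attempts against disabled accounts (DE.CM-7.5, DE.CM-7.6).

Added example, not part of the standard.  The directory export, audit
events and the 45-day idle window are constructed assumptions; real input
would come from the directory service and the authentication logs.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    manager: str
    exception: str = ""   # documented reason the account may stay dormant, if any


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    success: bool
    source: str           # workstation name or address the attempt came from


def dormant_accounts(accounts: list[Account], events: list[LogonEvent],
                     now: datetime, max_idle_days: int = 45) -> list[tuple[Account, datetime | None]]:
    """Enabled, non-exception accounts with no successful logon in the idle window.

    Returns (account, last successful logon or None if the account never
    logged on), in directory order.
    """
    last_ok: dict[str, datetime] = {}
    for e in events:
        if e.success and (e.user not in last_ok or e.when > last_ok[e.user]):
            last_ok[e.user] = e.when
    cutoff = now - timedelta(days=max_idle_days)
    result = []
    for a in accounts:
        if not a.enabled or a.exception:
            continue
        last = last_ok.get(a.name)
        if last is None or last < cutoff:
            result.append((a, last))
    return result


def disabled_account_attempts(accounts: list[Account], events: list[LogonEvent]) -> list[LogonEvent]:
    """Every logon attempt, successful or not, against an account that is disabled."""
    disabled = {a.name for a in accounts if not a.enabled}
    return [e for e in events if e.user in disabled]


def notifications(dormant: list[tuple[Account, datetime | None]]) -> list[tuple[str, str]]:
    """One (recipient, message) pair per dormant account, addressed to its manager."""
    msgs = []
    for a, last in dormant:
        seen = last.date().isoformat() if last else "never"
        msgs.append((a.manager, f"account {a.name} last logged in: {seen}; disable if not needed"))
    return msgs


# Constructed data, not a real directory or log.
NOW = datetime(2014, 3, 1, 9, 0)
ACCOUNTS = [
    Account("alice", True, "bob"),
    Account("carol", True, "bob"),
    Account("dave", False, "bob"),
    Account("erin", True, "frank"),
    Account("svc-backup", True, "frank", exception="vendor maintenance account used for system recovery"),
]
EVENTS = [
    LogonEvent(datetime(2014, 2, 27, 8, 5), "alice", True, "WS-ALICE"),
    LogonEvent(datetime(2013, 12, 1, 8, 30), "carol", True, "WS-CAROL"),
    LogonEvent(datetime(2014, 2, 28, 23, 40), "dave", False, "10.9.8.7"),
    LogonEvent(datetime(2014, 2, 28, 23, 41), "dave", False, "10.9.8.7"),
]

if __name__ == "__main__":
    for recipient, msg in notifications(dormant_accounts(ACCOUNTS, EVENTS, NOW)):
        print(f"to {recipient}: {msg}")
    for e in disabled_account_attempts(ACCOUNTS, EVENTS):
        print(f"{e.when.isoformat()} attempt on disabled account {e.user} from {e.source}")
```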

· NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
· COBIT 5 BAI03.10
20
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-5
· CCS CSC 5 5
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.4.3.1
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14
· ISA 62443-2-1:2009 4.4.3.2
· ISO/IEC 27001:2013 A.18.1.4
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4
· COBIT 5 APO13.02 20
· ISA 62443-2-1:2009 4.4.3.2
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.14.2.8
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4

DE.CM-8.1 Perform vulnerability scans. These shall be a part of the SDLC.

DE.CM-8.2 Deploy an automated tool on network perimeters that monitors for sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.

DE.CM-8.3 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.

DE.CM-8.4 Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

DE.DP-1.1 Define roles and responsibilities for detection to ensure accountability.

DE.DP-1.3 Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails.

DE.DP-2.1 Ensure that detection activities comply with all applicable requirements.

DE.DP-2.2 Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

DE.DP-3.1 Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

DE.DP-3.2 Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets.

DE.DP-3.3 Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.


DE.CM-8: Vulnerability scans are performed


Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability

DE.DP-2: Detection activities comply with all applicable requirements

DE.DP-3: Detection processes are tested

Page 22

· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.9
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.16.1.2
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4
· COBIT 5 APO11.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
· COBIT 5 BAI01.10
· CCS CSC 18 18
· ISA 62443-2-1:2009 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
· ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
· ISA 62443-2-1:2009 4.3.4.5.5
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8

DE.DP-5.1 Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.

RS.RP-1.1 Each agency shall execute a response plan during or after an event.

RS.RP-1.2 Agencies shall establish a Computer Security Incident Response Team (CSIRT) to respond to suspected computer security incidents. CSIRT members shall convene immediately upon notice of suspected computer security incidents.

RS.RP-1.3 CSIRT members convene at least quarterly to review, at a minimum, established processes and escalation protocols.

RS.RP-1.4 CSIRT members receive training at least annually on cybersecurity threats, trends, and evolving practices. Training shall be coordinated as a part of the information security program.

RS.RP-1.5 CSIRT membership shall include, at a minimum, a member from the information security team, the CIO (or designee), and a member from the Inspector General's Office. For agencies that are HIPAA-covered entities as defined by 45 CFR 164.103, CSIRT membership shall also include the agency's designated HIPAA privacy official or their designee. The CSIRT shall report findings to agency management.

RS.RP-1.6 The CSIRT shall determine the appropriate response required for each suspected computer security incident.

RS.RP-1.7 The agency security incident reporting process must include notification procedures, established pursuant to section 501.171, F.S., section 282.318, F.S., and as specified in executed agreements with external parties. For reporting incidents to AST and the Cybercrime Office (as established within the Florida Department of Law Enforcement via section 943.0415, F.S.), use the timeframes in the "TIMEFRAMES FOR REPORTING INCIDENTS TO AST AND THE CYBERCRIME OFFICE" table in the INSTRUCTIONS worksheet.

RS.RP-1.8 Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.

RS.RP-1.9 Assign job titles and duties for handling computer and network incidents to specific individuals.

RS.RP-1.10 Define management personnel who will support the incident handling process by acting in key decision-making roles.

RS.RP-1.11 Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents.

RS.CO-1.1 Inform workers of their roles and order of operations when a response is needed.

RS.CO-1.2 Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.

RS.CO-2.1 Require that events be reported consistent with established criteria and in accordance with agency incident reporting procedures. Criteria shall require immediate reporting, including instances of lost identification and authentication resources.

DE.DP-4.1 Communicate event detection information to stakeholders that should or must receive this information.


DE.DP-4: Event detection information is communicated to appropriate parties

DE.DP-5: Detection processes are continuously improved

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed

RS.CO-2: Events are reported consistent with established criteria

Page 23

· ISA 62443-2-1:2009 4.3.4.5.2
· ISO/IEC 27001:2013 A.16.1.2
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4
· ISA 62443-2-1:2009 4.3.4.5.5
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

RS.CO-5.1 Establish communications with external stakeholders to share and receive information to achieve broader cybersecurity situational awareness. Where technology permits, enable automated security alerts. Establish processes to receive, assess, and act upon security advisories.

RS.CO-5.2 Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an e-mail address of [email protected] or have a web page http://organization.com/security).

· NIST SP 800-53 Rev. 4 PM-15, SI-5
· COBIT 5 DSS02.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
· ISO/IEC 27001:2013 A.16.1.7
· NIST SP 800-53 Rev. 4 AU-7, IR-4
· ISA 62443-2-1:2009 4.3.4.5.6
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
· ISA 62443-2-1:2009 4.3.4.5.6
· ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
· COBIT 5 BAI01.13
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.IM-2: Response strategies are updated

RS.IM-2.1 Agencies shall update response strategies in accordance with agency-established policy.

· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· CCS CSC 8 8
· COBIT 5 DSS02.05, DSS03.04

RS.CO-3.1 Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.

RS.CO-4.1 Coordinate with stakeholders, consistent with response plans.

RS.AN-1.1 Each agency shall establish notification thresholds and investigate notifications from detection systems.

RS.AN-2.1 Each agency shall assess and identify the impact of the incident.

RS.AN-3.1 Each agency shall perform forensics, where deemed appropriate.

RS.AN-4.1 Each agency shall categorize incidents, consistent with response plans. Each incident report and analysis, including findings and corrective actions, shall be documented.

RS.MI-1.1 The objective of incident mitigation activities shall be to contain and prevent recurrence of incidents.

RS.MI-2.1 The objective of incident mitigation activities shall be to mitigate incident effects and eradicate the incident.

RS.MI-3.1 The objective of incident mitigation activities shall be to address vulnerabilities or document them as acceptable risks.

RS.IM-1.1 Each agency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans.

RC.RP-1.1 Execute a recovery plan during or after an event.

RC.RP-1.2 Mirror data and software, essential to the continued operation of critical agency functions, to an off-site location, or regularly back up a current copy and store it at an off-site location.

RC.RP-1.3 Develop procedures to prevent loss of data, and ensure that agency data, including unique copies, are backed up.

RC.RP-1.4 Document disaster recovery plans that address protection of critical IT resources and provide for the continuation of critical agency functions in the event of a disaster. Plans shall address shared resource systems, which require special consideration, when interdependencies may affect continuity of critical agency functions.

RC.RP-1.5 IT disaster recovery plans shall be tested at least annually; results of the annual exercise shall document plan procedures that were successful and specify any modifications required to improve the plan.

RS.CO-4: Coordination with stakeholders occurs consistent with response plans

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated

RS.AN-2: The impact of the incident is understood

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.


RS.AN-3: Forensics are performed

RS.AN-4: Incidents are categorized consistent with response plans

RS.MI-1: Incidents are contained

RS.MI-2: Incidents are mitigated

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned

RS.CO-3: Information is shared consistent with response plans

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event

Page 24

· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
· COBIT 5 BAI05.07
· ISA 62443-2-1:2009 4.4.3.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 BAI07.08
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RC.CO-1: Public relations are managed

RC.CO-1.1 Manage public relations.

· COBIT 5 EDM03.02

RC.CO-2: Reputation after an event is repaired

RC.CO-2.1 Attempt to repair reputation after an event, if applicable.

· COBIT 5 MEA03.02

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams

RC.CO-3.1 Communicate recovery activities to stakeholders, internal and external where appropriate.

· NIST SP 800-53 Rev. 4 CP-2, IR-4

RC.IM-1.1 Incorporate lessons learned in recovery plans.

RC.IM-2.1 Update recovery strategies.



Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned

RC.IM-2: Recovery strategies are updated

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet