graphgrc

SCF Controls

AST - Asset Management

• AST-01 - Asset Governance
• AST-01.1 - Asset-Service Dependencies
• AST-01.2 - Stakeholder Identification & Involvement
• AST-02 - Asset Inventories
• AST-02.1 - Updates During Installations / Removals
• AST-02.2 - Automated Unauthorized Component Detection
• AST-02.3 - Component Duplication Avoidance
• AST-02.7 - Software Licensing Restrictions
• AST-02.8 - Data Action Mapping
• AST-03 - Asset Ownership Assignment
• AST-03.1 - Accountability Information
• AST-03.2 - Provenance
• AST-04 - Network Diagrams & Data Flow Diagrams (DFDs)
• AST-04.1 - Asset Scope Classification
• AST-05 - Security of Assets & Media
• AST-06 - Unattended End-User Equipment
• AST-07 - Kiosks & Point of Interaction (PoI) Devices
• AST-08 - Tamper Detection
• AST-09 - Secure Disposal, Destruction or Re-Use of Equipment
• AST-10 - Return of Assets
• AST-11 - Removal of Assets
• AST-12 - Use of Personal Devices
• AST-15 - Tamper Protection
• AST-15.1 - Inspection of Systems, Components & Devices

  BCD - Business Continuity & Disaster Recovery

• BCD-01 - Business Continuity Management System (BCMS)
• BCD-01.1 - Coordinate with Related Plans
• BCD-01.2 - Coordinate With External Service Providers
• BCD-01.4 - Recovery Time / Point Objectives (RTO / RPO)
• BCD-02 - Identify Critical Assets
• BCD-02.1 - Resume All Missions & Business Functions
• BCD-02.2 - Continue Essential Mission & Business Functions
• BCD-02.3 - Resume Essential Missions & Business Functions
• BCD-03 - Contingency Training
• BCD-03.1 - Simulated Events
• BCD-04 - Contingency Plan Testing & Exercises
• BCD-04.1 - Coordinated Testing with Related Plans
• BCD-05 - Contingency Plan Root Cause Analysis (RCA) & Lessons Learned
• BCD-06 - Contingency Planning & Updates
• BCD-07 - Alternative Security Measures
• BCD-08 - Alternate Storage Site
• BCD-08.1 - Separation from Primary Site
• BCD-08.2 - Accessibility
• BCD-09 - Alternate Processing Site
• BCD-09.1 - Separation from Primary Site
• BCD-09.2 - Accessibility
• BCD-09.3 - Alternate Site Priority of Service
• BCD-10 - Telecommunications Services Availability
• BCD-10.1 - Telecommunications Priority of Service Provisions
• BCD-11 - Data Backups
• BCD-11.1 - Testing for Reliability & Integrity
• BCD-11.2 - Separate Storage for Critical Information
• BCD-11.3 - Information System Imaging
• BCD-11.4 - Cryptographic Protection
• BCD-11.7 - Redundant Secondary System
• BCD-12 - Information System Recovery & Reconstitution
• BCD-12.1 - Transaction Recovery
• BCD-12.2 - Failover Capability
• BCD-13 - Backup & Restoration Hardware Protection

  CAP - Capacity & Performance Planning

• CAP-01 - Capacity & Performance Management
• CAP-02 - Resource Priority
• CAP-03 - Capacity Planning

  CFG - Configuration Management

• CFG-01 - Configuration Management Program
• CFG-01.1 - Assignment of Responsibility
• CFG-02 - System Hardening Through Baseline Configurations
• CFG-02.1 - Reviews & Updates
• CFG-02.2 - Automated Central Management & Verification
• CFG-02.3 - Retention Of Previous Configurations
• CFG-02.4 - Development & Test Environment Configurations
• CFG-02.5 - Configure Systems, Components or Services for High-Risk Areas
• CFG-02.7 - Approved Configuration Deviations
• CFG-02.9 - Baseline Tailoring
• CFG-03 - Least Functionality
• CFG-03.1 - Periodic Review
• CFG-03.2 - Prevent Unauthorized Software Execution
• CFG-03.3 - Unauthorized or Authorized Software (Blacklisting or Whitelisting)
• CFG-03.4 - Split Tunneling
• CFG-04 - Software Usage Restrictions
• CFG-04.2 - Unsupported Internet Browsers & Email Clients
• CFG-05 - User-Installed Software
• CFG-05.1 - Unauthorized Installation Alerts

  CHG - Change Management

• CHG-01 - Change Management Program
• CHG-02 - Configuration Change Control
• CHG-02.1 - Prohibition Of Changes
• CHG-02.2 - Test, Validate & Document Changes
• CHG-02.3 - Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
• CHG-03 - Security Impact Analysis for Changes
• CHG-04 - Access Restriction For Change
• CHG-04.3 - Dual Authorization for Change
• CHG-05 - Stakeholder Notification of Changes
• CHG-06 - Cybersecurity Functionality Verification

  CLD - Cloud Security

• CLD-01 - Cloud Services
• CLD-02 - Cloud Security Architecture
• CLD-04 - Application & Program Interface (API) Security
• CLD-06 - Multi-Tenant Environments
• CLD-06.1 - Customer Responsibility Matrix (CRM)
• CLD-09 - Geolocation Requirements for Processing, Storage and Service Locations

  CPL - Compliance

• CPL-01 - Statutory, Regulatory & Contractual Compliance
• CPL-01.1 - Non-Compliance Oversight
• CPL-01.2 - Compliance Scope
• CPL-02 - Cybersecurity & Data Protection Controls Oversight
• CPL-02.1 - Internal Audit Function
• CPL-03 - Cybersecurity & Data Protection Assessments
• CPL-03.1 - Independent Assessors
• CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
• CPL-04 - Audit Activities

  CRY - Cryptographic Protections

• CRY-01 - Use of Cryptographic Controls
• CRY-01.1 - Alternate Physical Protection
• CRY-01.2 - Export-Controlled Technology
• CRY-02 - Cryptographic Module Authentication
• CRY-03 - Transmission Confidentiality
• CRY-04 - Transmission Integrity
• CRY-05 - Encrypting Data At Rest
• CRY-07 - Wireless Access Authentication & Encryption
• CRY-08 - Public Key Infrastructure (PKI)
• CRY-09 - Cryptographic Key Management
• CRY-09.1 - Symmetric Keys
• CRY-09.2 - Asymmetric Keys
• CRY-09.3 - Cryptographic Key Loss or Change
• CRY-09.4 - Control & Distribution of Cryptographic Keys

  DCH - Data Classification & Handling

• DCH-01 - Data Protection
• DCH-01.1 - Data Stewardship
• DCH-02 - Data & Asset Classification
• DCH-03 - Media Access
• DCH-03.1 - Disclosure of Information
• DCH-03.2 - Masking Displayed Data
• DCH-04 - Media Marking
• DCH-04.1 - Automated Marking
• DCH-06 - Media Storage
• DCH-07 - Media Transportation
• DCH-07.1 - Custodians
• DCH-07.2 - Encrypting Data In Storage Media
• DCH-08 - Physical Media Disposal
• DCH-09 - System Media Sanitization
• DCH-09.1 - System Media Sanitization Documentation
• DCH-09.3 - Sanitization of Personal Data (PD)
• DCH-10 - Media Use
• DCH-10.1 - Limitations on Use
• DCH-10.2 - Prohibit Use Without Owner
• DCH-12 - Removable Media Security
• DCH-13 - Use of External Information Systems
• DCH-13.1 - Limits of Authorized Use
• DCH-13.2 - Portable Storage Devices
• DCH-14 - Information Sharing
• DCH-15 - Publicly Accessible Content
• DCH-17 - Ad-Hoc Transfers
• DCH-18 - Media & Data Retention
• DCH-18.1 - Minimize Personal Data (PD)
• DCH-18.2 - Limit Personal Data (PD) Elements In Testing, Training & Research
• DCH-21 - Information Disposal
• DCH-22 - Data Quality Operations
• DCH-22.1 - Updating & Correcting Personal Data (PD)
• DCH-23 - De-Identification (Anonymization)
• DCH-23.4 - Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers
• DCH-24 - Information Location
• DCH-24.1 - Automated Tools to Support Information Location
• DCH-25 - Transfer of Sensitive and/or Regulated Data

  EMB - Embedded Technology

• EMB-01 - Embedded Technology Security Program

  END - Endpoint Security

• END-01 - Endpoint Security
• END-02 - Endpoint Protection Measures
• END-03 - Prohibit Installation Without Privileged Status
• END-03.1 - Software Installation Alerts
• END-03.2 - Governing Access Restriction for Change
• END-04 - Malicious Code Protection (Anti-Malware)
• END-04.1 - Automatic Antimalware Signature Updates
• END-04.4 - Heuristic / Nonsignature-Based Detection
• END-06 - Endpoint File Integrity Monitoring (FIM)
• END-06.1 - Integrity Checks
• END-06.2 - Integration of Detection & Response
• END-07 - Host Intrusion Detection and Prevention Systems (HIDS / HIPS)
• END-08 - Phishing & Spam Protection
• END-08.2 - Automatic Spam and Phishing Protection Updates
• END-10 - Mobile Code
• END-13.1 - Authorized Use
• END-13.2 - Notice of Collection
• END-13.3 - Collection Minimization
• END-14 - Collaborative Computing Devices

  GOV - Cybersecurity & Data Privacy Governance

• GOV-01 - Cybersecurity & Data Protection Governance Program
• GOV-01.1 - Steering Committee & Program Oversight
• GOV-01.2 - Status Reporting To Governing Body
• GOV-02 - Publishing Cybersecurity & Data Protection Documentation
• GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
• GOV-04 - Assigned Cybersecurity & Data Protection Responsibilities
• GOV-05 - Measures of Performance
• GOV-05.1 - Key Performance Indicators (KPIs)
• GOV-05.2 - Key Risk Indicators (KRIs)
• GOV-06 - Contacts With Authorities
• GOV-07 - Contacts With Groups & Associations
• GOV-09 - Define Control Objectives
• GOV-15 - Operationalizing Cybersecurity & Data Protection Practices
• GOV-15.1 - Select Controls
• GOV-15.2 - Implement Controls

  HRS - Human Resources Security

• HRS-01 - Human Resources Security Management
• HRS-02 - Position Categorization
• HRS-02.1 - Users With Elevated Privileges
• HRS-03 - Roles & Responsibilities
• HRS-03.1 - User Awareness
• HRS-03.2 - Competency Requirements for Security-Related Positions
• HRS-04 - Personnel Screening
• HRS-04.1 - Roles With Special Protection Measures
• HRS-04.2 - Formal Indoctrination
• HRS-05 - Terms of Employment
• HRS-05.1 - Rules of Behavior
• HRS-05.2 - Social Media & Social Networking Restrictions
• HRS-05.3 - Use of Communications Technology
• HRS-05.4 - Use of Critical Technologies
• HRS-05.5 - Use of Mobile Devices
• HRS-05.7 - Policy Familiarization & Acknowledgement
• HRS-06 - Access Agreements
• HRS-06.1 - Confidentiality Agreements
• HRS-07 - Personnel Sanctions
• HRS-07.1 - Workplace Investigations
• HRS-08 - Personnel Transfer
• HRS-09 - Personnel Termination
• HRS-09.1 - Asset Collection
• HRS-09.2 - High-Risk Terminations
• HRS-09.3 - Post-Employment Requirements
• HRS-10 - Third-Party Personnel Security
• HRS-11 - Separation of Duties (SoD)
• HRS-12 - Incompatible Roles

  IAC - Identification & Authentication

• IAC-01 - Identity & Access Management (IAM)
• IAC-01.2 - Authenticate, Authorize and Audit (AAA)
• IAC-02 - Identification & Authentication for Organizational Users
• IAC-02.2 - Replay-Resistant Authentication
• IAC-02.3 - Acceptance of PIV Credentials
• IAC-03 - Identification & Authentication for Non-Organizational Users
• IAC-03.1 - Acceptance of PIV Credentials from Other Organizations
• IAC-03.2 - Acceptance of Third-Party Credentials
• IAC-03.3 - Use of FICAM-Issued Profiles
• IAC-04 - Identification & Authentication for Devices
• IAC-05 - Identification & Authentication for Third Party Systems & Services
• IAC-06 - Multi-Factor Authentication (MFA)
• IAC-06.1 - Network Access to Privileged Accounts
• IAC-06.2 - Network Access to Non-Privileged Accounts
• IAC-06.3 - Local Access to Privileged Accounts
• IAC-06.4 - Out-of-Band Multi-Factor Authentication
• IAC-07 - User Provisioning & De-Provisioning
• IAC-07.1 - Change of Roles & Duties
• IAC-07.2 - Termination of Employment
• IAC-08 - Role-Based Access Control (RBAC)
• IAC-09 - Identifier Management (User Names)
• IAC-09.1 - User Identity (ID) Management
• IAC-09.2 - Identity User Status
• IAC-09.3 - Dynamic Management
• IAC-09.4 - Cross-Organization Management
• IAC-09.6 - Pairwise Pseudonymous Identifiers (PPID)
• IAC-10 - Authenticator Management
• IAC-10.1 - Password-Based Authentication
• IAC-10.11 - Password Managers
• IAC-10.2 - PKI-Based Authentication
• IAC-10.4 - Automated Support For Password Strength
• IAC-10.5 - Protection of Authenticators
• IAC-10.7 - Hardware Token-Based Authentication
• IAC-10.8 - Vendor-Supplied Defaults
• IAC-11 - Authenticator Feedback
• IAC-12 - Cryptographic Module Authentication
• IAC-14 - Re-Authentication
• IAC-15 - Account Management
• IAC-15.1 - Automated System Account Management (Directory Services)
• IAC-15.2 - Removal of Temporary / Emergency Accounts
• IAC-15.3 - Disable Inactive Accounts
• IAC-15.4 - Automated Audit Actions
• IAC-15.5 - Restrictions on Shared Groups / Accounts
• IAC-15.6 - Account Disabling for High Risk Individuals
• IAC-16 - Privileged Account Management (PAM)
• IAC-16.1 - Privileged Account Inventories
• IAC-17 - Periodic Review of Account Privileges
• IAC-18 - User Responsibilities for Account Management
• IAC-19 - Credential Sharing
• IAC-20 - Access Enforcement
• IAC-20.1 - Access To Sensitive / Regulated Data
• IAC-20.2 - Database Access
• IAC-20.3 - Use of Privileged Utility Programs
• IAC-21 - Least Privilege
• IAC-21.1 - Authorize Access to Security Functions
• IAC-21.2 - Non-Privileged Access for Non-Security Functions
• IAC-21.3 - Privileged Accounts
• IAC-21.4 - Auditing Use of Privileged Functions
• IAC-21.5 - Prohibit Non-Privileged Users from Executing Privileged Functions
• IAC-22 - Account Lockout
• IAC-24 - Session Lock
• IAC-24.1 - Pattern-Hiding Displays
• IAC-25 - Session Termination
• IAC-26 - Permitted Actions Without Identification or Authorization
• IAC-28 - Identity Proofing (Identity Verification)
• IAC-28.2 - Identity Evidence
• IAC-28.3 - Identity Evidence Validation & Verification
• IAC-28.5 - Address Confirmation

  IAO - Information Assurance

• IAO-01 - Information Assurance (IA) Operations
• IAO-02 - Assessments
• IAO-02.1 - Assessor Independence
• IAO-02.2 - Specialized Assessments
• IAO-03 - System Security & Privacy Plan (SSPP)
• IAO-03.1 - Plan / Coordinate with Other Organizational Entities
• IAO-04 - Threat Analysis & Flaw Remediation During Development
• IAO-05 - Plan of Action & Milestones (POA&M)
• IAO-06 - Technical Verification
• IAO-07 - Security Authorization

  IRO - Incident Response

• IRO-01 - Incident Response Operations
• IRO-02 - Incident Handling
• IRO-02.1 - Automated Incident Handling Processes
• IRO-04 - Incident Response Plan (IRP)
• IRO-04.1 - Data Breach
• IRO-04.2 - IRP Update
• IRO-05 - Incident Response Training
• IRO-06 - Incident Response Testing
• IRO-06.1 - Coordination with Related Plans
• IRO-07 - Integrated Security Incident Response Team (ISIRT)
• IRO-08 - Chain of Custody & Forensics
• IRO-09 - Situational Awareness For Incidents
• IRO-10 - Incident Stakeholder Reporting
• IRO-10.1 - Automated Reporting
• IRO-10.2 - Cyber Incident Reporting for Sensitive Data
• IRO-10.3 - Vulnerabilities Related To Incidents
• IRO-10.4 - Supply Chain Coordination
• IRO-11 - Incident Reporting Assistance
• IRO-11.1 - Automation Support of Availability of Information / Support
• IRO-11.2 - Coordination With External Providers
• IRO-12 - Information Spillage Response
• IRO-13 - Root Cause Analysis (RCA) & Lessons Learned
• IRO-14 - Regulatory & Law Enforcement Contacts

  MDM - Mobile Device Management

• MDM-01 - Centralized Management Of Mobile Devices
• MDM-02 - Access Control For Mobile Devices
• MDM-03 - Full Device & Container-Based Encryption
• MDM-05 - Remote Purging

  MNT - Maintenance

• MNT-01 - Maintenance Operations
• MNT-02 - Controlled Maintenance
• MNT-03 - Timely Maintenance
• MNT-04 - Maintenance Tools
• MNT-04.1 - Inspect Tools
• MNT-04.2 - Inspect Media
• MNT-04.3 - Prevent Unauthorized Removal
• MNT-05 - Remote Maintenance
• MNT-05.1 - Auditing Remote Maintenance
• MNT-05.2 - Remote Maintenance Notifications
• MNT-06 - Authorized Maintenance Personnel
• MNT-07 - Maintain Configuration Control During Maintenance

  MON - Continuous Monitoring

• MON-01 - Continuous Monitoring
• MON-01.1 - Intrusion Detection & Prevention Systems (IDS & IPS)
• MON-01.2 - Automated Tools for Real-Time Analysis
• MON-01.3 - Inbound & Outbound Communications Traffic
• MON-01.4 - System Generated Alerts
• MON-01.5 - Wireless Intrusion Detection System (WIDS)
• MON-01.6 - Host-Based Devices
• MON-01.7 - File Integrity Monitoring (FIM)
• MON-01.8 - Reviews & Updates
• MON-02 - Centralized Collection of Security Event Logs
• MON-02.1 - Correlate Monitoring Information
• MON-02.2 - Central Review & Analysis
• MON-02.6 - Audit Level Adjustments
• MON-03 - Content of Event Logs
• MON-03.1 - Sensitive Audit Information
• MON-03.3 - Privileged Functions Logging
• MON-04 - Event Log Storage Capacity
• MON-05 - Response To Event Log Processing Failures
• MON-06 - Monitoring Reporting
• MON-07 - Time Stamps
• MON-08 - Protection of Event Logs
• MON-08.2 - Access by Subset of Privileged Users
• MON-10 - Event Log Retention
• MON-11 - Monitoring For Information Disclosure
• MON-11.3 - Monitoring for Indicators of Compromise (IOC)
• MON-16 - Anomalous Behavior

  NET - Network Security

• NET-01 - Network Security Controls (NSC)
• NET-02 - Layered Network Defenses
• NET-02.1 - Denial of Service (DoS) Protection
• NET-03 - Boundary Protection
• NET-03.1 - Limit Network Connections
• NET-03.2 - External Telecommunications Services
• NET-04 - Data Flow Enforcement – Access Control Lists (ACLs)
• NET-04.1 - Deny Traffic by Default & Allow Traffic by Exception
• NET-05 - System Interconnections
• NET-05.1 - External System Connections
• NET-05.2 - Internal System Connections
• NET-06 - Network Segmentation
• NET-06.1 - Security Management Subnets
• NET-07 - Remote Session Termination
• NET-08 - Network Intrusion Detection / Prevention Systems (NIDS / NIPS)
• NET-08.1 - DMZ Networks
• NET-09 - Session Integrity
• NET-10 - Domain Name Service (DNS) Resolution
• NET-10.1 - Architecture & Provisioning for Name / Address Resolution Service
• NET-10.2 - Secure Name / Address Resolution Service (Recursive or Caching Resolver)
• NET-12 - Safeguarding Data Over Open Networks
• NET-12.1 - Wireless Link Protection
• NET-12.2 - End-User Messaging Technologies
• NET-13 - Electronic Messaging
• NET-14 - Remote Access
• NET-14.1 - Automated Monitoring & Control
• NET-14.2 - Protection of Confidentiality / Integrity Using Encryption
• NET-14.3 - Managed Access Control Points
• NET-14.4 - Remote Privileged Commands & Sensitive Data Access
• NET-14.5 - Work From Anywhere (WFA) - Telecommuting Security
• NET-15 - Wireless Networking
• NET-15.1 - Authentication & Encryption
• NET-15.2 - Disable Wireless Networking
• NET-18 - DNS & Content Filtering
• NET-18.1 - Route Traffic to Proxy Servers

  OPS - Security Operations

• OPS-01 - Operations Security
• OPS-01.1 - Standardized Operating Procedures (SOP)
• OPS-02 - Security Concept Of Operations (CONOPS)
• OPS-03 - Service Delivery (Business Process Support)

  PES - Physical & Environmental Security

• PES-01 - Physical & Environmental Protections
• PES-02 - Physical Access Authorizations
• PES-02.1 - Role-Based Physical Access
• PES-03 - Physical Access Control
• PES-03.1 - Controlled Ingress & Egress Points
• PES-03.3 - Physical Access Logs
• PES-04 - Physical Security of Offices, Rooms & Facilities
• PES-04.1 - Working in Secure Areas
• PES-05 - Monitoring Physical Access
• PES-05.1 - Intrusion Alarms / Surveillance Equipment
• PES-05.2 - Monitoring Physical Access To Information Systems
• PES-06 - Visitor Control
• PES-07 - Supporting Utilities
• PES-07.1 - Automatic Voltage Controls
• PES-07.2 - Emergency Shutoff
• PES-07.3 - Emergency Power
• PES-07.4 - Emergency Lighting
• PES-07.5 - Water Damage Protection
• PES-08 - Fire Protection
• PES-08.1 - Fire Detection Devices
• PES-08.2 - Fire Suppression Devices
• PES-09 - Temperature & Humidity Controls
• PES-09.1 - Monitoring with Alarms / Notifications
• PES-10 - Delivery & Removal
• PES-11 - Alternate Work Site
• PES-12 - Equipment Siting & Protection
• PES-12.1 - Transmission Medium Security
• PES-12.2 - Access Control for Output Devices
• PES-13 - Information Leakage Due To Electromagnetic Signals Emanations
• PES-15 - Electromagnetic Pulse (EMP) Protection

  PRI - Data Privacy

• PRI-01 - Data Privacy Program
• PRI-01.1 - Chief Privacy Officer (CPO)
• PRI-01.2 - Privacy Act Statements
• PRI-01.3 - Dissemination of Data Privacy Program Information
• PRI-01.4 - Data Protection Officer (DPO)
• PRI-01.6 - Security of Personal Data
• PRI-02 - Data Privacy Notice
• PRI-02.1 - Purpose Specification
• PRI-02.2 - Automated Data Management Processes
• PRI-03 - Choice & Consent
• PRI-03.1 - Tailored Consent
• PRI-03.2 - Just-In-Time Notice & Updated Consent
• PRI-04 - Restrict Collection To Identified Purpose
• PRI-04.1 - Authority To Collect, Use, Maintain & Share Personal Data
• PRI-05 - Personal Data Retention & Disposal
• PRI-05.1 - Internal Use of Personal Data For Testing, Training and Research
• PRI-05.2 - Personal Data Accuracy & Integrity
• PRI-05.3 - Data Masking
• PRI-05.4 - Usage Restrictions of Sensitive Personal Data
• PRI-06 - Data Subject Access
• PRI-06.1 - Correcting Inaccurate Personal Data
• PRI-06.2 - Notice of Correction or Processing Change
• PRI-06.3 - Appeal Adverse Decision
• PRI-06.4 - User Feedback Management
• PRI-06.5 - Right to Erasure
• PRI-06.6 - Data Portability
• PRI-07 - Information Sharing With Third Parties
• PRI-07.1 - Data Privacy Requirements for Contractors & Service Providers
• PRI-08 - Testing, Training & Monitoring
• PRI-09 - Personal Data Lineage
• PRI-10 - Data Quality Management
• PRI-10.1 - Automation
• PRI-12 - Updating Personal Data (PD)
• PRI-13 - Data Management Board
• PRI-14 - Data Privacy Records & Reporting
• PRI-14.1 - Accounting of Disclosures
• PRI-15 - Register As A Data Controller and/or Data Processor

  PRM - Project & Resource Management

• PRM-01 - Cybersecurity & Data Privacy Portfolio Management
• PRM-02 - Cybersecurity & Data Privacy Resource Management
• PRM-03 - Allocation of Resources
• PRM-04 - Cybersecurity & Data Privacy In Project Management
• PRM-05 - Cybersecurity & Data Privacy Requirements Definition
• PRM-06 - Business Process Definition
• PRM-07 - Secure Development Life Cycle (SDLC) Management

  RSK - Risk Management

• RSK-01 - Risk Management Program
• RSK-01.1 - Risk Framing
• RSK-02 - Risk-Based Security Categorization
• RSK-03 - Risk Identification
• RSK-04 - Risk Assessment
• RSK-04.1 - Risk Register
• RSK-05 - Risk Ranking
• RSK-06 - Risk Remediation
• RSK-06.1 - Risk Response
• RSK-07 - Risk Assessment Update
• RSK-08 - Business Impact Analysis (BIA)
• RSK-09 - Supply Chain Risk Management (SCRM) Plan
• RSK-09.1 - Supply Chain Risk Assessment
• RSK-10 - Data Protection Impact Assessment (DPIA)
• RSK-11 - Risk Monitoring

  SAT - Security Awareness & Training

• SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
• SAT-02 - Cybersecurity & Data Privacy Awareness Training
• SAT-02.2 - Social Engineering & Mining
• SAT-03 - Role-Based Cybersecurity & Data Privacy Training
• SAT-04 - Cybersecurity & Data Privacy Training Records

  SEA - Secure Engineering & Architecture

• SEA-01 - Secure Engineering Principles
• SEA-01.1 - Centralized Management of Cybersecurity & Data Privacy Controls
• SEA-02 - Alignment With Enterprise Architecture
• SEA-02.1 - Standardized Terminology
• SEA-03.2 - Application Partitioning
• SEA-04 - Process Isolation
• SEA-05 - Information In Shared Resources
• SEA-06 - Prevent Program Execution
• SEA-07.1 - Technology Lifecycle Management
• SEA-10 - Memory Protection
• SEA-15 - Distributed Processing & Storage
• SEA-17 - Secure Log-On Procedures
• SEA-18 - System Use Notification (Logon Banner)
• SEA-20 - Clock Synchronization

  TDA - Technology Development & Acquisition

• TDA-01 - Technology Development & Acquisition
• TDA-02 - Minimum Viable Product (MVP) Security Requirements
• TDA-02.1 - Ports, Protocols & Services In Use
• TDA-02.2 - Information Assurance Enabled Products
• TDA-02.3 - Development Methods, Techniques & Processes
• TDA-04 - Documentation Requirements
• TDA-04.1 - Functional Properties
• TDA-05 - Developer Architecture & Design
• TDA-06 - Secure Coding
• TDA-06.1 - Criticality Analysis
• TDA-07 - Secure Development Environments
• TDA-08 - Separation of Development, Testing and Operational Environments
• TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development
• TDA-10 - Use of Live Data
• TDA-11 - Product Tampering and Counterfeiting (PTC)
• TDA-11.1 - Anti-Counterfeit Training
• TDA-11.2 - Component Disposal
• TDA-14 - Developer Configuration Management
• TDA-15 - Developer Threat Analysis & Flaw Remediation
• TDA-17 - Unsupported Systems
• TDA-17.1 - Alternate Sources for Continued Support
• TDA-18 - Input Data Validation
• TDA-19 - Error Handling
• TDA-20 - Access to Program Source Code

  THR - Threat Management

• THR-01 - Threat Intelligence Program
• THR-02 - Indicators of Exposure (IOE)
• THR-03 - Threat Intelligence Feeds
• THR-04 - Insider Threat Program
• THR-05 - Insider Threat Awareness
• THR-06 - Vulnerability Disclosure Program (VDP)

  TPM - Third-Party Management

• TPM-01 - Third-Party Management
• TPM-01.1 - Third-Party Inventories
• TPM-02 - Third-Party Criticality Assessments
• TPM-03 - Supply Chain Protection
• TPM-03.1 - Acquisition Strategies, Tools & Methods
• TPM-03.2 - Limit Potential Harm
• TPM-03.3 - Processes To Address Weaknesses or Deficiencies
• TPM-04 - Third-Party Services
• TPM-04.1 - Third-Party Risk Assessments & Approvals
• TPM-04.2 - External Connectivity Requirements - Identification of Ports, Protocols & Services
• TPM-04.3 - Conflict of Interests
• TPM-04.4 - Third-Party Processing, Storage and Service Locations
• TPM-05 - Third-Party Contract Requirements
• TPM-05.1 - Security Compromise Notification Agreements
• TPM-05.4 - Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix
• TPM-06 - Third-Party Personnel Security
• TPM-07 - Monitoring for Third-Party Information Disclosure
• TPM-08 - Review of Third-Party Services
• TPM-09 - Third-Party Deficiency Remediation
• TPM-10 - Managing Changes To Third-Party Services
• TPM-11 - Third-Party Incident Response & Recovery Capabilities

  VPM - Vulnerability & Patch Management

• VPM-01 - Vulnerability & Patch Management Program (VPMP)
• VPM-01.1 - Attack Surface Scope
• VPM-02 - Vulnerability Remediation Process
• VPM-03 - Vulnerability Ranking
• VPM-04 - Continuous Vulnerability Remediation Activities
• VPM-04.2 - Flaw Remediation with Personal Data (PD)
• VPM-05 - Software & Firmware Patching
• VPM-05.2 - Automated Remediation Status
• VPM-06 - Vulnerability Scanning
• VPM-06.1 - Update Tool Capability
• VPM-06.3 - Privileged Access

  WEB - Web Security

This site is open source. Improve this page.