| Function | Category | Subcategory |
|---|---|---|
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-2: A System Development Life Cycle to manage systems is implemented |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-3: Configuration change control processes are in place |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-4: Backups of information are conducted, maintained, and tested |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-6: Data is destroyed according to policy |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-7: Protection processes are improved |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-8: Effectiveness of protection technologies is shared |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-10: Response and recovery plans are tested |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) |
| Protect (PR) | PR.IP: Information Protection Processes and Procedures | PR.IP-12: A vulnerability management plan is developed and implemented |
| Protect (PR) | PR.MA: Maintenance | PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools |
| Protect (PR) | PR.MA: Maintenance | PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
| Protect (PR) | PR.PT: Protective Technology | PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
| Protect (PR) | PR.PT: Protective Technology | PR.PT-2: Removable media is protected and its use restricted according to policy |
| Protect (PR) | PR.PT: Protective Technology | PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
| Protect (PR) | PR.PT: Protective Technology | PR.PT-4: Communications and control networks are protected |
| Protect (PR) | PR.PT: Protective Technology | PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |
| Detect (DE) | DE.AE: Anomalies and Events | DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed |
| Detect (DE) | DE.AE: Anomalies and Events | DE.AE-2: Detected events are analyzed to understand attack targets and methods |
| Detect (DE) | DE.AE: Anomalies and Events | DE.AE-3: Event data are collected and correlated from multiple sources and sensors |
| Detect (DE) | DE.AE: Anomalies and Events | DE.AE-4: Impact of events is determined |
| Detect (DE) | DE.AE: Anomalies and Events | DE.AE-5: Incident alert thresholds are established |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-1: The network is monitored to detect potential cybersecurity events |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-2: The physical environment is monitored to detect potential cybersecurity events |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-4: Malicious code is detected |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-5: Unauthorized mobile code is detected |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed |
| Detect (DE) | DE.CM: Security Continuous Monitoring | DE.CM-8: Vulnerability scans are performed |
| Detect (DE) | DE.DP: Detection Processes | DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability |
| Detect (DE) | DE.DP: Detection Processes | DE.DP-2: Detection activities comply with all applicable requirements |
| Detect (DE) | DE.DP: Detection Processes | DE.DP-3: Detection processes are tested |
| Detect (DE) | DE.DP: Detection Processes | DE.DP-4: Event detection information is communicated |
| Detect (DE) | DE.DP: Detection Processes | DE.DP-5: Detection processes are continuously improved |
| Respond (RS) | RS.AN: Analysis | RS.AN-1: Notifications from detection systems are investigated |
| Respond (RS) | RS.AN: Analysis | RS.AN-2: The impact of the incident is understood |
| Respond (RS) | RS.AN: Analysis | RS.AN-3: Forensics are performed |
| Respond (RS) | RS.AN: Analysis | RS.AN-4: Incidents are categorized consistent with response plans |
| Respond (RS) | RS.AN: Analysis | RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins, or security researchers) |
| Respond (RS) | RS.CO: Communications | RS.CO-1: Personnel know their roles and order of operations when a response is needed |
| Respond (RS) | RS.CO: Communications | RS.CO-2: Incidents are reported consistent with established criteria |
| Respond (RS) | RS.CO: Communications | RS.CO-3: Information is shared consistent with response plans |
| Respond (RS) | RS.CO: Communications | RS.CO-4: Coordination with stakeholders occurs consistent with response plans |
| Respond (RS) | RS.CO: Communications | RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness |
| Respond (RS) | RS.IM: Improvements | RS.IM-1: Response plans incorporate lessons learned |
| Respond (RS) | RS.IM: Improvements | RS.IM-2: Response strategies are updated |
| Respond (RS) | RS.MI: Mitigation | RS.MI-1: Incidents are contained |
| Respond (RS) | RS.MI: Mitigation | RS.MI-2: Incidents are mitigated |