PR.IP-7: Protection processes are improved

PF v1.0 References:

Description

[csf.tools Note: Subcategories do not have detailed descriptions.]

Related Controls

NIST Special Publication 800-53 Revision 5

CA-2: Control Assessments

Select the appropriate assessor or assessment team for the type of assessment to be conducted; Develop a control assessment plan that describes the scope of the assessment including: Controls and control enhancements under assessment; Assessment procedures to be used to determine control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Ensure the…

CA-7: Continuous Monitoring

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; Ongoing control assessments in accordance with the continuous…

CA-8: Penetration Testing

Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components].

CP-2: Contingency Plan

Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; Addresses eventual, full system restoration without deterioration…

CP-4: Contingency Plan Testing

Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests]. Review the contingency plan test results; and Initiate corrective actions, if needed.

IR-3: Incident Response Testing

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

IR-8: Incident Response Plan

Develop an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size,…

PL-2: System Security and Privacy Plans

Develop security and privacy plans for the system that: Are consistent with the organization’s enterprise architecture; Explicitly define the constituent system components; Describe the operational context of the system in terms of mission and business processes; Identify the individuals that fulfill system roles and responsibilities; Identify the information types processed, stored, and transmitted by the…

Cloud Controls Matrix v3.0.1

AIS-04: Data Security / Integrity

Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

AAC-01: Audit Planning

Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.

AAC-02: Independent Audits

Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.

AAC-03: Information System Regulatory Mapping

Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.

BCR-02: Business Continuity Testing

Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.

STA-04: Provider Internal Assessments

The provider shall perform annual internal assessments of conformance to, and effectiveness of, its policies, procedures, and supporting measures and metrics.

Critical Security Controls Version 8

16: Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

18: Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

NIST Special Publication 800-53 Revision 4

CA-2: Security Assessments

The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Assesses the security controls in the information system and its environment of operation…

CA-7: Continuous Monitoring

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; Ongoing security status monitoring…

CP-2: Contingency Plan

The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full…

IR-8: Incident Response Plan

The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to…

PL-2: System Security Plan

The organization: Develops a security plan for the information system that: Is consistent with the organization’s enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational…

Critical Security Controls Version 7.1