TestWithJeffFiles-web
Job ID: TestWithJeffFiles-web-081925081416
2025-08-19
Completed
Overall Alignment: 37.2%
Controls Aligned: 111 / 298
Frameworks applied: 1 (NIST)
Key Controls: 68 / 155
Framework Compliance Overview
Framework | Total Controls | Aligned | Gaps | Compliance Progress
---|---|---|---|---
NIST | 298 | 111 | 187 | 37.2%
OVERALL | 298 | 111 | 187 | 37.2%
Document Analysis Details
Demo_Policies_combined.xlsx (1 framework)

Framework | Total | Aligned | Coverage
---|---|---|---
NIST | 298 | 75 |

Demo_IT_Issues_List.xlsx (1 framework)

Framework | Total | Aligned | Coverage
---|---|---|---
NIST | 298 | 31 |

Demo_Risk_Register.xlsx (1 framework)

Framework | Total | Aligned | Coverage
---|---|---|---
NIST | 298 | 33 |
298 Total Controls
Control ID | Control Name | Status | Evidence Section | Document | Actions |
---|---|---|---|---|---|
AC-1 |
Policy and Procedures
Key Control
|
Aligned | Access Control Policy and Procedures... |
Demo_Policies_combined.xlsx
|
|
AC-1 |
Policy and Procedures
Key Control
|
Aligned | Access control policy and procedures... |
Demo_Risk_Register.xlsx
|
|
AC-10 |
Concurrent Session Control
|
Gap | Organizations may define the maximum number of concurrent sessions for system accounts globally, by ... | ||
AC-11 |
Device Lock
Key Control
|
Gap |
Device locks are temporary actions taken to prevent logical access to organizational systems when us...
Critical Gap - Key Control Missing
|
||
AC-12 |
Session Termination
|
Gap | Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-... | ||
AC-14 |
Permitted Actions Without Identification or Authentication
Key Control
|
Gap |
Specific user actions may be permitted without identification or authentication if organizations det...
Critical Gap - Key Control Missing
|
||
AC-16 |
Security and Privacy Attributes
Key Control
|
Gap |
Information is represented internally within systems using abstractions known as data structures. In...
Critical Gap - Key Control Missing
|
||
AC-17 |
Remote Access
Key Control
|
Gap |
Remote access is access to organizational systems (or processes acting on behalf of users) that comm...
Critical Gap - Key Control Missing
|
||
AC-18 |
Wireless Access
|
Gap | Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency),... | ||
AC-19 |
Access Control for Mobile Devices
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-2 |
Account Management
Key Control
|
Aligned | Risk: Access or Privilege Misuse... |
Demo_Risk_Register.xlsx
|
|
AC-20 |
Use of External Systems
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... |
Demo_Policies_combined.xlsx
|
|
AC-20 |
Use of External Systems
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... |
Demo_Policies_combined.xlsx
|
|
AC-21 |
Information Sharing
Key Control
|
Aligned | Policy Number: 3.0 Information Security Policy | Subsection:... |
Demo_Policies_combined.xlsx
|
|
AC-22 |
Publicly Accessible Content
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-22 |
Publicly Accessible Content
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-23 |
Data Mining Protection
|
Gap | Data mining is an analytical process that attempts to find correlations or patterns in large data se... | ||
AC-24 |
Access Control Decisions
|
Aligned | Subsection: 1.5 ROLES & RESPONSIBILITIES... |
Demo_Policies_combined.xlsx
|
|
AC-25 |
Reference Monitor
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-25 |
Reference Monitor
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-25 |
Reference Monitor
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Risk: Access or Privilege Misuse... |
Demo_Risk_Register.xlsx
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Risk: Brute force... |
Demo_Risk_Register.xlsx
|
|
AC-4 |
Information Flow Enforcement
Key Control
|
Aligned | Risk: Transmission Interception... |
Demo_Risk_Register.xlsx
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Ensure that conflicting functions such as data entry, comput... |
Demo_Policies_combined.xlsx
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Ensure that conflicting functions such as data entry, comput... |
Demo_Policies_combined.xlsx
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Risk: Access or Privilege Misuse... |
Demo_Risk_Register.xlsx
|
|
AC-6 |
Least Privilege
|
Aligned | Subsection: 1.5 ROLES & RESPONSIBILITIES... |
Demo_Policies_combined.xlsx
|
|
AC-7 |
Unsuccessful Logon Attempts
|
Aligned | Sub Sub Subsection: ii | section: n... |
Demo_Policies_combined.xlsx
|
|
AC-7 |
Unsuccessful Logon Attempts
|
Aligned | Risk: Brute force... |
Demo_Risk_Register.xlsx
|
|
AC-8 |
System Use Notification
|
Aligned | Subsection: 1.2 SYSTEM USE NOTIFICATION... |
Demo_Policies_combined.xlsx
|
|
AC-8 |
System Use Notification
|
Aligned | Subsection: 1.2 SYSTEM USE NOTIFICATION... |
Demo_Policies_combined.xlsx
|
|
AC-9 |
Previous Logon Notification
|
Aligned | Subsection: 1.2 SYSTEM USE NOTIFICATION... |
Demo_Policies_combined.xlsx
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | Policy Number: 5.0 Human Resource Security Policy | Subsecti... |
Demo_Policies_combined.xlsx
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | Issue ID: 29 | Issue Name: Phishing Vulnerability... |
Demo_IT_Issues_List.xlsx
|
|
AT-2 |
Literacy Training and Awareness
Key Control
|
Aligned | Information Security Awareness training for employees... |
Demo_Policies_combined.xlsx
|
|
AT-2 |
Literacy Training and Awareness
Key Control
|
Aligned | Ensure employees under their supervision complete a Security... |
Demo_Policies_combined.xlsx
|
|
AT-2 |
Literacy Training and Awareness
Key Control
|
Aligned | Security Awareness Training... |
Demo_Policies_combined.xlsx
|
|
AT-2 |
Literacy Training and Awareness
Key Control
|
Aligned | Ensure employees under their supervision complete a Security... |
Demo_Policies_combined.xlsx
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Subsection: 1.7 INFORMATION SECURITY EDUCATION & TRAINING... |
Demo_Policies_combined.xlsx
|
|
AT-4 |
Training Records
Key Control
|
Gap |
Documentation for specialized training may be maintained by individual supervisors at the discretion...
Critical Gap - Key Control Missing
|
||
AT-6 |
Training Feedback
|
Gap | Training feedback includes awareness training results and role-based training results. Training resu... | ||
AU-1 |
Policy and Procedures
Key Control
|
Gap |
Audit and accountability policy and procedures address the controls in the AU family that are implem...
Critical Gap - Key Control Missing
|
||
AU-10 |
Non-repudiation
|
Gap | Types of individual actions covered by non-repudiation include creating information, sending and rec... | ||
AU-11 |
Audit Record Retention
|
Gap | Organizations retain audit records until it is determined that the records are no longer needed for ... | ||
AU-12 |
Audit Record Generation
|
Gap | Audit records can be generated from many different system components. The event types specified in A... | ||
AU-13 |
Monitoring for Information Disclosure
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
AU-13 |
Monitoring for Information Disclosure
Key Control
|
Aligned | Inadequate Logging and Monitoring... |
Demo_IT_Issues_List.xlsx
|
|
AU-13 |
Monitoring for Information Disclosure
Key Control
|
Aligned | Inadequate Logging and Monitoring... |
Demo_IT_Issues_List.xlsx
|
|
AU-14 |
Session Audit
Key Control
|
Gap |
Session audits can include monitoring keystrokes, tracking websites visited, and recording informati...
Critical Gap - Key Control Missing
|
||
AU-16 |
Cross-organizational Audit Logging
Key Control
|
Gap |
When organizations use systems or services of external organizations, the audit logging capability n...
Critical Gap - Key Control Missing
|
||
AU-2 |
Event Logging
|
Aligned | Inadequate Logging and Monitoring... |
Demo_IT_Issues_List.xlsx
|
|
AU-3 |
Content of Audit Records
|
Gap | Audit record content that may be necessary to support the auditing function includes event descripti... | ||
AU-4 |
Audit Log Storage Capacity
|
Gap | Organizations consider the types of audit logging to be performed and the audit log processing requi... | ||
AU-5 |
Response to Audit Logging Process Failures
|
Gap | Audit logging process failures include software and hardware errors, failures in audit log capturing... | ||
AU-6 |
Audit Record Review, Analysis, and Reporting
Key Control
|
Aligned | Issue ID: 58 | Issue Name: Inadequate Logging and Monitoring... |
Demo_IT_Issues_List.xlsx
|
|
AU-7 |
Audit Record Reduction and Report Generation
|
Gap | Audit record reduction is a process that manipulates collected audit log information and organizes i... | ||
AU-8 |
Time Stamps
|
Gap | Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated... | ||
AU-9 |
Protection of Audit Information
Key Control
|
Gap |
Audit information includes all information needed to successfully audit system activity, such as aud...
Critical Gap - Key Control Missing
|
||
CA-1 |
Policy and Procedures
Key Control
|
Aligned | Ensure that conflicting functions such as data entry, comput... |
Demo_Policies_combined.xlsx
|
|
CA-1 |
Policy and Procedures
Key Control
|
Aligned | Assessment, authorization, and monitoring policy and procedu... |
Demo_IT_Issues_List.xlsx
|
|
CA-2 |
Control Assessments
Key Control
|
Gap |
Organizations ensure that control assessors possess the required skills and technical expertise to d...
Critical Gap - Key Control Missing
|
||
CA-3 |
Information Exchange
Key Control
|
Aligned | Risk: Third and fourth-party vendors and Risk: Transmission ... |
Demo_Risk_Register.xlsx
|
|
CA-5 |
Plan of Action and Milestones
|
Gap | Plans of action and milestones are useful for any type of organization to track planned remedial act... | ||
CA-6 |
Authorization
Key Control
|
Gap |
Authorizations are official management decisions by senior officials to authorize operation of syste...
Critical Gap - Key Control Missing
|
||
CA-7 |
Continuous Monitoring
Key Control
|
Aligned | Continuous monitoring at the system level facilitates ongoin... |
Demo_IT_Issues_List.xlsx
|
|
CA-7 |
Continuous Monitoring
Key Control
|
Aligned | Continuous Monitoring... |
Demo_IT_Issues_List.xlsx
|
|
CA-8 |
Penetration Testing
|
Gap | Penetration testing is a specialized type of assessment conducted on systems or individual system co... | ||
CA-9 |
Internal System Connections
Key Control
|
Gap |
Internal system connections are connections between organizational systems and separate constituent ...
Critical Gap - Key Control Missing
|
||
CM-1 |
Policy and Procedures
|
Aligned | The technical and organizational controls define minimum req... |
Demo_Policies_combined.xlsx
|
|
CM-10 |
Software Usage Restrictions
Key Control
|
Gap |
Software license tracking can be accomplished by manual or automated methods, depending on organizat...
Critical Gap - Key Control Missing
|
||
CM-11 |
User-installed Software
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
CM-11 |
User-installed Software
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
CM-12 |
Information Location
Key Control
|
Gap |
Information location addresses the need to understand where information is being processed and store...
Critical Gap - Key Control Missing
|
||
CM-13 |
Data Action Mapping
Key Control
|
Gap |
Data actions are system operations that process personally identifiable information. The processing ...
Critical Gap - Key Control Missing
|
||
CM-14 |
Signed Components
|
Gap | Software and firmware components prevented from installation unless signed with recognized and appro... | ||
CM-2 |
Baseline Configuration
|
Gap | Baseline configurations for systems and system components include connectivity, operational, and com... | ||
CM-3 |
Configuration Change Control
Key Control
|
Aligned | Control: SI-2... |
Demo_IT_Issues_List.xlsx
|
|
CM-4 |
Impact Analyses
Key Control
|
Gap |
Organizational personnel with security or privacy responsibilities conduct impact analyses. Individu...
Critical Gap - Key Control Missing
|
||
CM-5 |
Access Restrictions for Change
Key Control
|
Gap |
Changes to the hardware, software, or firmware components of systems or the operational procedures r...
Critical Gap - Key Control Missing
|
||
CM-6 |
Configuration Settings
|
Aligned | Risk: Misconfiguration... |
Demo_Risk_Register.xlsx
|
|
CM-7 |
Least Functionality
|
Gap | Systems provide a wide variety of functions and services. Some of the functions and services routine... | ||
CM-8 |
System Component Inventory
Key Control
|
Gap |
System components are discrete, identifiable information technology assets that include hardware, so...
Critical Gap - Key Control Missing
|
||
CM-9 |
Configuration Management Plan
Key Control
|
Gap |
Configuration management activities occur throughout the system development life cycle. As such, the...
Critical Gap - Key Control Missing
|
||
CP-1 |
Policy and Procedures
Key Control
|
Aligned | Contingency Planning Policy and Procedures... |
Demo_Policies_combined.xlsx
|
|
CP-1 |
Policy and Procedures
Key Control
|
Aligned | Contingency planning policy and procedures... |
Demo_IT_Issues_List.xlsx
|
|
CP-10 |
System Recovery and Reconstitution
|
Gap | Recovery is executing contingency plan activities to restore organizational mission and business fun... | ||
CP-11 |
Alternate Communications Protocols
|
Gap | Contingency plans and the contingency training or testing associated with those plans incorporate an... | ||
CP-12 |
Safe Mode
Key Control
|
Gap |
For systems that support critical mission and business functions—including military operations...
Critical Gap - Key Control Missing
|
||
CP-13 |
Alternative Security Mechanisms
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126 | Sub Subsecti... |
Demo_Policies_combined.xlsx
|
|
CP-2 |
Contingency Plan
Key Control
|
Gap |
Contingency planning for systems is part of an overall program for achieving continuity of operation...
Critical Gap - Key Control Missing
|
||
CP-3 |
Contingency Training
Key Control
|
Gap |
Contingency training provided by organizations is linked to the assigned roles and responsibilities ...
Critical Gap - Key Control Missing
|
||
CP-4 |
Contingency Plan Testing
|
Gap | Methods for testing contingency plans to determine the effectiveness of the plans and identify poten... | ||
CP-6 |
Alternate Storage Site
Key Control
|
Gap |
Alternate storage sites are geographically distinct from primary storage sites and maintain duplicat...
Critical Gap - Key Control Missing
|
||
CP-7 |
Alternate Processing Site
Key Control
|
Gap |
Alternate processing sites are geographically distinct from primary processing sites and provide pro...
Critical Gap - Key Control Missing
|
||
CP-8 |
Telecommunications Services
Key Control
|
Gap |
Telecommunications services (for data and voice) for primary and alternate processing and storage si...
Critical Gap - Key Control Missing
|
||
CP-9 |
System Backup
Key Control
|
Gap |
System-level information includes system state information, operating system software, middleware, a...
Critical Gap - Key Control Missing
|
||
IA-1 |
Policy and Procedures
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
IA-1 |
Policy and Procedures
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
IA-1 |
Policy and Procedures
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
IA-10 |
Adaptive Authentication
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
IA-10 |
Adaptive Authentication
|
Aligned | Issue ID: 25 | Issue Name: Lack of Multi-Factor Authenticati... |
Demo_IT_Issues_List.xlsx
|
|
IA-10 |
Adaptive Authentication
|
Aligned | Risk: Access or Privilege Misuse... |
Demo_Risk_Register.xlsx
|
|
IA-10 |
Adaptive Authentication
|
Aligned | Risk: Brute force... |
Demo_Risk_Register.xlsx
|
|
IA-11 |
Re-authentication
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B125... |
Demo_Policies_combined.xlsx
|
|
IA-11 |
Re-authentication
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126... |
Demo_Policies_combined.xlsx
|
|
IA-12 |
Identity Proofing
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B114 | Sub Subsecti... |
Demo_Policies_combined.xlsx
|
|
IA-2 |
Identification and Authentication (Organizational Users)
Key Control
|
Aligned | Subsection: 1.5 ROLES & RESPONSIBILITIES... |
Demo_Policies_combined.xlsx
|
|
IA-2 |
Identification and Authentication (Organizational Users)
Key Control
|
Aligned | Issue Name: Lack of Multi-Factor Authentication... |
Demo_IT_Issues_List.xlsx
|
|
IA-2 |
Identification and Authentication (Organizational Users)
Key Control
|
Aligned | Issue ID: 65 | Issue Name: Lack of Multi-Factor Authenticati... |
Demo_IT_Issues_List.xlsx
|
|
IA-2 |
Identification and Authentication (Organizational Users)
Key Control
|
Aligned | Risk: Access or Privilege Misuse... |
Demo_Risk_Register.xlsx
|
|
IA-3 |
Device Identification and Authentication
Key Control
|
Gap |
Devices that require unique device-to-device identification and authentication are defined by type, ...
Critical Gap - Key Control Missing
|
||
IA-4 |
Identifier Management
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
IA-5 |
Authenticator Management
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
IA-5 |
Authenticator Management
Key Control
|
Aligned | Issue Name: Weak Password Policies... |
Demo_IT_Issues_List.xlsx
|
|
IA-6 |
Authentication Feedback
|
Gap | Authentication feedback from systems does not provide information that would allow unauthorized indi... | ||
IA-7 |
Cryptographic Module Authentication
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B114 | Sub Subsecti... |
Demo_Policies_combined.xlsx
|
|
IA-8 |
Identification and Authentication (Non-organizational Users)
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126 | Sub Subsecti... |
Demo_Policies_combined.xlsx
|
|
IA-8 |
Identification and Authentication (Non-organizational Users)
Key Control
|
Aligned | Issue Name: Shadow IT... |
Demo_IT_Issues_List.xlsx
|
|
IA-8 |
Identification and Authentication (Non-organizational Users)
Key Control
|
Aligned | Risk: Access or Privilege Misuse... |
Demo_Risk_Register.xlsx
|
|
IA-8 |
Identification and Authentication (Non-organizational Users)
Key Control
|
Aligned | Identification and authentication requirements for non-organ... |
Demo_Risk_Register.xlsx
|
|
IA-9 |
Service Identification and Authentication
Key Control
|
Gap |
Services that may require identification and authentication include web applications using digital c...
Critical Gap - Key Control Missing
|
||
IR-1 |
Policy and Procedures
|
Aligned | Policy Exception Process... |
Demo_Policies_combined.xlsx
|
|
IR-1 |
Policy and Procedures
|
Aligned | Lack of Incident Response Plan... |
Demo_IT_Issues_List.xlsx
|
|
IR-1 |
Policy and Procedures
|
Aligned | Incident Response Policy and Procedures... |
Demo_IT_Issues_List.xlsx
|
|
IR-2 |
Incident Response Training
|
Gap | Incident response training is associated with the assigned roles and responsibilities of organizatio... | ||
IR-3 |
Incident Response Testing
|
Gap | Organizations test incident response capabilities to determine their effectiveness and identify pote... | ||
IR-4 |
Incident Handling
Key Control
|
Aligned | Lack of Incident Response Plan... |
Demo_IT_Issues_List.xlsx
|
|
IR-5 |
Incident Monitoring
|
Aligned | Issue ID: 98 | Issue Name: Inadequate Logging and Monitoring... |
Demo_IT_Issues_List.xlsx
|
|
IR-6 |
Incident Reporting
|
Aligned | Subsection: 1.4 CONTACT WITH AUTHORITIES... |
Demo_Policies_combined.xlsx
|
|
IR-7 |
Incident Response Assistance
|
Gap | Incident response support resources provided by organizations include help desks, assistance groups,... | ||
IR-8 |
Incident Response Plan
Key Control
|
Gap |
It is important that organizations develop and implement a coordinated approach to incident response...
Critical Gap - Key Control Missing
|
||
IR-9 |
Information Spillage Response
|
Gap | Information spillage refers to instances where information is placed on systems that are not authori... | ||
MA-1 |
Policy and Procedures
Key Control
|
Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... |
Demo_Policies_combined.xlsx
|
|
MA-2 |
Controlled Maintenance
Key Control
|
Gap |
Controlling system maintenance addresses the information security aspects of the system maintenance ...
Critical Gap - Key Control Missing
|
||
MA-3 |
Maintenance Tools
Key Control
|
Gap |
Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues ...
Critical Gap - Key Control Missing
|
||
MA-4 |
Nonlocal Maintenance
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126 | Sub Subsecti... |
Demo_Policies_combined.xlsx
|
|
MA-4 |
Nonlocal Maintenance
|
Aligned | Control: MA-4: Nonlocal maintenance and diagnostic activitie... |
Demo_IT_Issues_List.xlsx
|
|
MA-5 |
Maintenance Personnel
Key Control
|
Gap |
Maintenance personnel refers to individuals who perform hardware or software maintenance on organiza...
Critical Gap - Key Control Missing
|
||
MA-6 |
Timely Maintenance
Key Control
|
Aligned | Risk: Denial of Service, Risk: Environmental Factors, Risk: ... |
Demo_Risk_Register.xlsx
|
|
MA-7 |
Field Maintenance
|
Gap | Field maintenance is the type of maintenance conducted on a system or system component after the sys... | ||
MP-1 |
Policy and Procedures
Key Control
|
Aligned | Media Protection Policy and Procedures... |
Demo_Policies_combined.xlsx
|
|
MP-2 |
Media Access
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
MP-2 |
Media Access
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
MP-3 |
Media Marking
|
Gap | Security marking refers to the application or use of human-readable security attributes. Digital med... | ||
MP-4 |
Media Storage
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... |
Demo_Policies_combined.xlsx
|
|
MP-4 |
Media Storage
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B37... |
Demo_Policies_combined.xlsx
|
|
MP-5 |
Media Transport
Key Control
|
Gap |
System media includes digital and non-digital media. Digital media includes flash drives, diskettes,...
Critical Gap - Key Control Missing
|
||
MP-6 |
Media Sanitization
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
MP-7 |
Media Use
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
MP-7 |
Media Use
Key Control
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
MP-8 |
Media Downgrading
|
Gap | Media downgrading applies to digital and non-digital media subject to release outside of the organiz... | ||
PE-1 |
Policy and Procedures
Key Control
|
Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... |
Demo_Policies_combined.xlsx
|
|
PE-10 |
Emergency Shutoff
|
Gap | Emergency power shutoff primarily applies to organizational facilities that contain concentrations o... | ||
PE-11 |
Emergency Power
|
Gap | An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency p... | ||
PE-12 |
Emergency Lighting
Key Control
|
Gap |
The provision of emergency lighting applies primarily to organizational facilities that contain conc...
Critical Gap - Key Control Missing
|
||
PE-13 |
Fire Protection
|
Gap | The provision of fire detection and suppression systems applies primarily to organizational faciliti... | ||
PE-14 |
Environmental Controls
Key Control
|
Gap |
The provision of environmental controls applies primarily to organizational facilities that contain ...
Critical Gap - Key Control Missing
|
||
PE-15 |
Water Damage Protection
|
Gap | The provision of water damage protection primarily applies to organizational facilities that contain... | ||
PE-16 |
Delivery and Removal
Key Control
|
Gap |
Enforcing authorizations for entry and exit of system components may require restricting access to d...
Critical Gap - Key Control Missing
|
||
PE-17 |
Alternate Work Site
Key Control
|
Gap |
Alternate work sites include government facilities or the private residences of employees. While dis...
Critical Gap - Key Control Missing
|
||
PE-18 |
Location of System Components
Key Control
|
Aligned | Risk: Environmental Factors... |
Demo_Risk_Register.xlsx
|
|
PE-19 |
Information Leakage
|
Gap | Information leakage is the intentional or unintentional release of data or information to an untrust... | ||
PE-2 |
Physical Access Authorizations
Key Control
|
Gap |
Physical access authorizations apply to employees and visitors. Individuals with permanent physical ...
Critical Gap - Key Control Missing
|
||
PE-20 |
Asset Monitoring and Tracking
Key Control
|
Gap |
Asset location technologies can help ensure that critical assets—including vehicles, equipment...
Critical Gap - Key Control Missing
|
||
PE-21 |
Electromagnetic Pulse Protection
|
Gap | An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a rang... | ||
PE-22 |
Component Marking
Key Control
|
Gap |
Hardware components that may require marking include input and output devices. Input devices include...
Critical Gap - Key Control Missing
|
||
PE-23 |
Facility Location
|
Aligned | Risk: Environmental Factors... |
Demo_Risk_Register.xlsx
|
|
PE-3 |
Physical Access Control
Key Control
|
Gap |
Physical access control applies to employees and visitors. Individuals with permanent physical acces...
Critical Gap - Key Control Missing
|
||
PE-4 |
Access Control for Transmission
|
Aligned | Risk: Transmission Interception... |
Demo_Risk_Register.xlsx
|
|
PE-5 |
Access Control for Output Devices
Key Control
|
Gap |
Controlling physical access to output devices includes placing output devices in locked rooms or oth...
Critical Gap - Key Control Missing
|
||
PE-6 |
Monitoring Physical Access
Key Control
|
Gap |
Physical access monitoring includes publicly accessible areas within organizational facilities. Exam...
Critical Gap - Key Control Missing
|
||
PE-8 |
Visitor Access Records
Key Control
|
Gap |
Visitor access records include the names and organizations of individuals visiting, visitor signatur...
Critical Gap - Key Control Missing
|
||
PE-9 |
Power Equipment and Cabling
|
Gap | Organizations determine the types of protection necessary for the power equipment and cabling employ... | ||
PL-1 |
Policy and Procedures
|
Aligned | Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3... |
Demo_Policies_combined.xlsx
|
|
PL-1 |
Policy and Procedures
|
Aligned | Policy Number: 3.0 Information Security Policy | Subsection:... |
Demo_Policies_combined.xlsx
|
|
PL-10 |
Baseline Selection
Key Control
|
Gap |
Control baselines are predefined sets of controls specifically assembled to address the protection n...
Critical Gap - Key Control Missing
|
||
PL-11 |
Baseline Tailoring
|
Gap | The concept of tailoring allows organizations to specialize or customize a set of baseline controls ... | ||
PL-2 |
System Security and Privacy Plans
|
Aligned | Section 2.1 describes the different types of requirements th... |
Demo_Policies_combined.xlsx
|
|
PL-4 |
Rules of Behavior
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... |
Demo_Policies_combined.xlsx
|
|
PL-4 |
Rules of Behavior
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... |
Demo_Policies_combined.xlsx
|
|
PL-4 |
Rules of Behavior
Key Control
|
Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... |
Demo_Policies_combined.xlsx
|
|
PL-7 |
Concept of Operations
Key Control
|
Gap |
The CONOPS may be included in the security or privacy plans for the system or in other system develo...
Critical Gap - Key Control Missing
|
||
PL-8 |
Security and Privacy Architectures
|
Gap | The security and privacy architectures at the system level are consistent with the organization-wide... | ||
PL-9 |
Central Management
Key Control
|
Gap |
Central management refers to organization-wide management and implementation of selected controls an...
Critical Gap - Key Control Missing
|
||
PM-1 |
Information Security Program Plan
|
Gap | An information security program plan is a formal document that provides an overview of the security ... | ||
PM-10 | Authorization Process (Key Control) | Gap | Authorization processes for organizational systems and environments of operation require the impleme...; Critical Gap - Key Control Missing | | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | Protection Needs and Policy Exceptions... | Demo_Policies_combined.xlsx | |
PM-12 | Insider Threat Program (Key Control) | Aligned | Insider Threats... | Demo_IT_Issues_List.xlsx | |
PM-13 | Security and Privacy Workforce (Key Control) | Gap | Security and privacy workforce development and improvement programs include defining the knowledge, ...; Critical Gap - Key Control Missing | | |
PM-14 | Testing, Training, and Monitoring | Aligned | Ensure employees under their supervision complete a Security... | Demo_Policies_combined.xlsx | |
PM-14 | Testing, Training, and Monitoring | Aligned | Phishing Vulnerability... | Demo_IT_Issues_List.xlsx | |
PM-15 | Security and Privacy Groups and Associations | Gap | Ongoing contact with security and privacy groups and associations is important in an environment of ... | | |
PM-16 | Threat Awareness Program | Gap | Because of the constantly changing and increasing sophistication of adversaries, especially the adva... | | |
PM-17 | Protecting Controlled Unclassified Information on External Systems | Gap | Controlled unclassified information is defined by the National Archives and Records Administration a... | | |
PM-18 | Privacy Program Plan | Gap | A privacy program plan is a formal document that provides an overview of an organization’s pri... | | |
PM-19 | Privacy Program Leadership Role | Gap | The privacy officer is an organizational official. For federal agencies—as defined by applicab... | | |
PM-2 | Information Security Program Leadership Role | Aligned | Subsection: 1.2 ROLES & RESPONSIBILITIES... | Demo_Policies_combined.xlsx | |
PM-20 | Dissemination of Privacy Program Information | Gap | For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include p... | | |
PM-21 | Accounting of Disclosures (Key Control) | Gap | The purpose of accounting of disclosures is to allow individuals to learn to whom their personally i...; Critical Gap - Key Control Missing | | |
PM-22 | Personally Identifiable Information Quality Management | Gap | Personally identifiable information quality management includes steps that organizations take to con... | | |
PM-23 | Data Governance Body (Key Control) | Gap | A Data Governance Body can help ensure that the organization has coherent policies and the ability t...; Critical Gap - Key Control Missing | | |
PM-24 | Data Integrity Board | Gap | A Data Integrity Board is the board of senior officials designated by the head of a federal agency a... | | |
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research (Key Control) | Gap | The use of personally identifiable information in testing, research, and training increases the risk...; Critical Gap - Key Control Missing | | |
PM-26 | Complaint Management | Gap | Complaints, concerns, and questions from individuals can serve as valuable sources of input to organ... | | |
PM-27 | Privacy Reporting | Gap | Through internal and external reporting, organizations promote accountability and transparency in or... | | |
PM-28 | Risk Framing | Gap | Risk framing is most effective when conducted at the organization level and in consultation with sta... | | |
PM-29 | Risk Management Program Leadership Roles | Gap | The senior accountable official for risk management leads the risk executive (function) in organizat... | | |
PM-3 | Information Security and Privacy Resources | Gap | Organizations consider establishing champions for information security and privacy and, as part of i... | | |
PM-30 | Supply Chain Risk Management Strategy | Aligned | Risk: Third and fourth-party vendors... | Demo_Risk_Register.xlsx | |
PM-31 | Continuous Monitoring Strategy (Key Control) | Gap | Continuous monitoring at the organization level facilitates ongoing awareness of the security and pr...; Critical Gap - Key Control Missing | | |
PM-32 | Purposing (Key Control) | Gap | Systems are designed to support a specific mission or business function. However, over time, systems...; Critical Gap - Key Control Missing | | |
PM-4 | Plan of Action and Milestones Process | Gap | The plan of action and milestones is a key organizational document and is subject to reporting requi... | | |
PM-5 | System Inventory | Gap | OMB A-130 provides guidance on developing systems inventories and associated reporting requirements.... | | |
PM-6 | Measures of Performance | Gap | Measures of performance are outcome-based metrics used by an organization to measure the effectivene... | | |
PM-7 | Enterprise Architecture | Gap | The integration of security and privacy requirements and controls into the enterprise architecture h... | | |
PM-8 | Critical Infrastructure Plan | Aligned | Protection Strategies and Policy Exceptions... | Demo_Policies_combined.xlsx | |
PM-8 | Critical Infrastructure Plan | Aligned | Poor Patch Management... | Demo_IT_Issues_List.xlsx | |
PM-9 | Risk Management Strategy | Aligned | Risk: Third and fourth-party vendors, Risk: Transmission Int... | Demo_Risk_Register.xlsx | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Personnel Security Policy and Procedures... | Demo_Policies_combined.xlsx | |
PS-2 | Position Risk Designation (Key Control) | Gap | Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper ...; Critical Gap - Key Control Missing | | |
PS-3 | Personnel Screening (Key Control) | Aligned | Subsection: 1.3 BACKGROUND CHECKS... | Demo_Policies_combined.xlsx | |
PS-4 | Personnel Termination (Key Control) | Aligned | Exit Interviews and Equipment Examination... | Demo_Policies_combined.xlsx | |
PS-5 | Personnel Transfer (Key Control) | Aligned | Procedures for personnel transfer and access management... | Demo_Policies_combined.xlsx | |
PS-6 | Access Agreements | Gap | Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, an... | | |
PS-7 | External Personnel Security (Key Control) | Gap | External provider refers to organizations other than the organization operating or acquiring the sys...; Critical Gap - Key Control Missing | | |
PS-8 | Personnel Sanctions (Key Control) | Aligned | Subsection: 1.8 DISCIPLINARY PROCESS... | Demo_Policies_combined.xlsx | |
PS-9 | Position Descriptions (Key Control) | Aligned | Subsection: 1.5 ROLES & RESPONSIBILITIES... | Demo_Policies_combined.xlsx | |
PT-1 | Policy and Procedures (Key Control) | Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... | Demo_Policies_combined.xlsx | |
PT-1 | Policy and Procedures (Key Control) | Aligned | Outdated Legacy Systems... | Demo_IT_Issues_List.xlsx | |
PT-2 | Authority to Process Personally Identifiable Information (Key Control) | Gap | The processing of personally identifiable information is an operation or set of operations that the ...; Critical Gap - Key Control Missing | | |
PT-3 | Personally Identifiable Information Processing Purposes (Key Control) | Gap | Identifying and documenting the purpose for processing provides organizations with a basis for under...; Critical Gap - Key Control Missing | | |
PT-4 | Consent | Aligned | Policy Number: 2.0 IS Acceptable Use Policy \| Subsection: 1.... | Demo_Policies_combined.xlsx | |
PT-5 | Privacy Notice (Key Control) | Gap | Privacy notices help inform individuals about how their personally identifiable information is being...; Critical Gap - Key Control Missing | | |
PT-6 | System of Records Notice | Gap | The PRIVACT requires that federal agencies publish a system of records notice in the Federal Registe... | | |
PT-7 | Specific Categories of Personally Identifiable Information (Key Control) | Gap | Organizations apply any conditions or protections that may be necessary for specific categories of p...; Critical Gap - Key Control Missing | | |
PT-8 | Computer Matching Requirements | Gap | The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a matchi... | | |
RA-1 | Policy and Procedures (Key Control) | Aligned | Risk Assessment Policy and Procedures... | Demo_Policies_combined.xlsx | |
RA-1 | Policy and Procedures (Key Control) | Aligned | Risk Assessment Policy and Procedures... | Demo_Risk_Register.xlsx | |
RA-10 | Threat Hunting | Gap | Threat hunting is an active means of cyber defense in contrast to traditional protection measures, s... | | |
RA-2 | Security Categorization | Gap | Security categories describe the potential adverse impacts or negative consequences to organizationa... | | |
RA-3 | Risk Assessment (Key Control) | Aligned | Risk assessments consider threats, vulnerabilities, likeliho... | Demo_Risk_Register.xlsx | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Vulnerability monitoring includes scanning for patch levels;... | Demo_IT_Issues_List.xlsx | |
RA-6 | Technical Surveillance Countermeasures Survey | Gap | A technical surveillance countermeasures survey is a service provided by qualified personnel to dete... | | |
RA-7 | Risk Response | Aligned | Risk Response and Exception Handling... | Demo_Policies_combined.xlsx | |
RA-7 | Risk Response | Aligned | Risk: Denial of Service, Risk: Environmental Factors, Risk: ... | Demo_Risk_Register.xlsx | |
RA-8 | Privacy Impact Assessments | Gap | A privacy impact assessment is an analysis of how personally identifiable information is handled to ... | | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Technical and Organizational Controls... | Demo_Policies_combined.xlsx | |
SA-1 | Policy and Procedures (Key Control) | Aligned | System and services acquisition policy and procedures... | Demo_Policies_combined.xlsx | |
SA-10 | Developer Configuration Management (Key Control) | Gap | Organizations consider the quality and completeness of configuration management activities conducted...; Critical Gap - Key Control Missing | | |
SA-11 | Developer Testing and Evaluation | Gap | Developmental testing and evaluation confirms that the required controls are implemented correctly, ... | | |
SA-15 | Development Process, Standards, and Tools (Key Control) | Gap | Development tools include programming languages and computer-aided design systems. Reviews of develo...; Critical Gap - Key Control Missing | | |
SA-16 | Developer-provided Training | Aligned | Information Security Awareness training for employees... | Demo_Policies_combined.xlsx | |
SA-17 | Developer Security and Privacy Architecture and Design | Gap | Developer security and privacy architecture and design are directed at external developers, although... | | |
SA-2 | Allocation of Resources (Key Control) | Aligned | Technical and Organizational Controls... | Demo_Policies_combined.xlsx | |
SA-20 | Customized Development of Critical Components (Key Control) | Gap | Organizations determine that certain system components likely cannot be trusted due to specific thre...; Critical Gap - Key Control Missing | | |
SA-21 | Developer Screening (Key Control) | Gap | Developer screening is directed at external developers. Internal developer screening is addressed by...; Critical Gap - Key Control Missing | | |
SA-22 | Unsupported System Components (Key Control) | Aligned | Support for system components... | Demo_IT_Issues_List.xlsx | |
SA-23 | Specialization (Key Control) | Gap | It is often necessary for a system or system component that supports mission-essential services or f...; Critical Gap - Key Control Missing | | |
SA-3 | System Development Life Cycle (Key Control) | Aligned | System Development Life Cycle Process... | Demo_Risk_Register.xlsx | |
SA-4 | Acquisition Process | Aligned | Technical and Organizational Controls... | Demo_Policies_combined.xlsx | |
SA-5 | System Documentation | Gap | System documentation helps personnel understand the implementation and operation of controls. Organi... | | |
SA-8 | Security and Privacy Engineering Principles | Aligned | Security Engineering Principles... | Demo_Risk_Register.xlsx | |
SA-9 | External System Services (Key Control) | Gap | External system services are provided by an external provider, and the organization has no direct co...; Critical Gap - Key Control Missing | | |
SC-1 | Policy and Procedures | Aligned | System and communications protection policy and procedures... | Demo_Policies_combined.xlsx | |
SC-10 | Network Disconnect | Gap | Network disconnect applies to internal and external networks. Terminating network connections associ... | | |
SC-11 | Trusted Path | Gap | Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) ... | | |
SC-12 | Cryptographic Key Establishment and Management | Gap | Cryptographic key management and establishment can be performed using manual procedures or automated... | | |
SC-13 | Cryptographic Protection | Aligned | Subsection: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURIT... | Demo_Policies_combined.xlsx | |
SC-13 | Cryptographic Protection | Aligned | Issue ID: 4 \| Issue Name: Outdated Encryption Protocols... | Demo_IT_Issues_List.xlsx | |
SC-15 | Collaborative Computing Devices and Applications | Gap | Collaborative computing devices and applications include remote meeting devices and applications, ne... | | |
SC-16 | Transmission of Security and Privacy Attributes (Key Control) | Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B115, +B116, +B117... | Demo_Policies_combined.xlsx | |
SC-17 | Public Key Infrastructure Certificates | Gap | Public key infrastructure (PKI) certificates are certificates with visibility external to organizati... | | |
SC-18 | Mobile Code | Aligned | Subsection: 1.4 SECURITY & PROPRIETARY INFORMATION... | Demo_Policies_combined.xlsx | |
SC-18 | Mobile Code | Aligned | Risk: Code Exploitation... | Demo_Risk_Register.xlsx | |
SC-2 | Separation of System and User Functionality | Aligned | Ensure that conflicting functions such as data entry, comput... | Demo_Policies_combined.xlsx | |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) (Key Control) | Gap | Providing authoritative source information enables external clients, including remote Internet clien...; Critical Gap - Key Control Missing | | |
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Gap | Each client of name resolution services either performs this validation on its own or has authentica... | | |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Gap | Systems that provide name and address resolution services include domain name system (DNS) servers. ... | | |
SC-23 | Session Authenticity | Aligned | Risk: Session hijacking... | Demo_Risk_Register.xlsx | |
SC-24 | Fail in Known State | Gap | Failure in a known state addresses security concerns in accordance with the mission and business nee... | | |
SC-25 | Thin Nodes | Gap | The deployment of system components with minimal functionality reduces the need to secure every endp... | | |
SC-26 | Decoys | Gap | Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and de... | | |
SC-27 | Platform-independent Applications | Gap | Platforms are combinations of hardware, firmware, and software components used to execute software a... | | |
SC-28 | Protection of Information at Rest (Key Control) | Gap | Information at rest refers to the state of information when it is not in process or in transit and i...; Critical Gap - Key Control Missing | | |
SC-29 | Heterogeneity | Gap | Increasing the diversity of information technologies within organizational systems reduces the impac... | | |
SC-3 | Security Function Isolation | Gap | Security functions are isolated from nonsecurity functions by means of an isolation boundary impleme... | | |
SC-30 | Concealment and Misdirection | Gap | Concealment and misdirection techniques can significantly reduce the targeting capabilities of adver... | | |
SC-31 | Covert Channel Analysis | Gap | Developers are in the best position to identify potential areas within systems that might lead to co... | | |
SC-32 | System Partitioning | Gap | System partitioning is part of a defense-in-depth protection strategy. Organizations determine the d... | | |
SC-34 | Non-modifiable Executable Programs (Key Control) | Gap | The operating environment for a system contains the code that hosts applications, including operatin...; Critical Gap - Key Control Missing | | |
SC-35 | External Malicious Code Identification | Gap | External malicious code identification differs from decoys in SC-26 in that the components actively ... | | |
SC-36 | Distributed Processing and Storage (Key Control) | Gap | Distributing processing and storage across multiple physical locations or logical domains provides a...; Critical Gap - Key Control Missing | | |
SC-37 | Out-of-band Channels (Key Control) | Gap | Out-of-band channels include local, non-network accesses to systems; network paths physically separa...; Critical Gap - Key Control Missing | | |
SC-38 | Operations Security | Gap | Operations security (OPSEC) is a systematic process by which potential adversaries can be denied inf... | | |
SC-39 | Process Isolation | Gap | Systems can maintain separate execution domains for each executing process by assigning each process... | | |
SC-4 | Information in Shared System Resources (Key Control) | Gap | Preventing unauthorized and unintended information transfer via shared system resources stops inform...; Critical Gap - Key Control Missing | | |
SC-40 | Wireless Link Protection | Aligned | Risk: Transmission Interception... | Demo_Risk_Register.xlsx | |
SC-41 | Port and I/O Device Access | Gap | Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/ou... | | |
SC-42 | Sensor Capability and Data (Key Control) | Gap | Sensor capability and data applies to types of systems or system components characterized as mobile ...; Critical Gap - Key Control Missing | | |
SC-43 | Usage Restrictions (Key Control) | Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... | Demo_Policies_combined.xlsx | |
SC-43 | Usage Restrictions (Key Control) | Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB)... | Demo_Policies_combined.xlsx | |
SC-44 | Detonation Chambers | Gap | Detonation chambers, also known as dynamic execution environments, allow organizations to open email... | | |
SC-45 | System Time Synchronization | Gap | Time synchronization of system clocks is essential for the correct execution of many system services... | | |
SC-46 | Cross Domain Policy Enforcement (Key Control) | Gap | For logical policy enforcement mechanisms, organizations avoid creating a logical path between inter...; Critical Gap - Key Control Missing | | |
SC-47 | Alternate Communications Paths | Aligned | Risk: Denial of Service... | Demo_Risk_Register.xlsx | |
SC-47 | Alternate Communications Paths | Aligned | Risk: Environmental Factors... | Demo_Risk_Register.xlsx | |
SC-47 | Alternate Communications Paths | Aligned | Risk: Human Error... | Demo_Risk_Register.xlsx | |
SC-48 | Sensor Relocation (Key Control) | Aligned | Issue Name: Poor Network Segmentation... | Demo_IT_Issues_List.xlsx | |
SC-48 | Sensor Relocation (Key Control) | Aligned | Issue Name: Inadequate Logging and Monitoring... | Demo_IT_Issues_List.xlsx | |
SC-49 | Hardware-enforced Separation and Policy Enforcement (Key Control) | Gap | System owners may require additional strength of mechanism and robustness to ensure domain separatio...; Critical Gap - Key Control Missing | | |
SC-5 | Denial-of-service Protection | Aligned | Risk: Denial of Service... | Demo_Risk_Register.xlsx | |
SC-50 | Software-enforced Separation and Policy Enforcement (Key Control) | Aligned | The technical and organizational controls define minimum req... | Demo_Policies_combined.xlsx | |
SC-51 | Hardware-based Protection | Gap | None.... | | |
SC-6 | Resource Availability | Gap | Priority protection prevents lower-priority processes from delaying or interfering with the system t... | | |
SC-7 | Boundary Protection (Key Control) | Aligned | Policy Number: 2.1 Acceptable Use Standard \| Subsection: 1.3... | Demo_Policies_combined.xlsx | |
SC-7 | Boundary Protection (Key Control) | Aligned | Policy Number: 2.1 Acceptable Use Standard \| Subsection: 1.3... | Demo_Policies_combined.xlsx | |
SC-8 | Transmission Confidentiality and Integrity (Key Control) | Aligned | Risk: Transmission Interception... | Demo_Risk_Register.xlsx | |
SI-1 | Policy and Procedures (Key Control) | Gap | System and information integrity policy and procedures address the controls in the SI family that ar...; Critical Gap - Key Control Missing | | |
SI-10 | Information Input Validation | Aligned | Control: SI-10: Checking the valid syntax and semantics of s... | Demo_Risk_Register.xlsx | |
SI-11 | Error Handling | Gap | Organizations consider the structure and content of error messages. The extent to which systems can ... | | |
SI-12 | Information Management and Retention | Gap | Information management and retention requirements cover the full life cycle of information, in some ... | | |
SI-13 | Predictable Failure Prevention (Key Control) | Gap | While MTTF is primarily a reliability issue, predictable failure prevention is intended to address p...; Critical Gap - Key Control Missing | | |
SI-14 | Non-persistence | Gap | Implementation of non-persistent components and services mitigates risk from advanced persistent thr... | | |
SI-15 | Information Output Filtering | Gap | Certain types of attacks, including SQL injections, produce output results that are unexpected or in... | | |
SI-16 | Memory Protection | Gap | Some adversaries launch attacks with the intent of executing code in non-executable regions of memor... | | |
SI-17 | Fail-safe Procedures (Key Control) | Gap | Failure conditions include the loss of communications among critical system components or between sy...; Critical Gap - Key Control Missing | | |
SI-18 | Personally Identifiable Information Quality Operations (Key Control) | Gap | Personally identifiable information quality operations include the steps that organizations take to ...; Critical Gap - Key Control Missing | | |
SI-19 | De-identification | Gap | De-identification is the general term for the process of removing the association between a set of i... | | |
SI-2 | Flaw Remediation (Key Control) | Aligned | Control: SI-2... | Demo_IT_Issues_List.xlsx | |
SI-20 | Tainting | Aligned | Risk: Malicious insider \| Risk: Malware... | Demo_Risk_Register.xlsx | |
SI-21 | Information Refresh | Aligned | Issue Name: Data Retention Policy Violations... | Demo_IT_Issues_List.xlsx | |
SI-22 | Information Diversity (Key Control) | Gap | Actions taken by a system service or a function are often driven by the information it receives. Cor...; Critical Gap - Key Control Missing | | |
SI-23 | Information Fragmentation | Gap | One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltra... | | |
SI-3 | Malicious Code Protection | Aligned | Control: SI-2... | Demo_IT_Issues_List.xlsx | |
SI-3 | Malicious Code Protection | Aligned | Risk: Malware... | Demo_Risk_Register.xlsx | |
SI-4 | System Monitoring | Aligned | Issue ID: 18 \| Issue Name: Inadequate Logging and Monitoring... | Demo_IT_Issues_List.xlsx | |
SI-5 | Security Alerts, Advisories, and Directives (Key Control) | Aligned | Issue Description... | Demo_IT_Issues_List.xlsx | |
SI-6 | Security and Privacy Function Verification (Key Control) | Gap | Transitional states for systems include system startup, restart, shutdown, and abort. System notific...; Critical Gap - Key Control Missing | | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Policy Number: 2.1 Acceptable Use Standard \| Subsection: 1.3... | Demo_Policies_combined.xlsx | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Policy Number: 2.1 Acceptable Use Standard \| Subsection: 1.3... | Demo_Policies_combined.xlsx | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Policy Number: 2.1 Acceptable Use Standard \| Subsection: 1.3... | Demo_Policies_combined.xlsx | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Issue ID: 81 \| Issue Name: Unpatched Systems... | Demo_IT_Issues_List.xlsx | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Risk: Malicious insider \| Risk: Malware... | Demo_Risk_Register.xlsx | |
SI-8 | Spam Protection (Key Control) | Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) \| section: b. Email ... | Demo_Policies_combined.xlsx | |
SI-8 | Spam Protection (Key Control) | Aligned | Subsection: 1.3 RULES OF BEHAVIOR (ROB) \| section: b. Email ... | Demo_Policies_combined.xlsx | |
SR-1 | Policy and Procedures (Key Control) | Aligned | Supply Chain Risk Management Policy and Procedures... | Demo_Policies_combined.xlsx | |
SR-10 | Inspection of Systems or Components | Gap | The inspection of systems or systems components for tamper resistance and detection addresses physic... | | |
SR-11 | Component Authenticity | Gap | Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-... | | |
SR-12 | Component Disposal (Key Control) | Aligned | Policy Number: 2.1 Acceptable Use Standard \| Subsection: 1.3... | Demo_Policies_combined.xlsx | |
SR-2 | Supply Chain Risk Management Plan (Key Control) | Aligned | Issue ID: 16 \| Issue Name: Third-Party Vendor Risks... | Demo_IT_Issues_List.xlsx | |
SR-2 | Supply Chain Risk Management Plan (Key Control) | Aligned | Risks associated with third-party vendors and their security... | Demo_Risk_Register.xlsx | |
SR-3 | Supply Chain Controls and Processes (Key Control) | Gap | Supply chain elements include organizations, entities, or tools employed for the research and develo...; Critical Gap - Key Control Missing | | |
SR-4 | Provenance (Key Control) | Gap | Every system and system component has a point of origin and may be changed throughout its existence....; Critical Gap - Key Control Missing | | |
SR-5 | Acquisition Strategies, Tools, and Methods (Key Control) | Gap | The use of the acquisition process provides an important vehicle to protect the supply chain. There ...; Critical Gap - Key Control Missing | | |
SR-6 | Supplier Assessments and Reviews (Key Control) | Gap | An assessment and review of supplier risk includes security and supply chain risk management process...; Critical Gap - Key Control Missing | | |
SR-7 | Supply Chain Operations Security (Key Control) | Gap | Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is...; Critical Gap - Key Control Missing | | |
SR-8 | Notification Agreements (Key Control) | Gap | The establishment of agreements and procedures facilitates communications among supply chain entitie...; Critical Gap - Key Control Missing | | |
SR-9 | Tamper Resistance and Detection | Gap | Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system co... | | |
Demo_Policies_combined.xlsx (NIST)
101 matches found
Document Content
Matched Section
Section: Access Control Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of access control policies and procedures, including the ability for divisions to define stronger or lower security requirements based on risk, which aligns with the need for a comprehensive access control policy.
Document Content
Matched Section
Section: Policy Number: 3.0 Information Security Policy | Subsection: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content: Access should be restricted to the information assets in keeping with business requirements and the associated risk.
AI Justification
The policy statements emphasize the need for access restrictions based on business requirements and risk assessments, which aligns with the principles of information sharing and the need for formal determinations regarding access.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: Use third-party email & messaging services to conduct the Company business without specific approval from Information Security.
AI Justification
The policy explicitly restricts the use of third-party email and messaging services for conducting company business, aligning with the control's focus on managing external systems.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: Under certain circumstances, business specific email systems such as Bloomberg or other approved systems may be used with the approval of Senior Management.
AI Justification
The policy allows for the use of specific external systems with approval, which aligns with the control's provisions for managing external system access.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) | Sub Subsection: E. Bring Your Own Device
Content: The wiping or removal of data from the User’s personal device can occur at any time with or without prior notification or consent. The wiping or removal of data from the User’s personal device can be triggered due to various events including but not limited to employment termination and/or security event, breach, or threat. Monitoring of User’s device.
AI Justification
The policies outlined in the document chunk address the management and control of personal mobile devices, including the ability to wipe data and monitor devices, which aligns with the requirements of AC-19.
Document Content
Matched Section
Section: Subsection: 1.5 ROLES & RESPONSIBILITIES
Content: Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager. For Key business applications, the application business owner should approve access to the application.
AI Justification
The text discusses the creation of login IDs and the administration of permissions, which relates to access control decisions and enforcement.
Document Content
Matched Section
Section: Subsection: 1.5 ROLES & RESPONSIBILITIES
Content: Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The text discusses the creation of login IDs and the administration of permissions, which aligns with the principle of least privilege by ensuring that employees have only the necessary access to perform their duties.
Document Content
Matched Section
Section: Ensure that conflicting functions such as data entry, computer operations, network management business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
Content: Ensure that conflicting functions such as data entry, computer operations, network management business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The text explicitly discusses the need to ensure that conflicting functions are not carried out by the same person, which aligns directly with the principle of separation of duties.
Document Content
Matched Section
Section: Sub Sub Subsection: ii | section: n
Content: n. Users should be aware that the Company systems will lockout users after the threshold for invalid access attempts has been reached. The general threshold is set to five failed attempts but may be set lower depending on specific system requirements.
AI Justification
The policy explicitly mentions that users will be locked out after reaching a threshold of invalid access attempts, which aligns with the control's requirement to limit unsuccessful logon attempts.
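The policy fixes the behaviour (lock after five failures, lower per system) but not how an assessor would verify it from authentication records. The following is an added example, not part of the assessed policy or of the report tool: it replays constructed authentication events against the policy threshold and an assumed per-system override table, and reports which accounts end up locked. The log line format, the override table, the sample events and the assumption that unlock is manual (the policy states no lockout duration) are all constructed for this illustration.

```python
"""Account-lockout replay over authentication events.

Added example: this is not part of the assessed policy or of the report
tool. The policy fixes a general threshold of five failed attempts and
allows individual systems to set a lower one; the log line format, the
per-system override table and the events are constructed here for
illustration. Unlock is assumed to be manual (the policy does not state a
lockout duration), so a locked account stays locked for the whole replay.
"""
import re

GENERAL_THRESHOLD = 5  # "The general threshold is set to five failed attempts"

# ASSUMED per-system overrides. The policy allows lower thresholds only.
SYSTEM_THRESHOLDS = {"payroll": 3}

# Constructed event format: "<timestamp> <system> user=<name> outcome=OK|FAIL"
EVENT = re.compile(r"^(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) outcome=(?P<outcome>OK|FAIL)$")

# Constructed sample events, in chronological order.
SAMPLE_LOG = """\
2025-08-19T08:00:01Z vpn user=alice outcome=FAIL
2025-08-19T08:00:05Z vpn user=alice outcome=FAIL
2025-08-19T08:00:09Z vpn user=alice outcome=FAIL
2025-08-19T08:00:14Z vpn user=alice outcome=FAIL
2025-08-19T08:00:20Z vpn user=alice outcome=OK
2025-08-19T08:01:00Z vpn user=bob outcome=FAIL
2025-08-19T08:01:02Z vpn user=bob outcome=FAIL
2025-08-19T08:01:04Z vpn user=bob outcome=FAIL
2025-08-19T08:01:06Z vpn user=bob outcome=FAIL
2025-08-19T08:01:08Z vpn user=bob outcome=FAIL
2025-08-19T08:01:30Z vpn user=bob outcome=OK
2025-08-19T08:02:00Z payroll user=carol outcome=FAIL
2025-08-19T08:02:10Z payroll user=carol outcome=FAIL
2025-08-19T08:02:20Z payroll user=carol outcome=FAIL
2025-08-19T08:03:00Z payroll user=dave outcome=FAIL
2025-08-19T08:03:10Z payroll user=dave outcome=OK
""".splitlines()


def valid_override(threshold, general=GENERAL_THRESHOLD):
    """A system-specific threshold may only tighten the general one."""
    return 1 <= threshold <= general


def threshold_for(system, overrides=SYSTEM_THRESHOLDS, general=GENERAL_THRESHOLD):
    """Effective threshold for a system; rejects overrides looser than policy."""
    threshold = overrides.get(system, general)
    if not valid_override(threshold, general):
        raise ValueError(f"{system}: threshold {threshold} is outside 1..{general}")
    return threshold


def parse_event(line):
    match = EVENT.match(line)
    if match is None:
        raise ValueError(f"unparseable event: {line!r}")
    return match.groupdict()


def replay(lines, overrides=SYSTEM_THRESHOLDS, general=GENERAL_THRESHOLD):
    """Replay events in order and return per-(system, user) lockout state.

    Consecutive failures are counted; a success resets the count. Reaching
    the system's threshold locks the account, after which every further
    attempt, including a correct password, is rejected and counted as an
    attempt while locked (a useful signal that the lockout is doing work).
    """
    state = {}
    for line in lines:
        event = parse_event(line)
        key = (event["system"], event["user"])
        acct = state.setdefault(key, {"failures": 0, "locked": False,
                                      "locked_at": None, "attempts_while_locked": 0})
        if acct["locked"]:
            acct["attempts_while_locked"] += 1
            continue
        if event["outcome"] == "OK":
            acct["failures"] = 0
            continue
        acct["failures"] += 1
        if acct["failures"] >= threshold_for(event["system"], overrides, general):
            acct["locked"] = True
            acct["locked_at"] = event["ts"]
    return state


def locked_accounts(state):
    """Sorted list of (system, user) currently locked, for reporting."""
    return sorted(key for key, acct in state.items() if acct["locked"])


if __name__ == "__main__":
    for (system, user), acct in replay(SAMPLE_LOG).items():
        print(f"{system}/{user}: {acct}")
```

In the sample, alice's four failures followed by a success leave her unlocked, bob locks on the fifth failure and his later correct password is rejected, and carol locks on the third failure because the payroll system uses a tighter threshold. The override validator is the check worth keeping: a system that silently raised its threshold above five would otherwise still look compliant on paper.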
Document Content
Matched Section
Section: Subsection: 1.2 SYSTEM USE NOTIFICATION
Content: For Windows network authentication, the system use notification banner should describe privacy expectations, monitoring activities, and any applicable laws, regulations, and company policy compliance requirements. Where it is not possible to display these messages, the Company should actively monitor for appropriate and legitimate usage of the asset.
AI Justification
The matched text describes the content of a system use notification banner (privacy expectations, monitoring, applicable law and policy). It does not mention informing users of their last logon, so it does not evidence a previous-logon notification requirement; the banner content is evidence for system use notification, not for this control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a Company-managed application.
AI Justification
The policy statement records user consent to monitoring of a Company-managed device and review of data held in Company-managed applications. That is a rule of behavior supporting monitoring, not a statement of access control policy, so it is weak evidence for this control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Monitoring can be conducted live or through automated programs that detect and flag unsafe practices.
AI Justification
The statement that monitoring may be live or automated describes how unsafe practices are detected, not how access is enforced. It supports monitoring and rules-of-behavior controls and is at best indirect evidence for access control enforcement.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: User may be asked and required to hand over his/her Company-managed device as part of an internal investigation.
AI Justification
Requiring users to surrender a Company-managed device for an internal investigation supports investigation and incident handling. It does not describe an access enforcement mechanism, so it is indirect evidence for this control.
Document Content
Matched Section
Section: Policy Number: 5.0 Human Resource Security Policy | Subsection: 1.7 INFORMATION SECURITY EDUCATION & TRAINING
Content: Employees should acknowledge that they are aware that actions on the Company networks may be monitored and give their consent to monitoring. Periodic Information Security Training will be provided to employees and evidence of training completion will be maintained. Training materials are prepared by Information Security Management. Specialized Information Security Training should be carried out periodically for employees performing security duties as part of their job requirements.
AI Justification
The text requires periodic information security training with retained completion evidence, specialized training for staff with security duties, and employee acknowledgment of and consent to monitoring, which supports awareness and training policy and procedure requirements.
Document Content
Matched Section
Section: Subsection: 1.2 SYSTEM USE NOTIFICATION
Content: For Windows network authentication, the system use notification banner should describe privacy expectations, monitoring activities, and any applicable laws, regulations, and company policy compliance requirements. Where it is not possible to display these messages, the Company should actively monitor for appropriate and legitimate usage of the asset.
AI Justification
The matched text specifies what the system use notification banner should contain and requires active monitoring where a banner cannot be displayed, which aligns with the control's intent. The user acknowledgment requirement is a separate policy statement in the same subsection and is not in this chunk.
Document Content
Matched Section
Section: Subsection: 1.2 SYSTEM USE NOTIFICATION
Content: The system use notification should be acknowledged by all users prior to authenticating onto the Company network.
AI Justification
The acknowledgment requirement for users prior to authentication directly relates to the control's focus on ensuring users are informed of system use notifications.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B92 | Sub Subsection: C. Strictly Prohibited Use(s): ii | section: c. Internet Use Restrictions
Content: Visiting sites by “hacking” or other means, where access is restricted by the site owner or prohibited by applicable law.
AI Justification
The text prohibits visiting sites by hacking or other means where access is restricted by the site owner or by law. It restricts unauthorized access to external resources; it does not address posting nonpublic information, which is the subject of a separate policy statement.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B93 | Sub Subsection: C. Strictly Prohibited Use(s): ii | section: c. Internet Use Restrictions
Content: Posting the Company information on public Internet sites such as system configurations, details of products or vendors utilized by the Company, personally identifiable information (PII)
AI Justification
The text emphasizes the prohibition of posting sensitive company information on public internet sites, which is a key aspect of controlling access to nonpublic information.
Document Content
Matched Section
Section: Subsection: 1.7 INFORMATION SECURITY EDUCATION & TRAINING
Content: Periodic Information Security Training will be provided to employees and evidence of training completion will be maintained. Training materials are prepared by Information Security Management.
AI Justification
The text requires periodic information security training and retention of completion evidence. It does not state that training content is determined by assigned roles; role-based content is only implied by the policy's separate requirement for specialized training of employees with security duties, so this is partial evidence for the control.
Document Content
Matched Section
Section: Information Security Awareness training for employees
Content: The following topics in Information Security Awareness training for employees could include, but are not limited to: Information Security Policies and Procedures, Password and User ID Practices, Social Engineering (e.g. Spear phishing), Internet Access Guidelines, Email Usage Guidelines, Whom to Contact for Additional Information, Information Classification Guidelines, Monitoring Policies, Overview of the Company’s Information Security Function, Reporting Security Incidents & Weaknesses and Legal Responsibilities. Information Security Awareness Training may also include materials such as brochures, bulletins, emails, posters, informal presentations, and formal training classes.
AI Justification
The chunk discusses various topics included in Information Security Awareness training for employees, which aligns with the requirement for organizations to provide literacy training to system users.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) | Sub Subsection: C. Strictly Prohibited Use(s)
Content: Posting the Company information on public Internet sites such as system configurations, details of products or vendors utilized by the Company, personally identifiable information (PII)
AI Justification
The policy explicitly prohibits posting company information, including personally identifiable information (PII), on public Internet sites, which aligns with the control's focus on preventing unauthorized disclosure of information.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B115 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l
Content: Policy Statement: Something you know – the employee’s username and password.
AI Justification
The policy statement defines the “something you know” factor of MFA. It evidences an authentication requirement rather than an access control policy governing access between users and systems, so it is only indirect evidence for this control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B116 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l
Content: Policy Statement: Something you have – a device or access token.
AI Justification
The policy statement defines the “something you have” factor of MFA. It evidences an authentication requirement rather than an access control policy governing access between users and systems, so it is only indirect evidence for this control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B117 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l
Content: Policy Statement: Something you are – verified by a biometric device.
AI Justification
The policy statement defines the “something you are” factor of MFA. It evidences an authentication requirement rather than an access control policy governing access between users and systems, so it is only indirect evidence for this control.
Document Content
Matched Section
Section: Ensure that conflicting functions such as data entry, computer operations, network management, business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
Content: Ensure that conflicting functions such as data entry, computer operations, network management, business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The matched text is a separation-of-duties requirement. It does not address assessment, authorization or monitoring policy and procedures, so it does not evidence this control; it is relevant to separation of duties instead.
Document Content
Matched Section
Section: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text emphasizes the need for employees to complete Security Awareness Training, which aligns with the control's focus on training personnel to recognize and respond to security risks.
Document Content
Matched Section
Section: The technical and organizational controls define minimum requirements for securing assets.
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text states that the controls are minimum requirements and allows divisions and functions to implement stronger ones. It is a general policy statement, not a configuration management policy or procedure, so it is weak evidence for this control.
Document Content
Matched Section
Section: Contingency Planning Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, the Company's policy exception process should be followed and applied.
AI Justification
The text establishes minimum security requirements, allows stronger measures, and routes weaker ones through the policy exception process. It does not address contingency planning, so it does not evidence this control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: Installation of Software on User’s device. User agrees to install required software on his/her device, including but not limited to, antivirus/antimalware, operating system upgrades, and software that accesses and collects data stored in a Company-managed application.
AI Justification
The Acceptable Use Standard requires users to install Company-required software (antivirus/antimalware, operating system upgrades and data-access software) on their devices. This addresses required software rather than restricting what users may install themselves; the standard's separate prohibition on removing or disabling Company-installed software is the closer match for governing user-installed software.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: User agrees not to remove, disable, or in any way interfere with the Company installed software.
AI Justification
The policy statement regarding not removing or disabling company-installed software directly supports the control's intent to maintain oversight over software installations.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: Multi-Factor Authentication (MFA) is required to access the Company network, any internet-facing applications and certain sensitive and business-critical Company systems.
AI Justification
The text requires MFA for network, internet-facing application and sensitive system access. It is an authentication requirement and does not describe alternative security mechanisms for use when primary safeguards are unavailable, so it does not evidence this control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: o. Multi-Factor Authentication (MFA) is required to access the Company network, any internet-facing applications and certain sensitive and business-critical Company systems.
AI Justification
The text requires MFA for network, internet-facing application and sensitive system access. The chunk does not mention lockout after failed attempts (that is a separate policy statement), and a fixed MFA requirement is not adaptive authentication that responds to impersonation risk, so this is weak evidence for this control.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B125
Content: Policy Statement: n. Users should be aware that the Company systems will lockout users after the threshold for invalid access attempts has been reached. The general threshold is set to five failed attempts but may be set lower depending on specific system requirements.
AI Justification
The text describes account lockout after a threshold of failed attempts. Lockout blocks further attempts; it is not a requirement for users to re-authenticate after a defined event, so it does not evidence IA-11. It aligns with limiting unsuccessful logon attempts instead.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126
Content: Policy Statement: o. Multi-Factor Authentication (MFA) is required to access the Company network, any internet-facing applications and certain sensitive and business-critical Company systems.
AI Justification
The MFA requirement governs initial authentication to the network and to sensitive systems. It does not specify circumstances in which users must re-authenticate, so it is weak evidence for this control.
Document Content
Matched Section
Section: Subsection: 1.5 ROLES & RESPONSIBILITIES
Content: Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The text assigns creation of network and application login IDs and administration of permissions, which supports unique identification of organizational users; it does not itself specify how those users are authenticated.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B114 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login:
AI Justification
The text recommends MFA where available to augment credential security. MFA is an authentication requirement; the chunk does not describe identity proofing (verifying a person's identity before a credential is issued), so it does not evidence this control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B129 | Sub Subsection: E. Bring Your Own Device
Content: Mandatory security controls and safeguards have been identified by the Company for managing security for personally owned devices registered, provisioned, and authorized to connect to the Company’s network.
AI Justification
The chunk discusses managing security for personally owned devices, which relates to the identification and management of devices connecting to the network.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: k. Passwords should not be inserted into email messages, help desk tickets, change requests or any other form of electronic communication. Policy Statement: If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login:
AI Justification
The chunk discusses the management and security of passwords and the use of Multi-Factor Authentication (MFA), which aligns with the requirements for authenticators.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B114 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: Policy Statement: If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login:
AI Justification
The recommendation to use MFA where available supports the requirement to authenticate users before they are granted access to systems; the chunk does not state which users or systems it applies to.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: o. Multi-Factor Authentication (MFA) is required to access the Company network, any internet-facing applications and certain sensitive and business-critical Company systems.
AI Justification
The text requires MFA for network, internet-facing application and sensitive system access. The chunk does not mention lockout, and it does not distinguish organizational from non-organizational users, so it is weak evidence for identifying and authenticating non-organizational users.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B115 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l
Content: Policy Statement: Something you know – the employee’s username and password.
AI Justification
The policy statement defines the “something you know” factor of MFA within the Acceptable Use Standard. It shows that identification and authentication requirements exist in policy, but it does not by itself evidence a policy and procedures document for this control family.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B116 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l
Content: Policy Statement: Something you have – a device or access token.
AI Justification
The policy statement defines the “something you have” factor of MFA within the Acceptable Use Standard. It shows that identification and authentication requirements exist in policy, but it does not by itself evidence a policy and procedures document for this control family.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B117 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l
Content: Policy Statement: Something you are – verified by a biometric device.
AI Justification
The policy statement defines the “something you are” factor of MFA within the Acceptable Use Standard. It shows that identification and authentication requirements exist in policy, but it does not by itself evidence a policy and procedures document for this control family.
Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, the Company's policy exception process should be followed and applied.
AI Justification
The text describes the policy exception process for implementing a lower protection level. It does not address incident response, so it does not evidence incident response policy and procedures.
Document Content
Matched Section
Section: Subsection: 1.4 CONTACT WITH AUTHORITIES
Content: Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner.
AI Justification
The policy outlines procedures for reporting incidents to authorities, which aligns with the requirement for timely reporting and designated reporting authorities.
Document Content
Matched Section
Section: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content: Are responsible for understanding their responsibilities as they pertain to the maintenance and approval of the firm’s security policies.
AI Justification
The text discusses the importance of maintenance policies and procedures in relation to security and privacy assurance, which aligns with the control's focus on establishing such policies.
Document Content
Matched Section
Section: Media Protection Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for media protection, including the ability to define and implement security requirements and mechanisms, which aligns with the control's focus on media protection policies.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B126 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: o. Multi-Factor Authentication (MFA) is required to access the Company network, any internet-facing applications and certain sensitive and business-critical Company systems.
AI Justification
The policy statement regarding Multi-Factor Authentication (MFA) aligns with the requirements for strong authentication techniques mentioned in MA-4.
Document Content
Matched Section
Section: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content: Are responsible for understanding their responsibilities as they pertain to the maintenance and approval of the firm’s security policies.
AI Justification
The text discusses the importance of security policies and procedures, which aligns with the need for physical and environmental protection policies.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B131 | Sub Subsection: E. Bring Your Own Device
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Company-managed application.
AI Justification
The policy statement allows designated staff to remotely wipe or remove all data from personal devices, which aligns with the media sanitization process described in control MP-6.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: At no time is the user permitted to store any Company data on a cloud-based storage server that is not approved for use.
AI Justification
The chunk discusses acceptable use and rules of behavior regarding the storage of company data, which aligns with the control's focus on managing and protecting media.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B37
Content: The following activities are acceptable to be performed using the Company IT resources and information systems, to include removable media.
AI Justification
The mention of acceptable use of removable media aligns with the control's emphasis on managing physical and digital media securely.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B40 | Sub Subsection: A. Acceptable Use | Sub Sub Subsection: i | section: c
Content: Policy Statement: Data processing using the Company-authorized encrypted removable media (USB drives, external hard drives).
AI Justification
The policy mentions the use of Company-authorized encrypted removable media, which aligns with the control's focus on managing access to digital media.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B41 | Sub Subsection: A. Acceptable Use | Sub Sub Subsection: i | section: d
Content: Policy Statement: NOTE: Personally owned removable media is not authorized under the Company’s Bring Your Own Device (BYOD) Program but can be authorized through a request.
AI Justification
The note regarding personally owned removable media not being authorized aligns with the control's emphasis on restricting access to non-digital media.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: Data processing using the Company-authorized encrypted removable media (USB drives, external hard drives).
AI Justification
The chunk discusses the acceptable use of company-authorized encrypted removable media and the prohibition of personally owned removable media, which aligns with the restrictions on the use of certain types of media as outlined in MP-7.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: NOTE: Personally owned removable media is not authorized under the Company’s Bring Your Own Device (BYOD) Program but can be authorized through a request.
AI Justification
The note regarding the authorization of personally owned removable media through a request aligns with the control's emphasis on restricting the use of non-approved media.
Document Content
Matched Section
Section: Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of security requirements and mechanisms, including the process for policy exceptions, which aligns with the need for comprehensive security and privacy plans that address requirements and controls.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B99 | Sub Subsection: C. Strictly Prohibited Use(s): | Sub Sub Subsection: ii | section: c. Internet Use Restrictions
Content: NOTE: The above restrictions are not an exhaustive list of unacceptable uses of the Company’s Systems and equipment. It is the responsibility of every user to seek guidance from a manager or Information Security Team when in doubt.
AI Justification
The text discusses the importance of planning policies and procedures for security and privacy programs, which aligns with the control's focus on establishing such policies and procedures.
Document Content
Matched Section
Section: Policy Number: 3.0 Information Security Policy | Subsection: 1.2 ROLES & RESPONSIBILITIES | Sub Subsection: CISO
Content: Is responsible for developing, maintaining, and socializing an annual set of cybersecurity goals for the organization. Is responsible for providing guidance at a strategic level on the organization’s cybersecurity program.
AI Justification
The responsibilities outlined for the CISO in developing and maintaining cybersecurity goals reflect the need for structured policies and procedures in the organization.
Document Content
Matched Section
Section: Protection Needs and Policy Exceptions
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for defining minimum requirements for securing assets and the ability to implement stronger or lower protection levels based on risk, which aligns with the concept of protection needs outlined in PM-11.
Document Content
Matched Section
Section: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The chunk discusses the importance of ensuring that employees complete Security Awareness Training and monitor compliance with security policies, which aligns with the need for organization-wide security and privacy training and monitoring.
Document Content
Matched Section
Section: Subsection: 1.2 ROLES & RESPONSIBILITIES
Content: Is responsible for providing direction for information security through approval and implementation of information security policies. Is responsible for approving information security policies. Is responsible for implementing the information security program or information security management system (ISMS). Is responsible for reviewing the status of the firm’s information security and setting direction for information security within the firm.
AI Justification
The text discusses the roles and responsibilities related to information security, including the direction and implementation of information security policies, which aligns with the role of a senior agency information security officer.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B115 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l | Policy Statement: Something you know – the employee’s username and password.
AI Justification
The text discusses rules of behavior for organizational users, which aligns with the control's focus on access agreements and user responsibilities.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B116 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l | Policy Statement: Something you have – a device or access token.
AI Justification
The section also emphasizes the importance of maintaining security while using organizational systems, which is a key aspect of the rules of behavior.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B117 | Sub Subsection: D. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets | Sub Sub Subsection: ii | section: l | Policy Statement: Something you are – verified by a biometric device.
AI Justification
The mention of biometric verification aligns with the control's focus on establishing rules of behavior for secure access.
Document Content
Matched Section
Section: Protection Strategies and Policy Exceptions
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the implementation of security requirements based on the prioritization of assets and the ability to adjust protection levels, which aligns with the concept of protection strategies based on critical assets.
Document Content
Matched Section
Section: Exit Interviews and Equipment Examination
Content: The IT Department should examine any computing or communications equipment issued to or used by terminated employees to ensure that all internal information is retrieved or destroyed from the device prior to reuse of the device or issuance to another employee.
AI Justification
The text discusses the examination of computing or communications equipment issued to terminated employees, which aligns with ensuring accountability for system-related property.
Document Content
Matched Section
Section: Procedures for personnel transfer and access management
Content: For employees who transfer and/or no longer require access, these procedures should be accomplished within ten (10) days of notification.
AI Justification
The text discusses the procedures for collecting company property and managing access for employees who transfer or no longer require access, which aligns with the requirements of personnel transfer.
Document Content
Matched Section
Section: Subsection: 1.5 ROLES & RESPONSIBILITIES
Content: HR, in consultation with the relevant department head or manager, should ensure that job descriptions include information security responsibilities, if applicable.
AI Justification
The chunk discusses the need for job descriptions to include information security responsibilities, which aligns with the specification of security and privacy roles.
Document Content
Matched Section
Section: Personnel Security Policy and Procedures
Content: Ensure that conflicting functions such as data entry, computer operations, network management, business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The text discusses the importance of personnel security policies and procedures, particularly in relation to ensuring that conflicting functions are not performed by the same individual, which is a key aspect of personnel security.
Document Content
Matched Section
Section: Security Awareness Training
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text emphasizes the need for employees to complete Security Awareness Training, which aligns with the requirement for ongoing security training and awareness.
Document Content
Matched Section
Section: Subsection: 1.3 BACKGROUND CHECKS
Content: Prior to employment with the Company, each prospective employee is asked to complete an employment application and is required to pass a drug screening. Also, an investigative background and credit check (if applicable) is conducted on all prospective employees, subject to applicable state and local law, to verify pertinent data provided on the employment application.
AI Justification
The policy outlines the requirement for background checks and verification of information provided by prospective employees, which aligns with the control's focus on personnel screening and rescreening activities.
Document Content
Matched Section
Section: Subsection: 1.8 DISCIPLINARY PROCESS
Content: There should be a formal disciplinary process for employees who violate the Company’s Information Security policies and procedures. Disciplinary action should be taken when there is appropriate evidence of a violation. The formal disciplinary process should provide for an appropriate management response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether it is a first or repeat offence, whether the violator was properly trained, relevant legislation, business contracts and other factors, as required.
AI Justification
The disciplinary process described aligns with the need for organizational sanctions that reflect applicable laws and policies, as it outlines formal actions for violations of information security policies.
Document Content
Matched Section
Section: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content: Are responsible for understanding their responsibilities as they pertain to the maintenance and approval of the firm’s security policies.
AI Justification
The text discusses the importance of policies and procedures related to security and privacy, which aligns with the control's focus on processing and transparency of personally identifiable information.
Document Content
Matched Section
Section: Policy Number: 2.0 IS Acceptable Use Policy | Subsection: 1.3 ACCEPTABLE USE
Content: Upon use of the Company’s Systems, be it directly or indirectly, the user consents to the following: The private use of the Company’s Systems is prohibited.
AI Justification
The text discusses the concept of user consent when using the Company's Systems, aligning with the principles of consent management outlined in control PT-4.
Document Content
Matched Section
Section: Risk Assessment Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for risk assessment, including the need for collaboration between security and privacy programs, which aligns with the requirements of RA-1.
Document Content
Matched Section
Section: Technical and Organizational Controls
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the ability of divisions to define and implement security requirements based on risk, which aligns with the principles of criticality analysis and risk management outlined in RA-9.
Document Content
Matched Section
Section: Risk Response and Exception Handling
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the organization's approach to defining minimum security requirements and the process for requesting exceptions, which aligns with the risk response options outlined in RA-7.
Document Content
Matched Section
Section: System and services acquisition policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures in defining security requirements and addressing exceptions, which aligns with the control's focus on acquisition policies and procedures.
Document Content
Matched Section
Section: Information Security Awareness training for employees
Content: The following topics in Information Security Awareness training for employees could include, but are not limited to: Information Security Policies and Procedures, Password and User ID Practices, Social Engineering (e.g. spear phishing), Internet Access Guidelines, Email Usage Guidelines, Whom to Contact for Additional Information, Information Classification Guidelines, Monitoring Policies, Overview of the Company’s Information Security Function, Reporting Security Incidents & Weaknesses, and Legal Responsibilities. Information Security Awareness Training may also include materials such as brochures, bulletins, emails, posters, informal presentations, and formal training classes.
AI Justification
The chunk discusses various topics included in Information Security Awareness training, which aligns with the requirement for training personnel to ensure the effectiveness of controls.
Document Content
Matched Section
Section: System and communications protection policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of defining and implementing security policies and procedures, including the process for requesting exceptions, which aligns with the requirements of SC-1.
Document Content
Matched Section
Section: Technical and Organizational Controls
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The chunk discusses the definition and implementation of security requirements and mechanisms, which aligns with the derivation of security and privacy functional requirements.
Document Content
Matched Section
Section: Technical and Organizational Controls
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The chunk implies the need for security requirements to be defined and implemented, which relates to the high-level security and privacy requirements described in SA-2.
Document Content
Matched Section
Section: Subsection: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY | Sub Subsection: VII | Sub Sub Subsection: h
Content: IS Cryptography – Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
AI Justification
The section discusses the establishment of controls for the proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information, which aligns with the requirements of SC-13.
Document Content
Matched Section
Section: Ensure that conflicting functions such as data entry, computer operations, network management business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
Content: Ensure that conflicting functions such as data entry, computer operations, network management business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The text emphasizes the importance of ensuring that conflicting functions are not carried out by the same person, which aligns with the principle of separation of duties to mitigate risks.
Document Content
Matched Section
Section: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The requirement for employees to complete a Security Awareness Training refresher aligns with the need for ongoing security awareness and training programs.
Document Content
Matched Section
Section: Subsection: 1.4 SECURITY & PROPRIETARY INFORMATION
Content: All mobile and computing devices that connect to the internal network should comply with the Access Control Policy.
AI Justification
The chunk discusses the use of mobile and computing devices that connect to the internal network, which relates to the management and security of mobile code.
Document Content
Matched Section
Section: Ensure that conflicting functions such as data entry, computer operations, network management business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
Content: Ensure that conflicting functions such as data entry, computer operations, network management business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The chunk discusses the separation of conflicting functions to prevent unauthorized access and ensure proper management of system functions, aligning with the principles of SC-2.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) +B115, +B116, +B117
Content: Policy Statement: Something you know – the employee’s username and password. Policy Statement: Something you have – a device or access token. Policy Statement: Something you are – verified by a biometric device.
AI Justification
The chunk discusses maintaining security while using organizationally owned and managed information systems, which relates to the management of security and privacy attributes.
Document Content
Matched Section
Section: The technical and organizational controls define minimum requirements for securing assets.
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the ability of divisions to define and implement stronger security requirements, which aligns with the need for additional strength of mechanism for domain separation and policy enforcement.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: Attempting to breach, bypass, or disrupt the Company systems and network communications and security protections (ports, protocols, and services).
AI Justification
The policy explicitly outlines restrictions on network account usage and the prohibition of unauthorized devices, which aligns with the control's focus on usage restrictions for system components.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Policy Statement: Attaching removable media, computers, network devices, and/or other components not issued and managed by the Company.
AI Justification
The policy also mentions restrictions on attaching removable media and other components not managed by the company, reinforcing the control's emphasis on authorized system use.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) | Sub Subsection: C. Strictly Prohibited Use(s): | Sub Sub Subsection: ii | section: c. Internet Use Restrictions
Content: Using the Company’s Internet to deliberately propagate any virus, worm, or any other code with malicious intent such as spyware, hacking tools, and Trojans.
AI Justification
The policy statements regarding the use of the internet and restrictions on malicious code align with the need for managed interfaces and boundary protection to prevent unauthorized access and protect the network.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) | Sub Subsection: C. Strictly Prohibited Use(s): | Sub Sub Subsection: ii | section: c. Internet Use Restrictions
Content: Using high bandwidth streaming media applications such as Google Music, YouTube Music, Netflix, Hulu, or internet radio, etc. unless required for a valid business purpose.
AI Justification
The restriction on high bandwidth streaming media applications unless required for a valid business purpose supports the control's intent to manage and restrict internet usage to protect the network.
Document Content
Matched Section
Section: Supply Chain Risk Management Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for managing supply chain risks, including the need for collaboration between security and privacy programs.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB) | Sub Subsection: E. Bring Your Own Device
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a the Company managed application.
AI Justification
The policy statement allows designated staff to remotely wipe or remove all data from personal devices, which aligns with the control's emphasis on data disposal at any time during the system development life cycle.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) | section: b. Email Communication Restrictions
Content: Using personal email accounts for exchanging information with clients or for conducting business on behalf of the Company. Personal commercial email accounts including but not limited to POP3 and IMAP accounts under Yahoo, Gmail Microsoft Outlook (aka Hotmail), ProtonMail, AOL, Zoho Mail, iCloud Mail, Global Mail eXchange(GMX), and Hey Mail.
AI Justification
The policy explicitly restricts the use of personal email accounts and the company email systems for non-business purposes, which aligns with the need for spam protection mechanisms.
Document Content
Matched Section
Section: Subsection: 1.3 RULES OF BEHAVIOR (ROB) | section: b. Email Communication Restrictions
Content: Using the Company email systems for solicitation or distribution of non-business material unless required for a valid business or by the Company approved purpose.
AI Justification
The policy restricts the use of the Company email systems for solicitation or distribution of non-business material, which is relevant to spam protection.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a the Company managed application.
AI Justification
The policy statements indicate that monitoring of devices and data is permitted, which aligns with the need to prevent unauthorized changes and ensure integrity of information.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: Monitoring can be conducted live or through automated programs that detect and flag unsafe practices.
AI Justification
The mention of automated programs that detect and flag unsafe practices supports the integrity-checking mechanisms described in the control.
Document Content
Matched Section
Section: Policy Number: 2.1 Acceptable Use Standard | Subsection: 1.3 RULES OF BEHAVIOR (ROB)
Content: User may be asked and required to hand over his/her the Company managed device as part of an internal investigation.
AI Justification
The requirement for users to hand over devices for internal investigations relates to ensuring the integrity of the devices and the information they contain.
Demo_IT_Issues_List.xlsx NIST
36 matches found
Document Content
Matched Section
Section: Issue ID: 29 | Issue Name: Phishing Vulnerability
Content: Employees who lack awareness of phishing scams may inadvertently disclose credentials or install malicious software.
AI Justification
The chunk discusses the importance of awareness and training regarding security threats, specifically mentioning phishing vulnerabilities which relate directly to the need for training policies.
Document Content
Matched Section
Section: Issue ID: 58 | Issue Name: Inadequate Logging and Monitoring
Content: Issue ID: 58 | Issue Name: Inadequate Logging and Monitoring | Issue Description: Failing to log or monitor critical systems impedes the ability to detect and respond to security incidents promptly.
AI Justification
The chunk discusses inadequate logging and monitoring, which directly relates to the need for audit record review and analysis to detect security incidents.
Document Content
Matched Section
Section: Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions.
Content: Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions.
AI Justification
The text discusses the importance of continuous monitoring for maintaining security posture and making risk management decisions, which aligns directly with control CA-7.
Document Content
Matched Section
Section: Inadequate Logging and Monitoring
Content: Issue ID: 78 | Issue Name: Inadequate Logging and Monitoring | Issue Description: Failing to log or monitor critical systems impedes the ability to detect and respond to security incidents promptly.
AI Justification
The mention of inadequate logging and monitoring in the issue description aligns with the need for effective logging and monitoring as part of security controls.
Document Content
Matched Section
Section: Assessment, authorization, and monitoring policy and procedures
Content: Control: CA-1: Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures.
AI Justification
The text discusses the importance of assessment, authorization, and monitoring policies and procedures, which aligns directly with control CA-1.
Document Content
Matched Section
Section: Inadequate Logging and Monitoring
Content: Issue ID: 78 | Issue Name: Inadequate Logging and Monitoring | Issue Description: Failing to log or monitor critical systems impedes the ability to detect and respond to security incidents promptly.
AI Justification
The mention of logging and monitoring critical systems relates to the need for audit events to be recorded for security incident detection.
Document Content
Matched Section
Section: Outdated Legacy Systems
Content: Issue ID: 80 | Issue Name: Outdated Legacy Systems | Issue Description: Reliance on unsupported legacy systems exposes the organization to unpatchable vulnerabilities and operational inefficiencies.
AI Justification
The reference to outdated legacy systems highlights the need for policies addressing system vulnerabilities and operational efficiencies.
Document Content
Matched Section
Section: Contingency planning policy and procedures
Content: Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of contingency planning policies and procedures, which aligns directly with control CP-1.
Document Content
Matched Section
Section: Lack of Incident Response Plan
Content: Without a documented incident response plan, organizations may struggle to contain and mitigate cyber incidents effectively.
AI Justification
The mention of the need for an incident response plan aligns with control IR-1, which focuses on establishing policies and procedures for incident response.
Document Content
Matched Section
Section: Issue ID: 25 | Issue Name: Lack of Multi-Factor Authentication
Content: Issue ID: 25 | Issue Name: Lack of Multi-Factor Authentication | Issue Description: Failing to implement multi-factor authentication increases susceptibility to phishing attacks and unauthorized access to critical systems.
AI Justification
The chunk discusses the importance of implementing multi-factor authentication and monitoring for suspicious behavior, which aligns with the need for adaptive authentication mechanisms to enhance security.
Document Content
Matched Section
Section: Issue Name: Weak Password Policies
Content: Weak or inconsistent password policies expose systems to unauthorized access, increasing the likelihood of compromised accounts.
AI Justification
The chunk discusses weak password policies which directly relate to the management and security of authenticators, as weak passwords can lead to unauthorized access.
Document Content
Matched Section
Section: Incident Response Policy and Procedures
Content: Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of having an incident response policy and procedures, which aligns directly with control IR-1.
Document Content
Matched Section
Section: Issue Name: Shadow IT
Content: Employees using unauthorized software or hardware can create security blind spots, increasing risks of data leaks and regulatory non-compliance.
AI Justification
The chunk discusses unauthorized software and hardware usage, which relates to the identification and authentication of users accessing systems, particularly non-organizational users.
Document Content
Matched Section
Section: Issue Name: Lack of Multi-Factor Authentication
Content: Failing to implement multi-factor authentication increases susceptibility to phishing attacks and unauthorized access to critical systems.
AI Justification
The mention of unauthorized access and the need for proper identification and authentication aligns with the requirements for organizational users as well.
Document Content
Matched Section
Section: Lack of Incident Response Plan
Content: Without a documented incident response plan, organizations may struggle to contain and mitigate cyber incidents effectively.
AI Justification
The chunk discusses the importance of having an incident response plan and the consequences of lacking one, which aligns with the control's focus on incident response capabilities.
Document Content
Matched Section
Section: Issue ID: 98 | Issue Name: Inadequate Logging and Monitoring
Content: Issue ID: 98 | Issue Name: Inadequate Logging and Monitoring | Issue Description: Failing to log or monitor critical systems impedes the ability to detect and respond to security incidents promptly.
AI Justification
The chunk discusses various issues related to security incidents, including inadequate logging and monitoring, which aligns with the need to document and evaluate incidents.
Document Content
Matched Section
Section: Issue ID: 65 | Issue Name: Lack of Multi-Factor Authentication
Content: Issue ID: 65 | Issue Name: Lack of Multi-Factor Authentication | Issue Description: Failing to implement multi-factor authentication increases susceptibility to phishing attacks and unauthorized access to critical systems.
AI Justification
The chunk discusses the lack of multi-factor authentication, which directly relates to the requirements for strong authentication techniques outlined in IA-2.
Document Content
Matched Section
Section: Control: MA-4: Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network.
Content: Control: MA-4: Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network.
AI Justification
The control MA-4 is directly referenced in the context of maintenance and diagnostic activities, emphasizing the need for strong authentication in nonlocal sessions.
Document Content
Matched Section
Section: Insider Threats
Content: Lack of monitoring for insider threats increases the risk of sensitive data being deliberately or accidentally exposed by employees or contractors.
AI Justification
The chunk discusses the risks associated with insider threats and the need for monitoring, which aligns with the requirements of establishing an insider threat program as outlined in control PM-12.
Document Content
Matched Section
Section: Phishing Vulnerability
Content: Employees who lack awareness of phishing scams may inadvertently disclose credentials or install malicious software.
AI Justification
The chunk discusses the importance of employee awareness and training regarding phishing scams, which aligns with the need for security and privacy training activities.
Document Content
Matched Section
Section: Continuous Monitoring
Content: Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions.
AI Justification
The text discusses the importance of continuous monitoring for assessing and managing risks, which aligns with the CA-7 control.
Document Content
Matched Section
Section: Inadequate Logging and Monitoring
Content: Failing to log or monitor critical systems impedes the ability to detect and respond to security incidents promptly.
AI Justification
The mention of inadequate logging and monitoring directly relates to the AU-13 control, which focuses on the need for effective logging and monitoring of systems.
Document Content
Matched Section
Section: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including scanning for patch levels and identifying potential vulnerabilities in systems, which aligns with the requirements of RA-5.
Document Content
Matched Section
Section: Support for system components
Content: Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components.
AI Justification
The text discusses the importance of maintaining system components through patches, updates, and support, which aligns with the control's focus on ensuring continued support for system components.
Document Content
Matched Section
Section: Poor Patch Management
Content: Delayed or inconsistent application of security patches creates vulnerabilities that attackers can exploit.
AI Justification
The mention of poor patch management directly relates to the need for timely application of security patches to mitigate vulnerabilities.
Document Content
Matched Section
Section: Issue ID: 4 | Issue Name: Outdated Encryption Protocols
Content: Issue ID: 4 | Issue Name: Outdated Encryption Protocols | Issue Description: Using deprecated encryption algorithms, such as MD5 or SHA-1, can lead to data interception and non-compliance with industry standards.
AI Justification
The chunk flags deprecated algorithms, which bears directly on the control's requirement to use approved cryptography for protecting information. Note that MD5 and SHA-1 are hash functions rather than encryption ciphers; both are broken for collision resistance and disallowed for new signatures, so the issue belongs under this control regardless of the wording in the source document.
Document Content
Matched Section
Section: Issue Name: Poor Network Segmentation
Content: Poor Network Segmentation | Issue Description: Lack of proper segmentation increases the risk of lateral movement by attackers within the network.
AI Justification
The text describes how poor segmentation lets an attacker move laterally once inside the network; impeding and detecting that movement is what the control's monitoring and detection capabilities are meant to provide.
Document Content
Matched Section
Section: Issue Name: Inadequate Logging and Monitoring
Content: Inadequate Logging and Monitoring | Issue Description: Failing to log or monitor critical systems impedes the ability to detect and respond to security incidents promptly.
AI Justification
The issue of inadequate logging and monitoring directly relates to the organization's ability to detect lateral movement and exfiltration attempts, which is a key aspect of control SC-48.
Document Content
Matched Section
Section: Issue Name: Data Retention Policy Violations
Content: Issue Description: Non-compliance with data retention policies can result in excessive data storage costs or fines for retaining data longer than allowed.
AI Justification
The chunk discusses non-compliance with data retention policies, which directly relates to the importance of retaining information only for the necessary period to minimize risks.
Document Content
Matched Section
Section: Issue ID: 18 | Issue Name: Inadequate Logging and Monitoring
Content: Issue ID: 18 | Issue Name: Inadequate Logging and Monitoring | Issue Description: Failing to log or monitor critical systems impedes the ability to detect and respond to security incidents promptly.
AI Justification
The chunk discusses issues related to inadequate logging and monitoring, which directly aligns with the objectives of system monitoring as outlined in control SI-4.
Document Content
Matched Section
Section: Issue ID: 81 | Issue Name: Unpatched Systems
Content: Issue Description: Systems running outdated software without recent security patches are vulnerable to exploits, increasing the risk of cyberattacks and data breaches.
AI Justification
The chunk describes systems left on outdated software with known, exploitable flaws; that residual exposure is what the control's concern with software integrity and unauthorized change is meant to address.
Document Content
Matched Section
Section: Issue Description
Content: Connecting unsecured IoT devices to the corporate network can create entry points for attackers to access sensitive systems. Inadequate vetting or monitoring of third-party vendors can result in data breaches or non-compliance due to shared responsibility gaps.
AI Justification
Unsecured IoT devices and poorly vetted vendors both introduce components whose flaws the organization typically learns of through external security alerts and advisories, which is the situational awareness this control requires the organization to maintain and act on.
Document Content
Matched Section
Section: Control: SI-2
Content: The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities.
AI Justification
The text discusses the importance of addressing software flaws and vulnerabilities, which aligns with the control's focus on identifying and remediating system flaws.
Document Content
Matched Section
Section: Control: SI-2
Content: Security-relevant updates include patches, service packs, and malicious code signatures.
AI Justification
The mention of malicious code signatures and the need for updates aligns with the control's focus on protecting against malicious code.
Document Content
Matched Section
Section: Control: SI-2
Content: By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.
AI Justification
The text emphasizes the incorporation of flaw remediation into configuration management processes, which aligns with the control's focus on managing changes to systems.
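The SI-2 matches above (identify affected systems, apply security-relevant updates within a defined period, track and verify remediation through configuration management) describe a process rather than a mechanism. As an added example, not code from the assessment report or from the demo workbooks it analyzes, the following tracker shows what "tracked and verified" looks like in practice: a software inventory is compared against an advisory list and each unremediated flaw is given an SLA deadline. The inventory, the advisories, their identifiers and dates, and the SLA table are all constructed assumptions for illustration, not real advisories.

```python
"""Added example, not code from the assessment report or the demo
workbooks: a flaw-remediation tracker in the spirit of SI-2, run over a
constructed software inventory and a constructed advisory list. Package
names, versions, advisory identifiers, dates and the SLA table are all
assumptions for illustration, not real advisories."""
from datetime import date, timedelta

# Assumed organization-defined remediation windows, in days, by severity
# (SI-2's "within [organization-defined time period]").
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed assessment date so the example is reproducible offline.
TODAY = date(2025, 8, 19)

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01":   {"openssl": "3.0.7",  "nginx": "1.24.0"},
    "db-01":    {"openssl": "3.0.13", "postgresql": "15.4"},
    "build-01": {"openssl": "1.1.1t", "git": "2.39.2"},
}

# Constructed advisories. Simplification: every version below fixed_in is
# treated as affected; real advisories give explicit affected ranges.
ADVISORIES = [
    {"id": "ADV-2025-0001", "package": "openssl", "fixed_in": "3.0.13",
     "severity": "high",     "published": date(2025, 6, 1)},
    {"id": "ADV-2025-0002", "package": "git",     "fixed_in": "2.39.5",
     "severity": "critical", "published": date(2025, 8, 15)},
    {"id": "ADV-2025-0003", "package": "nginx",   "fixed_in": "1.26.0",
     "severity": "medium",   "published": date(2025, 7, 1)},
]


def parse_version(v):
    """Dotted versions compared numerically; a trailing letter ('1.1.1t') is dropped."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when a is older than b; shorter tuples are padded with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def assess(inventory, advisories, today):
    """One finding per (host, package, advisory) still below fixed_in.
    days_overdue is negative while the SLA clock is still running."""
    findings = []
    for host, packages in inventory.items():
        for pkg, installed in packages.items():
            for adv in advisories:
                if adv["package"] != pkg or not version_lt(installed, adv["fixed_in"]):
                    continue
                deadline = adv["published"] + timedelta(days=SLA_DAYS[adv["severity"]])
                findings.append({
                    "host": host, "package": pkg, "installed": installed,
                    "advisory": adv["id"], "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"], "deadline": deadline,
                    "days_overdue": (today - deadline).days,
                })
    return findings


def overdue(findings):
    """The subset whose remediation window has already expired."""
    return [f for f in findings if f["days_overdue"] > 0]


def hosts_by_advisory(findings):
    """Grouping a change-management ticket would be raised against."""
    out = {}
    for f in findings:
        out.setdefault(f["advisory"], []).append(f["host"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, TODAY):
        state = f"{f['days_overdue']}d overdue" if f["days_overdue"] > 0 else "within SLA"
        print(f"{f['host']:9} {f['package']:11} {f['installed']:7} -> {f['fixed_in']:7} "
              f"{f['advisory']} {f['severity']:8} {state}")
```

On the constructed data, the openssl advisory is 49 days past its 30-day window on two hosts, the git advisory on build-01 still has three days left, and the nginx finding is within its 90-day window. A version comparison this simple is deliberately conservative: the 1.1.1 build on build-01 is flagged against a 3.0.x advisory because nothing in the toy advisory says otherwise, which is the right failure mode when affected ranges are unknown.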
Document Content
Matched Section
Section: Issue ID: 16 | Issue Name: Third-Party Vendor Risks
Content: Issue ID: 16 | Issue Name: Third-Party Vendor Risks | Issue Description: Inadequate vetting or monitoring of third-party vendors can result in data breaches or non-compliance due to shared responsibility gaps.
AI Justification
The text discusses the risks associated with third-party vendors and the importance of managing those risks, which aligns with the control's focus on supply chain risks.
Demo_Risk_Register.xlsx NIST
38 matches found
Document Content
Matched Section
Section: Risk: Access or Privilege Misuse
Content: Unauthorized access or misuse of privileges can lead to data breaches or system compromise. This risk involves employees or external attackers gaining access to sensitive information or critical systems without proper authorization, potentially causing significant harm to the organization.
AI Justification
The chunk records the risk of unauthorized access and privilege misuse by insiders or external attackers; managing that risk is the purpose of AC-2, which requires the organization to identify authorized users, specify their access privileges, and manage the lifecycle of each account type.
Document Content
Matched Section
Section: Access control policy and procedures
Content: Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of access control policies and procedures in managing risks related to unauthorized access and privilege misuse.
Document Content
Matched Section
Section: Risk: Transmission Interception
Content: Risk: Transmission Interception | Status: In Development | Content ID: nan | Description: Interception of data during transmission involves attackers capturing data as it is being transmitted between systems. This can include eavesdropping on network traffic, man-in-the-middle attacks, or intercepting unencrypted communications.
AI Justification
The text discusses risks associated with data transmission and the potential for interception, which aligns with the principles of information flow control.
Document Content
Matched Section
Section: Risk: Access or Privilege Misuse
Content: Unauthorized access or misuse of privileges can lead to data breaches or system compromise. This risk involves employees or external attackers gaining access to sensitive information or critical systems without proper authorization, potentially causing significant harm to the organization.
AI Justification
The chunk discusses unauthorized access and misuse of privileges, which relates directly to the need for separation of duties to mitigate such risks.
Document Content
Matched Section
Section: Risk: Brute force
Content: Brute force attacks involve repeated attempts to guess passwords or encryption keys. Attackers use automated tools to try numerous combinations, potentially leading to unauthorized access if successful. This can compromise the security of accounts and systems.
AI Justification
The brute-force risk described here is precisely what AC-7 addresses: enforce a limit on consecutive unsuccessful logon attempts within an organization-defined period, and take an organization-defined action (such as locking the account or node, or delaying the next prompt) once that limit is exceeded.
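The brute-force risk above and the "Inadequate Logging and Monitoring" issue matched earlier under SI-4 are two sides of the same event stream: AC-7 is the enforcement a system applies per account, while SI-4 monitoring is what notices an attacker who stays under that limit. As an added example, not code from the assessment report or from the demo workbooks, the following applies an AC-7-style lockout to a constructed stream of logon events and then runs the monitoring view over the same events. The thresholds, account names, addresses and log lines are all assumptions chosen for illustration.

```python
"""Added example, not code from the assessment report or from the demo
workbooks it analyzes: an AC-7-style lockout applied to a constructed
stream of logon events, plus the SI-4-style detection view of the same
events. Thresholds, account names, addresses and log lines are all
assumptions chosen for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumed organization-defined AC-7 limit
WINDOW = timedelta(minutes=15)    # assumed AC-7 period for counting failures
LOCKOUT = timedelta(minutes=30)   # assumed organization-defined lock duration


class LogonGuard:
    """Enforces AC-7: MAX_FAILURES consecutive failures inside WINDOW lock the account."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> recent failure timestamps
        self._locked_until = {}              # account -> datetime the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Apply one attempt and return 'allowed', 'failed' or 'locked'.
        A correct password during a lock is still refused; that is the point."""
        if self.is_locked(account, now):
            return "locked"
        q = self._failures[account]
        if success:
            q.clear()                        # a success resets the consecutive count
            return "allowed"
        q.append(now)
        while q and now - q[0] > WINDOW:     # forget failures older than WINDOW
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT
            q.clear()
            return "locked"
        return "failed"


# Constructed sshd-style lines (not real logs). 203.0.113.5 hammers one
# account until it locks, then tries again after the lock expires;
# 198.51.100.7 sprays one guess across five different accounts.
SAMPLE_LOG = """\
2025-08-19T08:00:01 sshd[101]: Failed password for alice from 203.0.113.5
2025-08-19T08:00:04 sshd[101]: Failed password for alice from 203.0.113.5
2025-08-19T08:00:07 sshd[101]: Failed password for alice from 203.0.113.5
2025-08-19T08:00:10 sshd[101]: Failed password for alice from 203.0.113.5
2025-08-19T08:00:13 sshd[101]: Failed password for alice from 203.0.113.5
2025-08-19T08:00:20 sshd[101]: Accepted password for alice from 203.0.113.5
2025-08-19T08:05:00 sshd[102]: Failed password for bob from 198.51.100.7
2025-08-19T08:05:02 sshd[102]: Failed password for carol from 198.51.100.7
2025-08-19T08:05:04 sshd[102]: Failed password for dave from 198.51.100.7
2025-08-19T08:05:06 sshd[102]: Failed password for erin from 198.51.100.7
2025-08-19T08:05:08 sshd[102]: Failed password for frank from 198.51.100.7
2025-08-19T08:06:00 sshd[103]: Accepted password for bob from 192.0.2.10
2025-08-19T08:31:00 sshd[104]: Accepted password for alice from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(log_text):
    """Return [(timestamp, account, source_ip, success), ...] for recognised lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:   # lines in any other format are ignored, not guessed at
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(3), m.group(4), m.group(2) == "Accepted"))
    return events


def replay(log_text):
    """Run the AC-7 policy over the log; returns [(account, outcome), ...]."""
    guard = LogonGuard()
    return [(acct, guard.record(acct, ok, ts)) for ts, acct, _ip, ok in parse(log_text)]


def brute_force_sources(log_text, threshold=MAX_FAILURES, window=WINDOW):
    """SI-4 view: source addresses with >= threshold failures inside one window,
    counted across all accounts. Password spraying shows up here even though
    no single account ever reaches the AC-7 limit."""
    by_ip = defaultdict(list)
    for ts, _acct, ip, ok in parse(log_text):
        if not ok:
            by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    for acct, outcome in replay(SAMPLE_LOG):
        print(f"{acct:8} {outcome}")
    print("brute-force sources:", sorted(brute_force_sources(SAMPLE_LOG)))
```

Two details matter for the control mapping. The sixth attempt against alice carries the correct password and is still refused because the lock is in force, which is the behaviour AC-7 asks for. The spraying source never trips the per-account limit (one failure per account), so only the SI-4 view flags it; an organization that relies on lockout alone and does not log and review failures across accounts has exactly the gap the issue list records.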
Document Content
Matched Section
Section: Risk: Access or Privilege Misuse
Content: Unauthorized access or misuse of privileges can lead to data breaches or system compromise. This risk involves employees or external attackers gaining access to sensitive information or critical systems without proper authorization, potentially causing significant harm to the organization.
AI Justification
The chunk discusses unauthorized access and misuse of privileges, which directly relates to access control policies that enforce authorized access.
Document Content
Matched Section
Section: Risk: Brute force
Content: Brute force attacks involve repeated attempts to guess passwords or encryption keys. Attackers use automated tools to try numerous combinations, potentially leading to unauthorized access if successful. This can compromise the security of accounts and systems.
AI Justification
The mention of brute force attacks highlights the need for access control mechanisms to prevent unauthorized access attempts.
Document Content
Matched Section
Section: Risk: Third and fourth-party vendors and Risk: Transmission Interception
Content: Risks associated with third-party vendors and their security practices. This includes the potential for vendors to introduce vulnerabilities, fail to comply with security standards, or experience breaches that affect the organization. Interception of data during transmission involves attackers capturing data as it is being transmitted between systems. This can include eavesdropping on network traffic, man-in-the-middle attacks, or intercepting unencrypted communications.
AI Justification
The chunk discusses risks associated with third-party vendors and data transmission, which aligns with the need for controls regarding system information exchanges and the associated risks.
Document Content
Matched Section
Section: Risk: Misconfiguration
Content: Risk: Misconfiguration | Status: In Development | Content ID: nan | Description: Misconfiguration involves incorrect configuration of systems, leading to vulnerabilities or operational issues. This can include open ports, default passwords, or improper access controls, making it easier for attackers to exploit the system.
AI Justification
The chunk discusses misconfiguration and its implications, which directly relates to the control's focus on configuration settings that affect security and privacy.
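The register names three misconfiguration patterns (open ports, default passwords, improper access controls); the control it maps to is satisfied by comparing live settings against a documented baseline, not by the register entry itself. As an added example, not code from the assessment report or from the demo workbooks, the following audit checks a constructed host snapshot against a constructed baseline for exactly those three patterns. The ports, settings, accounts, file paths and the default-credential list are assumptions for illustration.

```python
"""Added example, not code from the assessment report or the demo
workbooks: a configuration audit in the spirit of CM-6, comparing a
constructed host snapshot against a constructed baseline for the
misconfiguration patterns the risk register names (open ports, default
passwords, improper access controls). Ports, settings, accounts, paths
and the default-credential list are assumptions for illustration."""
import hashlib

BASELINE = {
    "allowed_ports": {22, 443},
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "db.require_ssl": "on",
    },
    # Files that must not be readable by "others".
    "restricted_files": {"/etc/shadow", "/etc/app/secrets.yaml"},
}

# Assumed vendor defaults to test for. A real list is far longer.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "toor"), ("postgres", "postgres")}


def pw_hash(password):
    """Unsalted SHA-256 only so the toy snapshot is self-contained. Real
    password stores use salted, slow hashes; there you test each default
    through the store's own verifier instead of comparing digests."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed snapshot of one host, as a collector might report it.
SNAPSHOT = {
    "listening_ports": {22, 443, 3306, 8080},
    "settings": {
        "sshd.PermitRootLogin": "yes",
        "sshd.PasswordAuthentication": "no",
        "db.require_ssl": "off",
    },
    "accounts": {
        "admin": pw_hash("admin"),
        "deploy": pw_hash("c0rrect-h0rse-battery-staple"),
        "postgres": pw_hash("Vq7!pL2#mX9"),
    },
    "file_modes": {"/etc/shadow": "0640", "/etc/app/secrets.yaml": "0644"},
}


def audit(snapshot, baseline=BASELINE, defaults=DEFAULT_CREDENTIALS):
    """Return (category, detail) findings; an empty list means the host
    matches the baseline."""
    findings = []
    for port in sorted(snapshot["listening_ports"] - baseline["allowed_ports"]):
        findings.append(("open_port", f"port {port} is listening but not in the baseline"))
    for key, expected in baseline["settings"].items():
        actual = snapshot["settings"].get(key)
        if actual != expected:
            findings.append(("setting", f"{key}={actual!r}, baseline requires {expected!r}"))
    default_hashes = {(user, pw_hash(pw)) for user, pw in defaults}
    for user, digest in snapshot["accounts"].items():
        if (user, digest) in default_hashes:
            findings.append(("default_credential", f"account {user} still has a vendor default password"))
    for path in sorted(baseline["restricted_files"]):
        mode = snapshot["file_modes"].get(path)
        if mode is None:
            findings.append(("permissions", f"{path} missing from snapshot, cannot verify"))
        elif int(mode, 8) & 0o007:       # any read/write/execute bit for "others"
            findings.append(("permissions", f"{path} mode {mode} is accessible to others"))
    return findings


def counts(findings):
    """Findings per category, for a dashboard roll-up."""
    out = {}
    for category, _ in findings:
        out[category] = out.get(category, 0) + 1
    return out


if __name__ == "__main__":
    for category, detail in audit(SNAPSHOT):
        print(f"[{category}] {detail}")
```

The point of the baseline being data rather than code is that the organization-defined values (which ports are approved, which settings are mandatory) can be reviewed and version-controlled like any other configuration item, and a missing item is reported as "cannot verify" rather than silently passing.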
Document Content
Matched Section
Section: Risk: Access or Privilege Misuse
Content: Unauthorized access or misuse of privileges can lead to data breaches or system compromise. This risk involves employees or external attackers gaining access to sensitive information or critical systems without proper authorization, potentially causing significant harm to the organization.
AI Justification
The chunk discusses unauthorized access and misuse of privileges, which relates to the identification and authentication of users, particularly non-organizational users.
Document Content
Matched Section
Section: Risk: Access or Privilege Misuse
Content: Unauthorized access or misuse of privileges can lead to data breaches or system compromise. This risk involves employees or external attackers gaining access to sensitive information or critical systems without proper authorization, potentially causing significant harm to the organization.
AI Justification
The privilege-misuse risk is what adaptive authentication is designed to counter: when the system assesses behavior as suspicious, it can require additional authentication information before granting access, rather than relying on a single fixed factor.
Document Content
Matched Section
Section: Risk: Brute force
Content: Brute force attacks involve repeated attempts to guess passwords or encryption keys. Attackers use automated tools to try numerous combinations, potentially leading to unauthorized access if successful. This can compromise the security of accounts and systems.
AI Justification
The mention of brute force attacks and the need for stronger authentication mechanisms when faced with such threats aligns with the adaptive authentication control.
Document Content
Matched Section
Section: Risk: Access or Privilege Misuse
Content: Unauthorized access or misuse of privileges can lead to data breaches or system compromise. This risk involves employees or external attackers gaining access to sensitive information or critical systems without proper authorization, potentially causing significant harm to the organization.
AI Justification
Unauthorized access by employees or external actors is the threat that IA-2 guards against by requiring the organization to uniquely identify and authenticate its organizational users, contractors included, before granting access.
Document Content
Matched Section
Section: Identification and authentication requirements for non-organizational users
Content: Identification and authentication requirements for non-organizational users are described in IA-8.
AI Justification
The mention of identification and authentication requirements for non-organizational users aligns with IA-8, which focuses on the identification and authentication of users who are not part of the organization.
Document Content
Matched Section
Section: Risk: Environmental Factors
Content: Environmental factors include natural disasters or environmental conditions that could impact system operations. Examples include earthquakes, floods, fires, or extreme weather conditions that can damage infrastructure and disrupt services.
AI Justification
The chunk discusses environmental factors such as natural disasters that align with the control's focus on physical and environmental hazards.
Document Content
Matched Section
Section: Risk: Denial of Service, Risk: Environmental Factors, Risk: Human Error
Content: Risk: Denial of Service | Status: In Development | Content ID: nan | Description: Denial of Service (DoS) attacks involve overloading the system with requests, making it unavailable to legitimate users. This can disrupt business operations, cause financial losses, and damage the organization's reputation. Risk: Environmental Factors | Status: In Development | Content ID: nan | Description: Environmental factors include natural disasters or environmental conditions that could impact system operations. Examples include earthquakes, floods, fires, or extreme weather conditions that can damage infrastructure and disrupt services. Risk: Human Error | Status: In Development | Content ID: nan | Description: Human error refers to mistakes made by employees that could lead to security breaches or data loss. This can include accidental deletion of files, misconfiguration of systems, or falling for phishing attacks, all of which can have serious consequences.
AI Justification
The chunk discusses various risks, including Denial of Service, environmental factors, and human error, which can impact system operations and organizational assets. This aligns with the need to specify system components that result in increased risk when not operational.
Document Content
Matched Section
Section: Risk: Environmental Factors
Content: Environmental factors include natural disasters or environmental conditions that could impact system operations. Examples include earthquakes, floods, fires, or extreme weather conditions that can damage infrastructure and disrupt services.
AI Justification
The chunk discusses environmental factors, including natural disasters, which aligns with the control's focus on physical and environmental hazards.
Document Content
Matched Section
Section: Risk: Transmission Interception
Content: Risk: Transmission Interception | Status: In Development | Content ID: nan | Description: Interception of data during transmission involves attackers capturing data as it is being transmitted between systems. This can include eavesdropping on network traffic, man-in-the-middle attacks, or intercepting unencrypted communications.
AI Justification
The chunk discusses risks associated with data transmission interception, which aligns with the need for security controls to prevent eavesdropping and modification of unencrypted transmissions.
Document Content
Matched Section
Section: Risk: Third and fourth-party vendors
Content: Risks associated with third-party vendors and their security practices. This includes the potential for vendors to introduce vulnerabilities, fail to comply with security standards, or experience breaches that affect the organization.
AI Justification
The chunk discusses risks associated with third-party vendors, which directly relates to the supply chain risk management strategy outlined in control PM-30.
Document Content
Matched Section
Section: Risk: Third and fourth-party vendors, Risk: Transmission Interception, Risk: Unknown/Other
Content: Risks associated with third-party vendors and their security practices. This includes the potential for vendors to introduce vulnerabilities, fail to comply with security standards, or experience breaches that affect the organization. Interception of data during transmission involves attackers capturing data as it is being transmitted between systems. This can include eavesdropping on network traffic, man-in-the-middle attacks, or intercepting unencrypted communications. Any other risks that do not fall into the above categories or are currently unknown. This category includes emerging threats, new attack vectors, or risks that have not yet been identified or classified.
AI Justification
The chunk discusses risks associated with third-party vendors, data transmission interception, and unknown risks, which aligns with the need for a comprehensive risk management strategy as outlined in PM-9.
Document Content
Matched Section
Section: Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets.
Content: Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts.
AI Justification
The text describes what a risk assessment takes into account beyond threats and vulnerabilities (system design, intended use, testing results, supply chain artifacts), which is the scope of the assessment process that RA-3 requires.
Document Content
Matched Section
Section: Risk Assessment Policy and Procedures
Content: Control: RA-1: Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
AI Justification
The matched text describes the purpose, scope and maintenance of risk assessment policy and procedures, which is what RA-1 requires the organization to establish and keep current.
Document Content
Matched Section
Section: Risk: Denial of Service, Risk: Environmental Factors, Risk: Human Error
Content: Risk: Denial of Service | Status: In Development | Content ID: nan | Description: Denial of Service (DoS) attacks involve overloading the system with requests, making it unavailable to legitimate users. This can disrupt business operations, cause financial losses, and damage the organization's reputation. Risk: Environmental Factors | Status: In Development | Content ID: nan | Description: Environmental factors include natural disasters or environmental conditions that could impact system operations. Examples include earthquakes, floods, fires, or extreme weather conditions that can damage infrastructure and disrupt services. Risk: Human Error | Status: In Development | Content ID: nan | Description: Human error refers to mistakes made by employees that could lead to security breaches or data loss. This can include accidental deletion of files, misconfiguration of systems, or falling for phishing attacks, all of which can have serious consequences.
AI Justification
The chunk discusses various risks and their implications, aligning with the need for organizations to respond to risks appropriately.
Document Content
Matched Section
Section: System Development Life Cycle Process
Content: A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering.
AI Justification
The text discusses the importance of integrating security and privacy considerations into the system development life cycle, which aligns directly with the principles outlined in SA-3.
Document Content
Matched Section
Section: Security Engineering Principles
Content: The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components.
AI Justification
The text mentions the role of security engineering principles in the design, coding, and testing of systems, which aligns with SA-8.
Document Content
Matched Section
Section: Risk: Code Exploitation
Content: Code exploitation refers to attackers taking advantage of vulnerabilities in the software code. These vulnerabilities can be used to gain unauthorized access, execute malicious code, or disrupt the normal functioning of the system, leading to potential data loss or service interruptions.
AI Justification
The chunk discusses vulnerabilities in software code that can be exploited, which aligns with the control's focus on the risks associated with mobile code execution and the need for policies to mitigate such risks.
Document Content
Matched Section
Section: Risk: Session hijacking
Content: Session hijacking involves taking over a user's session to gain unauthorized access to systems or data. Attackers can intercept session tokens or cookies, allowing them to impersonate the user and access sensitive information.
AI Justification
The chunk discusses session hijacking, which directly relates to the protection of session authenticity as outlined in control SC-23.
Document Content
Matched Section
Section: Risk: Transmission Interception
Content: Interception of data during transmission involves attackers capturing data as it is being transmitted between systems. This can include eavesdropping on network traffic, man-in-the-middle attacks, or intercepting unencrypted communications.
AI Justification
The chunk discusses risks associated with data transmission, including interception, which aligns with the need for wireless link protection.
Document Content
Matched Section
Section: Risk: Denial of Service
Content: Denial of Service (DoS) attacks involve overloading the system with requests, making it unavailable to legitimate users. This can disrupt business operations, cause financial losses, and damage the organization's reputation.
AI Justification
The chunk discusses Denial of Service (DoS) attacks and their impact on system availability, which aligns with the control's focus on mitigating such events.
Document Content
Matched Section
Section: Risk: Transmission Interception
Content: Interception of data during transmission involves attackers capturing data as it is being transmitted between systems. This can include eavesdropping on network traffic, man-in-the-middle attacks, or intercepting unencrypted communications.
AI Justification
The chunk discusses risks associated with data transmission, including interception and vulnerabilities introduced by third-party vendors, which directly relates to the control's focus on protecting transmitted information.
Document Content
Matched Section
Section: Risk: Denial of Service
Content: Denial of Service (DoS) attacks involve overloading the system with requests, making it unavailable to legitimate users. This can disrupt business operations, cause financial losses, and damage the organization's reputation.
AI Justification
The chunk discusses risks that can disrupt system operations, including Denial of Service attacks, which aligns with the need for alternate communications paths to maintain operations during incidents.
Document Content
Matched Section
Section: Risk: Environmental Factors
Content: Environmental factors include natural disasters or environmental conditions that could impact system operations. Examples include earthquakes, floods, fires, or extreme weather conditions that can damage infrastructure and disrupt services.
AI Justification
The mention of environmental factors impacting system operations relates to the need for alternate communications paths to ensure continuity during such disruptions.
Document Content
Matched Section
Section: Risk: Human Error
Content: Human error refers to mistakes made by employees that could lead to security breaches or data loss. This can include accidental deletion of files, misconfiguration of systems, or falling for phishing attacks, all of which can have serious consequences.
AI Justification
Human error can lead to disruptions in operations, and having alternate communications paths can mitigate the impact of such errors.
Document Content
Matched Section
Section: Control: SI-10: Checking the valid syntax and semantics of system inputs
Content: Control: SI-10: Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content.
AI Justification
The text discusses the importance of checking the validity of system inputs, including syntax and semantics, which aligns directly with the control's focus on ensuring inputs match specified definitions.
Document Content
Matched Section
Section: Risk: Malicious insider | Risk: Malware
Content: Malicious insiders are employees or contractors with malicious intent who cause harm to the organization. They may steal sensitive information, sabotage systems, or engage in fraudulent activities, posing a significant threat to the organization's security. Malware is malicious software designed to disrupt, damage, or gain unauthorized access to systems.
AI Justification
The text discusses the risks posed by malicious insiders and malware, which aligns with the need for monitoring systems to detect and respond to such threats.
Document Content
Matched Section
Section: Risk: Malware
Content: Malware is malicious software designed to disrupt, damage, or gain unauthorized access to systems. This includes viruses, worms, trojans, and ransomware, which can compromise data integrity, steal information, or render systems inoperable.
AI Justification
The text discusses various aspects of malicious code, including its definition, methods of insertion, and protection mechanisms, which aligns directly with the control SI-3.
Document Content
Matched Section
Section: Risk: Malicious insider | Risk: Malware
Content: Malicious insiders are employees or contractors with malicious intent who cause harm to the organization. They may steal sensitive information, sabotage systems, or engage in fraudulent activities, posing a significant threat to the organization's security. Malware is malicious software designed to disrupt, damage, or gain unauthorized access to systems. This includes viruses, worms, trojans, and ransomware, which can compromise data integrity, steal information, or render systems inoperable.
AI Justification
The chunk discusses risks associated with malicious insiders and malware, which can lead to unauthorized changes and compromise data integrity.
Document Content
Matched Section
Section: Risks associated with third-party vendors and their security practices.
Content: Risks associated with third-party vendors and their security practices. This includes the potential for vendors to introduce vulnerabilities, fail to comply with security standards, or experience breaches that affect the organization.
AI Justification
The text discusses risks associated with third-party vendors, which aligns with the control's focus on managing supply chain risks and the potential vulnerabilities introduced by external providers.