NIST (Protect (PR) (Information Protection Processes and Procedures (PR.IP…
NIST
Protect (PR)
Access Controls
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
Awareness & Training
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
Data Security
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
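PR.DS-6 names the mechanism but not its shape. The following is an added example (not part of the original map and not NIST's own code) of one common integrity-checking design for a software or firmware release: a manifest of SHA-256 digests, authenticated with HMAC-SHA256 so that an attacker who can modify the artifacts cannot silently rewrite the hash list as well. The sample artifacts, the key value and the names `RELEASE`, `MANIFEST_KEY`, `build_manifest`, `sign_manifest` and `verify_release` are all assumptions constructed for the example. Artifacts are held in memory rather than on disk so the block runs offline.

```python
import hashlib
import hmac
import json

# Constructed sample release (not real artifacts): artifact name -> contents
RELEASE = {
    "firmware.bin": b"\x7fELF\x01\x01\x01\x00constructed-firmware-image-v1.2",
    "config.json": b'{"debug": false, "telemetry": "off"}',
}

# Assumed: a secret shared by the build pipeline (signer) and the installer/device (verifier).
# Placeholder value for the example; a real deployment keeps this in an HSM or KMS.
MANIFEST_KEY = b"example-manifest-key-replace-me"


def build_manifest(files):
    """Map every artifact to its SHA-256 digest (hex)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def canonical(manifest):
    """Deterministic encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=MANIFEST_KEY):
    """HMAC-SHA256 over the canonical manifest; an edited hash list no longer verifies."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_release(files, manifest, tag, key=MANIFEST_KEY):
    """Return (ok, findings).

    Order matters: authenticate the manifest first. If the manifest itself can be
    rewritten, matching per-file hashes prove nothing.
    """
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest: authentication tag mismatch"]

    findings = []
    for name, digest in manifest.items():
        if name not in files:
            findings.append(f"{name}: missing")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            findings.append(f"{name}: hash mismatch")
    for name in files:  # extra files are a finding too: they were never reviewed
        if name not in manifest:
            findings.append(f"{name}: not in manifest")
    return not findings, findings


if __name__ == "__main__":
    manifest = build_manifest(RELEASE)
    tag = sign_manifest(manifest)
    print(verify_release(RELEASE, manifest, tag))  # (True, [])
    tampered = dict(RELEASE)
    tampered["firmware.bin"] = RELEASE["firmware.bin"] + b"\x00"
    print(verify_release(tampered, manifest, tag))  # (False, ['firmware.bin: hash mismatch'])
```

The caveat a practitioner should take from this: the check is only as strong as custody of `MANIFEST_KEY`. An attacker who obtains the key can re-sign a tampered manifest and pass every check, which is why production pipelines usually replace the HMAC with a signature whose private key never leaves the signing service, and why PR.DS-6 is paired with the access controls under PR.AC.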
Maintenance
PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Protective Technology
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
Respond (RS)
Communications
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Identify (ID)
Governance
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Risk Assessment
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Business Environment
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
Risk Management Strategy
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Asset Management
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
Recover (RC)
Communications
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
Detect (DE)
Anomalies and Events
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
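DE.AE-1 asks for a managed baseline of expected data flows, which only pays off when something compares live traffic against it. The block below is an added example (not part of the original map and not NIST's own material) of the simplest workable form: learn which (source, destination, port) flows exist during a quiet window and how large they get, then classify new flows by how far they depart from that. The flow records, the hosts, the `volume_factor` threshold and the names `LEARNING_WINDOW`, `learn_baseline` and `classify_flows` are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, bytes) from a learning window; not real traffic.
LEARNING_WINDOW = [
    ("10.0.1.10", "10.0.2.5", 443, 1_200),
    ("10.0.1.10", "10.0.2.5", 443, 2_400),
    ("10.0.1.11", "10.0.2.5", 443, 900),
    ("10.0.1.10", "10.0.3.7", 5432, 15_000),
    ("10.0.1.11", "10.0.3.7", 5432, 12_000),
    ("10.0.1.10", "10.0.2.9", 53, 120),
]


def learn_baseline(flows):
    """Baseline = every (src, dst, port) seen, with the largest single transfer observed."""
    peak = defaultdict(int)
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        peak[key] = max(peak[key], nbytes)
    return dict(peak)


def classify_flows(baseline, flows, volume_factor=10):
    """Compare live flows against the baseline.

    Returns a list of (reason, flow) pairs. Three reasons, roughly by severity:
      new-peer     src has never talked to dst at all
      new-service  src has talked to dst before, but never on this port
      volume       known flow, but far above the largest transfer in the baseline
    """
    known_pairs = {(src, dst) for src, dst, _ in baseline}
    findings = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if key in baseline:
            if nbytes > volume_factor * baseline[key]:
                findings.append(("volume", (src, dst, port, nbytes)))
        elif (src, dst) in known_pairs:
            findings.append(("new-service", (src, dst, port, nbytes)))
        else:
            findings.append(("new-peer", (src, dst, port, nbytes)))
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_WINDOW)
    live = [
        ("10.0.1.10", "10.0.2.5", 443, 1_500),      # within baseline: silent
        ("10.0.1.10", "10.0.3.7", 22, 800),         # SSH to the database host: new-service
        ("10.0.1.11", "203.0.113.44", 443, 4_000),  # never-seen external peer: new-peer
        ("10.0.1.10", "10.0.3.7", 5432, 900_000),   # 60x the largest DB transfer: volume
    ]
    for reason, flow in classify_flows(baseline, live):
        print(reason, flow)
```

Two points follow from the wording "established and managed". First, the learning window must itself be trusted: a baseline captured while an intrusion is already under way teaches the attacker's flows as normal. Second, the baseline ages; every legitimate new service or host shows up as `new-peer` until the baseline is refreshed, so the refresh is a change-controlled step rather than an automatic relearn, or the detector quietly absorbs whatever it sees.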