Changes to the design of the documents, controls, residual graph, residual tables...
controls.csv (635 lines changed)
@@ -1,481 +1,154 @@
Risk #,Risk Description,CIS v8.1 Safeguards (Sub-Controls),Weight (0-10)
1,"Ransomware Attack on Critical Systems","3.1 - Establish and Maintain Inventory of Enterprise Assets",3
1,"Ransomware Attack on Critical Systems","3.3 - Manage Assets",4
1,"Ransomware Attack on Critical Systems","5.1 - Establish and Maintain a Secure Configuration Process",5
1,"Ransomware Attack on Critical Systems","5.3 - Securely Configure Enterprise Assets and Software",7
1,"Ransomware Attack on Critical Systems","8.1 - Establish and Maintain a Vulnerability Management Process",6
1,"Ransomware Attack on Critical Systems","9.2 - Deploy and Maintain Anti-Malware Software",9
1,"Ransomware Attack on Critical Systems","10.8 - Perform and Test Data Backups",10
1,"Ransomware Attack on Critical Systems","15.1 - Develop an Incident Response Plan",8
2,"Large-Scale Data Breach Due to External Attack","3.1 - Establish and Maintain Inventory of Enterprise Assets",4
2,"Large-Scale Data Breach Due to External Attack","3.4 - Manage Sensitive Assets",8
2,"Large-Scale Data Breach Due to External Attack","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
2,"Large-Scale Data Breach Due to External Attack","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
2,"Large-Scale Data Breach Due to External Attack","6.3 - Implement and Manage Network Segmentation",8
2,"Large-Scale Data Breach Due to External Attack","7.1 - Establish and Maintain a Data Management Process",6
2,"Large-Scale Data Breach Due to External Attack","7.2 - Implement and Enforce Data Retention",5
2,"Large-Scale Data Breach Due to External Attack","7.3 - Implement Data Loss Prevention (DLP)",9
2,"Large-Scale Data Breach Due to External Attack","12.5 - Enforce Encryption of Data-at-Rest",8
2,"Large-Scale Data Breach Due to External Attack","12.6 - Enforce Encryption of Data-in-Transit",7
3,"Insider Threat Leading to Data Exfiltration","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
3,"Insider Threat Leading to Data Exfiltration","4.3 - Manage Privileged Access",9
3,"Insider Threat Leading to Data Exfiltration","4.4 - Manage Service Accounts",6
3,"Insider Threat Leading to Data Exfiltration","4.6 - Manage External Accounts",5
3,"Insider Threat Leading to Data Exfiltration","7.3 - Implement Data Loss Prevention (DLP)",8
3,"Insider Threat Leading to Data Exfiltration","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
3,"Insider Threat Leading to Data Exfiltration","16.1 - Conduct Security Awareness and Skills Training",6
4,"Supply Chain Disruption Impacting Operations","3.1 - Establish and Maintain Inventory of Enterprise Assets",2
4,"Supply Chain Disruption Impacting Operations","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",1
4,"Supply Chain Disruption Impacting Operations","4.6 - Manage External Accounts",6
4,"Supply Chain Disruption Impacting Operations","13.1 - Establish and Maintain a Security Awareness Program",3
4,"Supply Chain Disruption Impacting Operations","18.1 - Establish and Maintain a Penetration Testing Program",4
4,"Supply Chain Disruption Impacting Operations","19.1 - Establish and Maintain an Incident Response Plan",7
4,"Supply Chain Disruption Impacting Operations","20.1 - Establish and Maintain a Business Continuity Plan",10
5,"Reputational Damage from Social Media Incident","13.1 - Establish and Maintain a Security Awareness Program",9
5,"Reputational Damage from Social Media Incident","16.1 - Conduct Security Awareness and Skills Training",8
5,"Reputational Damage from Social Media Incident","16.2 - Train Workforce Members on Social Engineering Attacks",7
5,"Reputational Damage from Social Media Incident","19.1 - Establish and Maintain an Incident Response Plan",6
5,"Reputational Damage from Social Media Incident","19.8 - Perform Post-Incident Reviews",5
6,"Compliance Failure Leading to Fines","1.1 - Establish and Maintain Enterprise Governance",10
6,"Compliance Failure Leading to Fines","1.2 - Establish and Maintain Enterprise Security Policies",9
6,"Compliance Failure Leading to Fines","1.3 - Establish and Maintain Enterprise Agreements",8
6,"Compliance Failure Leading to Fines","2.1 - Establish and Maintain an Inventory of Authorized Software",4
6,"Compliance Failure Leading to Fines","3.4 - Manage Sensitive Assets",7
7,"Loss of Critical Business Data Due to System Failure","10.8 - Perform and Test Data Backups",10
7,"Loss of Critical Business Data Due to System Failure","10.9 - Perform Off-Site Backups",9
7,"Loss of Critical Business Data Due to System Failure","10.10 - Securely Store Backups",8
7,"Loss of Critical Business Data Due to System Failure","5.3 - Securely Configure Enterprise Assets and Software",6
7,"Loss of Critical Business Data Due to System Failure","19.1 - Establish and Maintain an Incident Response Plan",5
8,"Business Email Compromise (BEC) Attack","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
8,"Business Email Compromise (BEC) Attack","16.2 - Train Workforce Members on Social Engineering Attacks",8
8,"Business Email Compromise (BEC) Attack","11.1 - Implement and Manage Email Protections",7
8,"Business Email Compromise (BEC) Attack","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",5
9,"Physical Security Breach Leading to Asset Theft","17.1 - Implement Physical Access Controls",10
9,"Physical Security Breach Leading to Asset Theft","17.2 - Monitor Physical Environment",9
9,"Physical Security Breach Leading to Asset Theft","3.1 - Establish and Maintain Inventory of Enterprise Assets",6
9,"Physical Security Breach Leading to Asset Theft","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",4
10,"Denial-of-Service (DoS) Attack Disrupting Services","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",6
10,"Denial-of-Service (DoS) Attack Disrupting Services","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
10,"Denial-of-Service (DoS) Attack Disrupting Services","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",10
10,"Denial-of-Service (DoS) Attack Disrupting Services","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
11,"Unpatched Software Vulnerabilities Exploited","8.2 - Remediate Vulnerabilities Based on Risk",10
11,"Unpatched Software Vulnerabilities Exploited","8.3 - Verify Application of Security Patches",9
11,"Unpatched Software Vulnerabilities Exploited","3.2 - Utilize an Automated Asset Discovery Tool",4
12,"Third-Party Vendor Security Breach Impacting Data","4.6 - Manage External Accounts",8
12,"Third-Party Vendor Security Breach Impacting Data","13.5 - Manage Supplier Access",9
12,"Third-Party Vendor Security Breach Impacting Data","13.6 - Monitor Supplier Security",7
13,"Mobile Device Compromise Leading to Data Loss","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
13,"Mobile Device Compromise Leading to Data Loss","4.5 - Manage Mobile Devices",9
13,"Mobile Device Compromise Leading to Data Loss","12.5 - Enforce Encryption of Data-at-Rest",7
14,"Cloud Service Configuration Errors Exposing Data","5.4 - Securely Configure Cloud Infrastructure",9
14,"Cloud Service Configuration Errors Exposing Data","5.5 - Securely Configure Cloud Workloads",8
14,"Cloud Service Configuration Errors Exposing Data","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
15,"Lack of Employee Security Awareness Leading to Phishing Success","16.1 - Conduct Security Awareness and Skills Training",10
15,"Lack of Employee Security Awareness Leading to Phishing Success","16.2 - Train Workforce Members on Social Engineering Attacks",9
15,"Lack of Employee Security Awareness Leading to Phishing Success","11.1 - Implement and Manage Email Protections",7
16,"Unsecured APIs Exposing Sensitive Information","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
16,"Unsecured APIs Exposing Sensitive Information","12.6 - Enforce Encryption of Data-in-Transit",9
16,"Unsecured APIs Exposing Sensitive Information","18.1 - Establish and Maintain a Penetration Testing Program",7
17,"Accidental Data Leak by Employee","7.3 - Implement Data Loss Prevention (DLP)",8
17,"Accidental Data Leak by Employee","16.1 - Conduct Security Awareness and Skills Training",7
17,"Accidental Data Leak by Employee","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",5
18,"Weak Password Policies Leading to Account Compromise","4.7 - Enforce Account Password Requirements",9
18,"Weak Password Policies Leading to Account Compromise","4.8 - Enforce Multi-Factor Authentication for All Users",8
18,"Weak Password Policies Leading to Account Compromise","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
19,"Uncontrolled Use of Shadow IT","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",8
19,"Uncontrolled Use of Shadow IT","2.1 - Establish and Maintain an Inventory of Authorized Software",7
19,"Uncontrolled Use of Shadow IT","13.1 - Establish and Maintain a Security Awareness Program",6
20,"Insider Trading Based on Stolen Information","4.3 - Manage Privileged Access",9
20,"Insider Trading Based on Stolen Information","7.3 - Implement Data Loss Prevention (DLP)",7
20,"Insider Trading Based on Stolen Information","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",8
21,"Loss of Key Personnel with Critical Security Knowledge","16.4 - Establish and Maintain a Role-Based Security Training Program",7
21,"Loss of Key Personnel with Critical Security Knowledge","16.5 - Conduct Skills Gap Assessments",6
21,"Loss of Key Personnel with Critical Security Knowledge","1.3 - Establish and Maintain Enterprise Agreements",5
22,"Natural Disaster Impacting Data Centers","17.3 - Plan and Implement Environmental Protections",9
22,"Natural Disaster Impacting Data Centers","20.1 - Establish and Maintain a Business Continuity Plan",10
22,"Natural Disaster Impacting Data Centers","10.9 - Perform Off-Site Backups",8
23,"Industrial Control System (ICS) Compromise","5.6 - Securely Configure Industrial Control Systems (ICS)",10
23,"Industrial Control System (ICS) Compromise","6.6 - Implement and Manage Network Segmentation for ICS",9
23,"Industrial Control System (ICS) Compromise","9.2 - Deploy and Maintain Anti-Malware Software",7
24,"Misconfiguration of Network Devices","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",9
24,"Misconfiguration of Network Devices","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
24,"Misconfiguration of Network Devices","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
25,"Lack of Regular Security Audits","1.5 - Conduct Periodic Security Risk Assessments",9
25,"Lack of Regular Security Audits","14.7 - Conduct Security Controls Testing and Validation",8
25,"Lack of Regular Security Audits","18.1 - Establish and Maintain a Penetration Testing Program",7
26,"AI/ML System Bias Leading to Unfair Outcomes","1.2 - Establish and Maintain Enterprise Security Policies",6
26,"AI/ML System Bias Leading to Unfair Outcomes","7.1 - Establish and Maintain a Data Management Process",7
26,"AI/ML System Bias Leading to Unfair Outcomes","15.4 - Establish and Maintain a Security Architecture",5
27,"IoT Device Vulnerabilities Exploited","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
27,"IoT Device Vulnerabilities Exploited","5.3 - Securely Configure Enterprise Assets and Software",7
27,"IoT Device Vulnerabilities Exploited","9.2 - Deploy and Maintain Anti-Malware Software",6
28,"Geopolitical Risks Impacting Cybersecurity","1.4 - Establish and Maintain a Threat Intelligence Program",9
28,"Geopolitical Risks Impacting Cybersecurity","19.1 - Establish and Maintain an Incident Response Plan",7
28,"Geopolitical Risks Impacting Cybersecurity","13.1 - Establish and Maintain a Security Awareness Program",6
29,"Unsecured Code in Custom Applications","2.2 - Utilize Standard Security Configurations for Enterprise Software and Hardware",7
29,"Unsecured Code in Custom Applications","8.4 - Perform Application Security Testing",9
29,"Unsecured Code in Custom Applications","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",8
30,"Failure to Adequately Vet New Technologies","15.4 - Establish and Maintain a Security Architecture",7
30,"Failure to Adequately Vet New Technologies","1.5 - Conduct Periodic Security Risk Assessments",8
30,"Failure to Adequately Vet New Technologies","13.1 - Establish and Maintain a Security Awareness Program",6
31,"Social Engineering Attack Targeting Executives","16.2 - Train Workforce Members on Social Engineering Attacks",10
31,"Social Engineering Attack Targeting Executives","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
31,"Social Engineering Attack Targeting Executives","11.1 - Implement and Manage Email Protections",7
32,"Vulnerability in Open-Source Software Components","2.1 - Establish and Maintain an Inventory of Authorized Software",6
32,"Vulnerability in Open-Source Software Components","8.1 - Establish and Maintain a Vulnerability Management Process",9
32,"Vulnerability in Open-Source Software Components","8.2 - Remediate Vulnerabilities Based on Risk",8
33,"Cryptojacking on Enterprise Assets","9.2 - Deploy and Maintain Anti-Malware Software",9
33,"Cryptojacking on Enterprise Assets","5.3 - Securely Configure Enterprise Assets and Software",7
33,"Cryptojacking on Enterprise Assets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
34,"Data Spillage in Cloud Environments","7.3 - Implement Data Loss Prevention (DLP)",8
34,"Data Spillage in Cloud Environments","5.4 - Securely Configure Cloud Infrastructure",7
34,"Data Spillage in Cloud Environments","12.5 - Enforce Encryption of Data-at-Rest",6
35,"Malicious Browser Extensions Compromising Users","9.1 - Establish and Maintain a Software Allow List",8
35,"Malicious Browser Extensions Compromising Users","16.1 - Conduct Security Awareness and Skills Training",7
35,"Malicious Browser Extensions Compromising Users","11.2 - Implement and Manage Web Browser Protections",9
36,"Domain Name System (DNS) Attacks","6.7 - Implement and Manage Domain Name System (DNS) Security",9
36,"Domain Name System (DNS) Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
36,"Domain Name System (DNS) Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",6
37,"Quantum Computing Breaking Encryption","12.7 - Plan and Implement Cryptographic Key Management",7
37,"Quantum Computing Breaking Encryption","15.4 - Establish and Maintain a Security Architecture",6
37,"Quantum Computing Breaking Encryption","1.4 - Establish and Maintain a Threat Intelligence Program",5
38,"Deepfake Technology Used for Fraud","16.2 - Train Workforce Members on Social Engineering Attacks",8
38,"Deepfake Technology Used for Fraud","11.1 - Implement and Manage Email Protections",7
38,"Deepfake Technology Used for Fraud","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",6
39,"Misinformation Campaigns Damaging Reputation","13.1 - Establish and Maintain a Security Awareness Program",9
39,"Misinformation Campaigns Damaging Reputation","19.1 - Establish and Maintain an Incident Response Plan",7
39,"Misinformation Campaigns Damaging Reputation","1.4 - Establish and Maintain a Threat Intelligence Program",6
40,"Lack of a Formal Security Culture","13.1 - Establish and Maintain a Security Awareness Program",10
40,"Lack of a Formal Security Culture","16.1 - Conduct Security Awareness and Skills Training",9
40,"Lack of a Formal Security Culture","1.2 - Establish and Maintain Enterprise Security Policies",8
41,"Insufficient Physical Security at Remote Offices","17.1 - Implement Physical Access Controls",9
41,"Insufficient Physical Security at Remote Offices","17.2 - Monitor Physical Environment",8
41,"Insufficient Physical Security at Remote Offices","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",6
42,"Compromise of Building Management Systems (BMS)","5.6 - Securely Configure Industrial Control Systems (ICS)",8
42,"Compromise of Building Management Systems (BMS)","6.6 - Implement and Manage Network Segmentation for ICS",7
42,"Compromise of Building Management Systems (BMS)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
43,"Failure to Securely Dispose of Sensitive Data","7.4 - Securely Dispose of Assets",9
43,"Failure to Securely Dispose of Sensitive Data","3.3 - Manage Assets",7
43,"Failure to Securely Dispose of Sensitive Data","1.2 - Establish and Maintain Enterprise Security Policies",6
44,"Man-in-the-Middle (MitM) Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
44,"Man-in-the-Middle (MitM) Attacks","12.6 - Enforce Encryption of Data-in-Transit",9
44,"Man-in-the-Middle (MitM) Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
45,"Session Hijacking","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
45,"Session Hijacking","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
45,"Session Hijacking","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
46,"Cross-Site Scripting (XSS) Attacks","8.4 - Perform Application Security Testing",9
46,"Cross-Site Scripting (XSS) Attacks","12.2 - Secure Software via Secure Coding Practices",8
46,"Cross-Site Scripting (XSS) Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
47,"SQL Injection Attacks","8.4 - Perform Application Security Testing",10
47,"SQL Injection Attacks","12.2 - Secure Software via Secure Coding Practices",9
47,"SQL Injection Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
48,"Zero-Day Exploits","8.1 - Establish and Maintain a Vulnerability Management Process",7
48,"Zero-Day Exploits","9.2 - Deploy and Maintain Anti-Malware Software",8
48,"Zero-Day Exploits","6.3 - Implement and Manage Network Segmentation",6
49,"Rogue Access Points on the Network","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",8
49,"Rogue Access Points on the Network","6.3 - Implement and Manage Network Segmentation",7
49,"Rogue Access Points on the Network","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
50,"Wireless Network Attacks","6.8 - Secure Wireless Access Points",9
50,"Wireless Network Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
50,"Wireless Network Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
51,"Stolen Credentials","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
51,"Stolen Credentials","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",10
51,"Stolen Credentials","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
52,"Unsecured Public Wi-Fi Usage","16.1 - Conduct Security Awareness and Skills Training",7
52,"Unsecured Public Wi-Fi Usage","12.6 - Enforce Encryption of Data-in-Transit",8
52,"Unsecured Public Wi-Fi Usage","4.9 - Manage Access to Enterprise Applications",6
53,"Vishing Attacks","16.2 - Train Workforce Members on Social Engineering Attacks",9
53,"Vishing Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
53,"Vishing Attacks","11.1 - Implement and Manage Email Protections",5
54,"Smishing Attacks","16.2 - Train Workforce Members on Social Engineering Attacks",9
54,"Smishing Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
54,"Smishing Attacks","11.3 - Implement and Manage Endpoint Protections",6
55,"Watering Hole Attacks","11.2 - Implement and Manage Web Browser Protections",8
55,"Watering Hole Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
55,"Watering Hole Attacks","1.4 - Establish and Maintain a Threat Intelligence Program",6
56,"Typosquatting Attacks","11.1 - Implement and Manage Email Protections",7
56,"Typosquatting Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
56,"Typosquatting Attacks","1.4 - Establish and Maintain a Threat Intelligence Program",6
57,"Malvertising","11.2 - Implement and Manage Web Browser Protections",9
57,"Malvertising","9.2 - Deploy and Maintain Anti-Malware Software",7
57,"Malvertising","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
58,"Fileless Malware Attacks","9.2 - Deploy and Maintain Anti-Malware Software",8
58,"Fileless Malware Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
58,"Fileless Malware Attacks","11.3 - Implement and Manage Endpoint Protections",6
59,"Advanced Persistent Threats (APTs)","1.4 - Establish and Maintain a Threat Intelligence Program",9
59,"Advanced Persistent Threats (APTs)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
59,"Advanced Persistent Threats (APTs)","18.1 - Establish and Maintain a Penetration Testing Program",7
60,"Remote Code Execution (RCE) Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",10
60,"Remote Code Execution (RCE) Vulnerabilities","8.3 - Verify Application of Security Patches",9
60,"Remote Code Execution (Rulnerabilities","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
61,"Formjacking Attacks","12.2 - Secure Software via Secure Coding Practices",8
61,"Formjacking Attacks","11.2 - Implement and Manage Web Browser Protections",7
61,"Formjacking Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
62,"SIM Swapping Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
62,"SIM Swapping Attacks","16.1 - Conduct Security Awareness and Skills Training",7
62,"SIM Swapping Attacks","1.3 - Establish and Maintain Enterprise Agreements",6
63,"Unsecured Database Configurations","5.3 - Securely Configure Enterprise Assets and Software",9
63,"Unsecured Database Configurations","7.1 - Establish and Maintain a Data Management Process",8
63,"Unsecured Database Configurations","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
64,"API Sprawl and Lack of API Governance","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",8
64,"API Sprawl and Lack of API Governance","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
64,"API Sprawl and Lack of API Governance","15.4 - Establish and Maintain a Security Architecture",6
65,"Insecure Default Configurations","5.1 - Establish and Maintain a Secure Configuration Process",9
65,"Insecure Default Configurations","5.3 - Securely Configure Enterprise Assets and Software",8
65,"Insecure Default Configurations","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
66,"Insufficient Data Encryption","12.5 - Enforce Encryption of Data-at-Rest",10
66,"Insufficient Data Encryption","12.6 - Enforce Encryption of Data-in-Transit
66,"Insufficient Data Encryption","12.6 - Enforce Encryption of Data-in-Transit",9
66,"Insufficient Data Encryption","7.2 - Implement and Enforce Data Retention",6
67,"Legacy Systems with Known Vulnerabilities","3.3 - Manage Assets",7
67,"Legacy Systems with Known Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",9
67,"Legacy Systems with Known Vulnerabilities","6.3 - Implement and Manage Network Segmentation",8
68,"Poorly Implemented Patch Management","8.2 - Remediate Vulnerabilities Based on Risk",10
68,"Poorly Implemented Patch Management","8.3 - Verify Application of Security Patches",9
68,"Poorly Implemented Patch Management","3.2 - Utilize an Automated Asset Discovery Tool",6
69,"Unsecured Configuration Management Practices","5.1 - Establish and Maintain a Secure Configuration Process",9
69,"Unsecured Configuration Management Practices","5.3 - Securely Configure Enterprise Assets and Software",8
69,"Unsecured Configuration Management Practices","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
70,"Lack of Network Segmentation","6.3 - Implement and Manage Network Segmentation",10
70,"Lack of Network Segmentation","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
70,"Lack of Network Segmentation","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
71,"Compromised Software Update Mechanisms","8.3 - Verify Application of Security Patches",8
71,"Compromised Software Update Mechanisms","9.2 - Deploy and Maintain Anti-Malware Software",7
71,"Compromised Software Update Mechanisms","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
72,"Weaknesses in Cloud Identity and Access Management","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
72,"Weaknesses in Cloud Identity and Access Management","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
72,"Weaknesses in Cloud Identity and Access Management","5.4 - Securely Configure Cloud Infrastructure",7
73,"Insufficient Security Logging and Monitoring","14.1 - Establish and Maintain a Security Logging and Monitoring Process",10
73,"Insufficient Security Logging and Monitoring","14.2 - Integrate Threat Intelligence into Security Monitoring",8
73,"Insufficient Security Logging and Monitoring","14.3 - Establish and Maintain Alerting and Escalation Processes",7
74,"Lack of an Effective Incident Response Plan","19.1 - Establish and Maintain an Incident Response Plan",10
74,"Lack of an Effective Incident Response Plan","19.2 - Establish and Maintain an Incident Response Team",9
74,"Lack of an Effective Incident Response Plan","19.3 - Develop and Conduct Incident Response Exercises",8
75,"Poor Data Backup and Recovery Procedures","10.8 - Perform and Test Data Backups",10
75,"Poor Data Backup and Recovery Procedures","10.9 - Perform Off-Site Backups",9
75,"Poor Data Backup and Recovery Procedures","10.10 - Securely Store Backups",8
76,"Insufficient Security Awareness Training for Employees","16.1 - Conduct Security Awareness and Skills Training",10
76,"Insufficient Security Awareness Training for Employees","16.2 - Train Workforce Members on Social Engineering Attacks",9
76,"Insufficient Security Awareness Training for Employees","13.1 - Establish and Maintain a Security Awareness Program",8
77,"Lack of a Formal Risk Management Program","1.5 - Conduct Periodic Security Risk Assessments",10
77,"Lack of a Formal Risk Management Program","1.1 - Establish and Maintain Enterprise Governance",9
77,"Lack of a Formal Risk Management Program","1.2 - Establish and Maintain Enterprise Security Policies",8
78,"Inadequate Third-Party Risk Management","13.5 - Manage Supplier Access",9
78,"Inadequate Third-Party Risk Management","13.6 - Monitor Supplier Security",8
78,"Inadequate Third-Party Risk Management","4.6 - Manage External Accounts",7
79,"Failure to Enforce Least Privilege","4.3 - Manage Privileged Access",10
79,"Failure to Enforce Least Privilege","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
79,"Failure to Enforce Least Privilege","4.4 - Manage Service Accounts",7
80,"Unsecured Remote Access Solutions","4.9 - Manage Access to Enterprise Applications",9
80,"Unsecured Remote Access Solutions","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
80,"Unsecured Remote Access Solutions","12.6 - Enforce Encryption of Data-in-Transit",7
81,"Insufficient Protection of Critical Infrastructure","17.1 - Implement Physical Access Controls",8
81,"Insufficient Protection of Critical Infrastructure","6.3 - Implement and Manage Network Segmentation",7
81,"Insufficient Protection of Critical Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
82,"Lack of Data Loss Prevention (DLP) Measures","7.3 - Implement Data Loss Prevention (DLP)",10
82,"Lack of Data Loss Prevention (DLP) Measures","3.4 - Manage Sensitive Assets",8
82,"Lack of Data Loss Prevention (DLP) Measures","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
83,"Ineffective Vulnerability Scanning Practices","8.1 - Establish and Maintain a Vulnerability Management Process",9
83,"Ineffective Vulnerability Scanning Practices","8.2 - Remediate Vulnerabilities Based on Risk",8
83,"Ineffective Vulnerability Scanning Practices","3.2 - Utilize an Automated Asset Discovery Tool",7
84,"Poorly Defined Security Roles and Responsibilities","1.2 - Establish and Maintain Enterprise Security Policies",8
84,"Poorly Defined Security Roles and Responsibilities","1.3 - Establish and Maintain Enterprise Agreements",7
84,"Poorly Defined Security Roles and Responsibilities","16.4 - Establish and Maintain a Role-Based Security Training Program",6
85,"Lack of a Formal Change Management Process","5.2 - Implement and Manage a Change Management Process",9
85,"Lack of a Formal Change Management Process","5.3 - Securely Configure Enterprise Assets and Software",7
85,"Lack of a Formal Change Management Process","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
86,"Insufficient Security Architecture and Design","15.4 - Establish and Maintain a Security Architecture",10
86,"Insufficient Security Architecture and Design","6.3 - Implement and Manage Network Segmentation",8
86,"Insufficient Security Architecture and Design","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",7
87,"Failure to Secure Containerized Environments","5.7 - Securely Configure Containers",9
87,"Failure to Secure Containerized Environments","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
87,"Failure to Secure Containerized Environments","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
88,"Inadequate Protection of API Keys and Secrets","12.3 - Manage Credentials",9
88,"Inadequate Protection of API Keys and Secrets","12.5 - Enforce Encryption of Data-at-Rest",7
88,"Inadequate Protection of API Keys and Secrets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
89,"Lack of a Formal Security Assessment Process for New Projects","1.5 - Conduct Periodic Security Risk Assessments",8
89,"Lack of a Formal Security Assessment Process for New Projects","15.4 - Establish and Maintain a Security Architecture",7
89,"Lack of a Formal Security Assessment Process for New Projects","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",6
90,"Insufficient Budget Allocation for Cybersecurity","1.1 - Establish and Maintain Enterprise Governance",9
90,"Insufficient Budget Allocation for Cybersecurity","1.2 - Establish and Maintain Enterprise Security Policies",8
90,"Insufficient Budget Allocation for Cybersecurity","1.5 - Conduct Periodic Security Risk Assessments",7
91,"Lack of Executive Support for Security Initiatives","1.1 - Establish and Maintain Enterprise Governance",10
91,"Lack of Executive Support for Security Initiatives","1.2 - Establish and Maintain Enterprise Security Policies",9
91,"Lack of Executive Support for Security Initiatives","13.1 - Establish and Maintain a Security Awareness Program",7
92,"Mergers and Acquisitions Leading to Security Integration Challenges","1.3 - Establish and Maintain Enterprise Agreements",8
92,"Mergers and Acquisitions Leading to Security Integration Challenges","15.4 - Establish and Maintain a Security Architecture",7
||||
92,"Mergers and Acquisitions Leading to Security Integration Challenges","3.1 - Establish and Maintain Inventory of Enterprise Assets",6
|
||||
93,"Decentralized Security Management Leading to Inconsistencies","1.1 - Establish and Maintain Enterprise Governance",8
|
||||
93,"Decentralized Security Management Leading to Inconsistencies","1.2 - Establish and Maintain Enterprise Security Policies",7
|
||||
93,"Decentralized Security Management Leading to Inconsistencies","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",6
|
||||
94,"Rapid Cloud Adoption Without Adequate Security Controls","5.4 - Securely Configure Cloud Infrastructure",9
|
||||
94,"Rapid Cloud Adoption Without Adequate Security Controls","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
|
||||
94,"Rapid Cloud Adoption Without Adequate Security Controls","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
95,"Increased Use of Personal Devices for Work (BYOD)","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
|
||||
95,"Increased Use of Personal Devices for Work (BYOD)","4.5 - Manage Mobile Devices",7
|
||||
95,"Increased Use of Personal Devices for Work (BYOD)","12.5 - Enforce Encryption of Data-at-Rest",6
|
||||
96,"Growing Attack Surface Due to Digital Transformation","3.1 - Establish and Maintain Inventory of Enterprise Assets",7
|
||||
96,"Growing Attack Surface Due to Digital Transformation","15.4 - Establish and Maintain a Security Architecture",8
|
||||
96,"Growing Attack Surface Due to Digital Transformation","8.1 - Establish and Maintain a Vulnerability Management Process",6
|
||||
97,"Talent Shortage in Cybersecurity","16.3 - Establish and Maintain a Security Skills Development Program",9
|
||||
97,"Talent Shortage in Cybersecurity","16.5 - Conduct Skills Gap Assessments",8
|
||||
97,"Talent Shortage in Cybersecurity","1.3 - Establish and Maintain Enterprise Agreements",5
|
||||
98,"Increased Regulatory Scrutiny and Complexity","1.1 - Establish and Maintain Enterprise Governance",9
|
||||
98,"Increased Regulatory Scrutiny and Complexity","1.2 - Establish and Maintain Enterprise Security Policies",8
|
||||
98,"Increased Regulatory Scrutiny and Complexity","3.4 - Manage Sensitive Assets",7
|
||||
99,"Evolving Threat Landscape","1.4 - Establish and Maintain a Threat Intelligence Program",10
|
||||
99,"Evolving Threat Landscape","18.1 - Establish and Maintain a Penetration Testing Program",8
|
||||
99,"Evolving Threat Landscape","13.1 - Establish and Maintain a Security Awareness Program",7
|
||||
100,"Failure to Adapt Security Strategy to Business Changes","1.2 - Establish and Maintain Enterprise Security Policies",8
|
||||
100,"Failure to Adapt Security Strategy to Business Changes","1.5 - Conduct Periodic Security Risk Assessments",9
|
||||
100,"Failure to Adapt Security Strategy to Business Changes","15.4 - Establish and Maintain a Security Architecture",7
|
||||
101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","14.2 - Integrate Threat Intelligence into Security Monitoring",9
|
||||
101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","18.1 - Establish and Maintain a Penetration Testing Program",8
|
||||
101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",8
|
||||
102,"Zero-Day Exploits Targeting Unpatched Applications","8.2 - Remediate Vulnerabilities Based on Risk",9
|
||||
102,"Zero-Day Exploits Targeting Unpatched Applications","6.3 - Implement and Manage Network Segmentation",7
|
||||
102,"Zero-Day Exploits Targeting Unpatched Applications","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",7
|
||||
103,"Sophisticated Phishing Campaigns Bypassing Email Security","11.1 - Implement and Manage Email Protections",8
|
||||
103,"Sophisticated Phishing Campaigns Bypassing Email Security","16.2 - Train Workforce Members on Social Engineering Attacks",9
|
||||
103,"Sophisticated Phishing Campaigns Bypassing Email Security","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
|
||||
104,"Malware Delivered Through Supply Chain Compromise","13.3 - Implement and Manage Secure Software Supply Chain Practices",9
|
||||
104,"Malware Delivered Through Supply Chain Compromise","9.2 - Deploy and Maintain Anti-Malware Software",7
|
||||
104,"Malware Delivered Through Supply Chain Compromise","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
105,"Ransomware Targeting Backup Infrastructure","10.8 - Perform and Test Data Backups",8
|
||||
105,"Ransomware Targeting Backup Infrastructure","10.10 - Securely Store Backups",9
|
||||
105,"Ransomware Targeting Backup Infrastructure","6.3 - Implement and Manage Network Segmentation",7
|
||||
106,"Data Exfiltration Through DNS Tunneling","6.7 - Implement and Manage Domain Name System (DNS) Security",9
|
||||
106,"Data Exfiltration Through DNS Tunneling","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
|
||||
106,"Data Exfiltration Through DNS Tunneling","7.3 - Implement Data Loss Prevention (DLP)",7
|
||||
107,"Compromise of Cloud Service Provider Credentials","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
|
||||
107,"Compromise of Cloud Service Provider Credentials","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
|
||||
107,"Compromise of Cloud Service Provider Credentials","5.4 - Securely Configure Cloud Infrastructure",7
|
||||
108,"Lateral Movement within the Network Post-Breach","6.3 - Implement and Manage Network Segmentation",10
|
||||
108,"Lateral Movement within the Network Post-Breach","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
|
||||
108,"Lateral Movement within the Network Post-Breach","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",7
|
||||
109,"Exploitation of Unsecured APIs","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
|
||||
109,"Exploitation of Unsecured APIs","12.4 - Implement and Manage Security for Software Applications",9
|
||||
109,"Exploitation of Unsecured APIs","18.1 - Establish and Maintain a Penetration Testing Program",8
|
||||
110,"Credential Stuffing Attacks Against Web Applications","4.7 - Enforce Account Password Requirements",7
|
||||
110,"Credential Stuffing Attacks Against Web Applications","4.8 - Enforce Multi-Factor Authentication for All Users",9
|
||||
110,"Credential Stuffing Attacks Against Web Applications","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
111,"Brute-Force Attacks Targeting Cloud Services","4.7 - Enforce Account Password Requirements",8
|
||||
111,"Brute-Force Attacks Targeting Cloud Services","4.8 - Enforce Multi-Factor Authentication for All Users",9
|
||||
111,"Brute-Force Attacks Targeting Cloud Services","5.4 - Securely Configure Cloud Infrastructure",7
|
||||
112,"Cryptojacking Exploiting Web Browser Vulnerabilities","11.2 - Implement and Manage Web Browser Protections",9
|
||||
112,"Cryptojacking Exploiting Web Browser Vulnerabilities","9.2 - Deploy and Maintain Anti-Malware Software",7
|
||||
112,"Cryptojacking Exploiting Web Browser Vulnerabilities","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
113,"Business Logic Flaws in Applications Leading to Data Breach","12.4 - Implement and Manage Security for Software Applications",9
|
||||
113,"Business Logic Flaws in Applications Leading to Data Breach","8.4 - Perform Application Security Testing",8
|
||||
113,"Business Logic Flaws in Applications Leading to Data Breach","7.1 - Establish and Maintain a Data Management Process",7
|
||||
114,"Malicious Insiders Exfiltrating Data Using Approved Tools","4.3 - Manage Privileged Access",8
|
||||
114,"Malicious Insiders Exfiltrating Data Using Approved Tools","7.3 - Implement Data Loss Prevention (DLP)",9
|
||||
114,"Malicious Insiders Exfiltrating Data Using Approved Tools","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
|
||||
115,"Rogue or Shadow IT Devices on the Network","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",9
|
||||
115,"Rogue or Shadow IT Devices on the Network","6.3 - Implement and Manage Network Segmentation",7
|
||||
115,"Rogue or Shadow IT Devices on the Network","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",9
|
||||
116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
|
||||
116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
117,"Insecurely Configured Cloud Storage Buckets","5.4 - Securely Configure Cloud Infrastructure",10
|
||||
117,"Insecurely Configured Cloud Storage Buckets","7.1 - Establish and Maintain a Data Management Process",8
|
||||
117,"Insecurely Configured Cloud Storage Buckets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
118,"Exploitation of Memory Corruption Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",9
|
||||
118,"Exploitation of Memory Corruption Vulnerabilities","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",8
|
||||
118,"Exploitation of Memory Corruption Vulnerabilities","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
|
||||
119,"Data Breaches Due to Misconfigured Security Groups","5.4 - Securely Configure Cloud Infrastructure",9
|
||||
119,"Data Breaches Due to Misconfigured Security Groups","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
|
||||
119,"Data Breaches Due to Misconfigured Security Groups","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
120,"Use of Default or Weak Encryption Keys","12.7 - Plan and Implement Cryptographic Key Management",9
|
||||
120,"Use of Default or Weak Encryption Keys","12.5 - Enforce Encryption of Data-at-Rest",8
|
||||
120,"Use of Default or Weak Encryption Keys","12.6 - Enforce Encryption of Data-in-Transit",7
|
||||
121,"Vulnerabilities in Third-Party Libraries and Dependencies","8.1 - Establish and Maintain a Vulnerability Management Process",8
|
||||
121,"Vulnerabilities in Third-Party Libraries and Dependencies","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",9
|
||||
121,"Vulnerabilities in Third-Party Libraries and Dependencies","2.1 - Establish and Maintain an Inventory of Authorized Software",7
|
||||
122,"Targeted Attacks on Operational Technology (OT) Systems","5.6 - Securely Configure Industrial Control Systems (ICS)",9
|
||||
122,"Targeted Attacks on Operational Technology (OT) Systems","6.6 - Implement and Manage Network Segmentation for ICS",10
|
||||
122,"Targeted Attacks on Operational Technology (OT) Systems","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
|
||||
123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","7.1 - Establish and Maintain a Data Management Process",8
|
||||
123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","3.4 - Manage Sensitive Assets",9
|
||||
123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","1.2 - Establish and Maintain Enterprise Security Policies",7
|
||||
124,"AI Poisoning Attacks Manipulating Machine Learning Models","15.4 - Establish and Maintain a Security Architecture",8
|
||||
124,"AI Poisoning Attacks Manipulating Machine Learning Models","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
124,"AI Poisoning Attacks Manipulating Machine Learning Models","1.4 - Establish and Maintain a Threat Intelligence Program",6
|
||||
125,"Quantum Computing Attacks Breaking Current Encryption","12.7 - Plan and Implement Cryptographic Key Management",9
|
||||
125,"Quantum Computing Attacks Breaking Current Encryption","15.4 - Establish and Maintain a Security Architecture",7
|
||||
125,"Quantum Computing Attacks Breaking Current Encryption","1.4 - Establish and Maintain a Threat Intelligence Program",6
|
||||
126,"Deepfake Technology Used for Social Engineering","16.2 - Train Workforce Members on Social Engineering Attacks",9
|
||||
126,"Deepfake Technology Used for Social Engineering","11.1 - Implement and Manage Email Protections",7
|
||||
126,"Deepfake Technology Used for Social Engineering","13.1 - Establish and Maintain a Security Awareness Program",6
|
||||
127,"Blockchain Vulnerabilities Leading to Financial Loss","12.4 - Implement and Manage Security for Software Applications",8
|
||||
127,"Blockchain Vulnerabilities Leading to Financial Loss","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
|
||||
127,"Blockchain Vulnerabilities Leading to Financial Loss","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
128,"Serverless Function Vulnerabilities","5.4 - Securely Configure Cloud Infrastructure",8
|
||||
128,"Serverless Function Vulnerabilities","12.4 - Implement and Manage Security for Software Applications",7
|
||||
128,"Serverless Function Vulnerabilities","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
129,"Insider Threats Leveraging Data in Motion","7.3 - Implement Data Loss Prevention (DLP)",8
|
||||
129,"Insider Threats Leveraging Data in Motion","12.6 - Enforce Encryption of Data-in-Transit",7
|
||||
129,"Insider Threats Leveraging Data in Motion","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",6
|
||||
130,"Compromise of Hardware Supply Chain (Hardware Implants)","13.4 - Implement and Manage Secure Hardware Supply Chain Practices",9
|
||||
130,"Compromise of Hardware Supply Chain (Hardware Implants)","3.1 - Establish and Maintain Inventory of Enterprise Assets",7
|
||||
130,"Compromise of Hardware Supply Chain (Hardware Implants)","18.1 - Establish and Maintain a Penetration Testing Program",6
|
||||
131,"Formjacking Attacks Stealing Payment Card Data","12.4 - Implement and Manage Security for Software Applications",9
|
||||
131,"Formjacking Attacks Stealing Payment Card Data","11.2 - Implement and Manage Web Browser Protections",7
|
||||
131,"Formjacking Attacks Stealing Payment Card Data","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
132,"SIM Swapping Leading to Account Takeover","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
|
||||
132,"SIM Swapping Leading to Account Takeover","16.1 - Conduct Security Awareness and Skills Training",7
|
||||
132,"SIM Swapping Leading to Account Takeover","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",6
|
||||
133,"Attacks Targeting APIs of Third-Party Services","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
|
||||
133,"Attacks Targeting APIs of Third-Party Services","12.4 - Implement and Manage Security for Software Applications",8
|
||||
133,"Attacks Targeting APIs of Third-Party Services","13.6 - Monitor Supplier Security",7
|
||||
134,"Insufficient Segmentation of Cloud Workloads","5.4 - Securely Configure Cloud Infrastructure",9
|
||||
134,"Insufficient Segmentation of Cloud Workloads","6.3 - Implement and Manage Network Segmentation",8
|
||||
134,"Insufficient Segmentation of Cloud Workloads","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
|
||||
135,"Compromise of Managed Service Provider (MSP) Infrastructure","4.6 - Manage External Accounts",8
|
||||
135,"Compromise of Managed Service Provider (MSP) Infrastructure","13.5 - Manage Supplier Access",9
|
||||
135,"Compromise of Managed Service Provider (MSP) Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","8.4 - Perform Application Security Testing",9
|
||||
136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","12.2 - Secure Software via Secure Coding Practices",8
|
||||
136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
|
||||
137,"Exploitation of Race Conditions in Applications","12.2 - Secure Software via Secure Coding Practices",8
|
||||
137,"Exploitation of Race Conditions in Applications","8.4 - Perform Application Security Testing",7
|
||||
137,"Exploitation of Race Conditions in Applications","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
|
||||
138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","6.3 - Implement and Manage Network Segmentation",7
|
||||
138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
139,"DNS Spoofing and Cache Poisoning Attacks","6.7 - Implement and Manage Domain Name System (DNS) Security",9
|
||||
139,"DNS Spoofing and Cache Poisoning Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
139,"DNS Spoofing and Cache Poisoning Attacks","11.2 - Implement and Manage Web Browser Protections",6
|
||||
140,"Border Gateway Protocol (BGP) Hijacking","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
|
||||
140,"Border Gateway Protocol (BGP) Hijacking","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
140,"Border Gateway Protocol (BGP) Hijacking","1.4 - Establish and Maintain a Threat Intelligence Program",6
|
||||
141,"ICMP Flood Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
|
||||
141,"ICMP Flood Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
|
||||
141,"ICMP Flood Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
142,"SYN Flood Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",9
|
||||
142,"SYN Flood Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
|
||||
142,"SYN Flood Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
143,"Smurf Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
|
||||
143,"Smurf Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
|
||||
143,"Smurf Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
144,"Fraggle Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
|
||||
144,"Fraggle Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
|
||||
144,"Fraggle Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
145,"GTP Tunneling Exploits in Mobile Networks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
|
||||
145,"GTP Tunneling Exploits in Mobile Networks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
145,"GTP Tunneling Exploits in Mobile Networks","1.4 - Establish and Maintain a Threat Intelligence Program",5
|
||||
146,"SIP Flood Attacks Targeting VoIP Infrastructure","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",9
|
||||
146,"SIP Flood Attacks Targeting VoIP Infrastructure","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
|
||||
146,"SIP Flood Attacks Targeting VoIP Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
147,"LLMNR/NBT-NS Poisoning","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
|
||||
147,"LLMNR/NBT-NS Poisoning","6.3 - Implement and Manage Network Segmentation",8
|
||||
147,"LLMNR/NBT-NS Poisoning","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
|
||||
148,"Pass-the-Hash Attacks","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
|
||||
148,"Pass-the-Hash Attacks","4.3 - Manage Privileged Access",8
|
||||
148,"Pass-the-Hash Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
149,"Pass-the-Ticket Attacks (Kerberoasting)","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
|
||||
149,"Pass-the-Ticket Attacks (Kerberoasting)","4.3 - Manage Privileged Access",9
|
||||
149,"Pass-the-Ticket Attacks (Kerberoasting)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
150,"Golden SAML Attacks","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
|
||||
150,"Golden SAML Attacks","4.3 - Manage Privileged Access",8
|
||||
150,"Golden SAML Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
|
||||
Safeguard ID,Name,Description
|
||||
1.1,Establish and Maintain Detailed Enterprise Asset Inventory,Inventory and Control of Enterprise Assets
|
||||
1.2,Address Unauthorized Assets,Inventory and Control of Enterprise Assets
|
||||
1.3,Utilize an Active Discovery Tool,Inventory and Control of Enterprise Assets
|
||||
1.4,Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory,Inventory and Control of Enterprise Assets
|
||||
1.5,Use a Passive Asset Discovery Tool,Inventory and Control of Enterprise Assets
|
||||
2.1,Establish and Maintain a Software Inventory,Inventory and Control of Software Assets
|
||||
2.2,Ensure Authorized Software is Currently Supported,Inventory and Control of Software Assets
|
||||
2.3,Address Unauthorized Software,Inventory and Control of Software Assets
|
||||
2.4,Utilize Automated Software Inventory Tools,Inventory and Control of Software Assets
|
||||
2.5,Allowlist Authorized Software,Inventory and Control of Software Assets
|
||||
2.6,Allowlist Authorized Libraries,Inventory and Control of Software Assets
|
||||
2.7,Allowlist Authorized Scripts,Inventory and Control of Software Assets
|
||||
3.1,Establish and Maintain a Data Management Process,Data Protection
|
||||
3.2,Establish and Maintain a Data Inventory,Data Protection
|
||||
3.3,Configure Data Access Control Lists,Data Protection
|
||||
3.4,Enforce Data Retention,Data Protection
|
||||
3.5,Securely Dispose of Data,Data Protection
|
||||
3.6,Encrypt Data on End-User Devices,Data Protection
|
||||
3.7,Establish and Maintain a Data Classification Scheme,Data Protection
|
||||
3.8,Document Data Flows,Data Protection
|
||||
3.9,Encrypt Data on Removable Media,Data Protection
|
||||
3.10,Encrypt Sensitive Data in Transit,Data Protection
|
||||
3.11,Encrypt Sensitive Data At Rest,Data Protection
|
||||
3.12,Segment Data Processing and Storage Based on Sensitivity,Data Protection
|
||||
3.13,Deploy a Data Loss Prevention Solution,Data Protection
|
||||
3.14,Log Sensitive Data Access,Data Protection
|
||||
4.1,Establish and Maintain a Secure Configuration Process,Secure Configuration of Enterprise Assets and Software
|
||||
4.2,Establish and Maintain a Secure Configuration Process for Network Infrastructure,Secure Configuration of Enterprise Assets and Software
|
||||
4.3,Configure Automatic Session Locking on Enterprise Assets,Secure Configuration of Enterprise Assets and Software
|
||||
4.4,Implement and Manage a Firewall on Servers,Secure Configuration of Enterprise Assets and Software
|
||||
4.5,Implement and Manage a Firewall on End-User Devices,Secure Configuration of Enterprise Assets and Software
|
||||
4.6,Securely Manage Enterprise Assets and Software,Secure Configuration of Enterprise Assets and Software
|
||||
4.7,Manage Default Accounts on Enterprise Assets and Software,Secure Configuration of Enterprise Assets and Software
|
||||
4.8,Uninstall or Disable Unnecessary Services on Enterprise Assets and Applications,Secure Configuration of Enterprise Assets and Software
|
||||
4.9,Configure Trusted Domain Name System (DNS) Servers on Enterprise Assets,Secure Configuration of Enterprise Assets and Software
|
||||
4.10,Enforce Automatic Device Lockout on Portable End-User Devices,Secure Configuration of Enterprise Assets and Software
|
||||
4.11,Enforce Remote Wipe Capability on Portable End-User Devices,Secure Configuration of Enterprise Assets and Software
|
||||
4.12,Separate Enterprise Workspaces on Mobile End-User Devices,Secure Configuration of Enterprise Assets and Software
|
||||
5.1,Establish and Maintain an Inventory of Accounts,Account Management
|
||||
5.2,Use Unique Passwords,Account Management
|
||||
5.3,Disable Dormant Accounts,Account Management
|
||||
5.4,Restrict Administrator Privileges to Dedicated Administrator Accounts,Account Management
|
||||
5.5,Establish and Maintain an Inventory of Service Accounts,Account Management
|
||||
5.6,Centralize Account Management,Account Management
|
||||
6.1,Establish an Access Granting Process,Access Control Management
|
||||
6.2,Establish an Access Revolving Process,Access Control Management
|
||||
6.3,Require MFA for Externally-Exposed Applications,Access Control Management
|
||||
6.4,Require MFA for Remote Network Access,Access Control Management
|
||||
6.5,Require MFA for Administrative Access,Access Control Management
|
||||
6.6,Establish and Maintain an Inventory of Authentication and Authorization Systems,Access Control Management
|
||||
6.7,Centralize Access Control,Access Control Management
|
||||
6.8,Define and Maintain Role-Based Access Control,Access Control Management
|
||||
7.1,Establish and Maintain a Vulnerability Management Process,Continuous Vulnerability Management
|
||||
7.2,Establish and Maintain a Remediation Process,Continuous Vulnerability Management
|
||||
7.3,Perform Automated Operating System Patch Management,Continuous Vulnerability Management
|
||||
7.4,Perform Automated Application Patch Management,Continuous Vulnerability Management
|
||||
7.5,Perform Automated Vulnerability Scans of Internal Enterprise Assets,Continuous Vulnerability Management
|
||||
7.6,Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets,Continuous Vulnerability Management
|
||||
7.7,Remediate Detected Vulnerabilities,Continuous Vulnerability Management
|
||||
8.1,Establish and Maintain an Audit Log Management Process,Audit Log Management
|
||||
8.2,Collect Audit Logs,Audit Log Management
|
||||
8.3,Ensure Adequate Audit Log Storage,Audit Log Management
|
||||
8.4,Standardize Time Synchronization,Audit Log Management
|
||||
8.5,Collect Detailed Audit Logs,Audit Log Management
|
||||
8.6,Collect DNS Query Audit Logs,Audit Log Management
|
||||
8.7,Collect URL Request Audit Logs,Audit Log Management
|
||||
8.8,Collect Command-Line Audit Logs,Audit Log Management
|
||||
8.9,Centralize Audit Logs,Audit Log Management
|
||||
8.10,Retain Audit Logs,Audit Log Management
|
||||
8.11,Conduct Audit Log Reviews,Audit Log Management
|
||||
8.12,Collect Service Provider Logs,Audit Log Management
|
||||
9.1,Ensure Use of Only Fully Supported Browsers and Email Clients,Email and Web Browser Protections
|
||||
9.2,Use DNS Filtering Services,Email and Web Browser Protections
|
||||
9.3,Maintain and Enforce Network-Based URL Filters,Email and Web Browser Protections
|
||||
9.4,Restrict Unnecessary or Unauthorized Browser and Email Client Extensions,Email and Web Browser Protections
|
||||
9.5,Implement DMARC,Email and Web Browser Protections
|
||||
9.6,Block Unnecessary File Types,Email and Web Browser Protections
|
||||
9.7,Deploy and Maintain Email Server Anti-Malware Protections,Email and Web Browser Protections
|
||||
10.1,Deploy and Maintain Anti-Malware Software,Malware Defenses
|
||||
10.2,Configure Automatic Anti-Malware Signature Updates,Malware Defenses
|
||||
10.3,Disable Autorun and Autoplay for Removable Media,Malware Defenses
|
||||
10.4,Configure Automatic Anti-Malware Scanning of Removable Media,Malware Defenses
|
||||
10.5,Enable Anti-Exploitation Features,Malware Defenses
|
||||
10.6,Centrally Manage Anti-Malware Software,Malware Defenses
|
||||
10.7,Use Behavior-Based Anti-Malware Software,Malware Defenses
|
||||
11.1,Establish and Maintain a Data Recovery Process,Data Recovery
|
||||
11.2,Perform Automated Backups,Data Recovery
|
||||
11.3,Protect Recovery Data,Data Recovery
|
||||
11.4,Establish and Maintain an Isolated Instance of Recovery Data,Data Recovery
|
||||
11.5,Test Data Recovery,Data Recovery
|
||||
12.1,Ensure Network Infrastructure is Up-to-Date,Network Infrastructure Management
|
||||
12.2,Establish and Maintain a Secure Network Architecture,Network Infrastructure Management
|
||||
12.3,Securely Manage Network Infrastructure,Network Infrastructure Management
|
||||
12.4,Establish and Maintain Architecture Diagram(s),Network Infrastructure Management
|
||||
12.5,Centralize Network Authentication, Authorization, and Auditing (AAA),Network Infrastructure Management
|
||||
12.6,Use of Secure Network Management and Communication Protocols,Network Infrastructure Management
|
||||
12.7,Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure,Network Infrastructure Management
|
||||
12.8,Establish and Maintain Dedicated Computing Resources For All Administrative Work,Network Infrastructure Management
|
||||
13.1,Centralize Security Event Alerting,Network Monitoring and Defense
|
||||
13.2,Deploy a Host-Based Intrusion Detection Solution,Network Monitoring and Defense
13.3,Deploy a Network Intrusion Detection Solution,Network Monitoring and Defense
13.4,Perform Traffic Filtering Between Network Segments,Network Monitoring and Defense
13.5,Manage Access Control for Remote Assets,Network Monitoring and Defense
13.6,Collect Network Traffic Flow Logs,Network Monitoring and Defense
13.7,Deploy a Host-Based Intrusion Prevention Solution,Network Monitoring and Defense
13.8,Deploy a Network Intrusion Prevention Solution,Network Monitoring and Defense
13.9,Deploy Port-Level Access Control,Network Monitoring and Defense
13.10,Perform Application Layer Filtering,Network Monitoring and Defense
13.11,Tune Security Event Alerting Thresholds,Network Monitoring and Defense
14.1,Establish and Maintain a Security Awareness Program,Security Awareness and Skills Training
14.2,Train Workforce Members to Recognize Social Engineering Attacks,Security Awareness and Skills Training
14.3,Train Workforce Members on Authentication Best Practices,Security Awareness and Skills Training
14.4,Train Workforce on Data Handling Best Practices,Security Awareness and Skills Training
14.5,Train Workforce Members on Causes of Unintentional Data Exposure,Security Awareness and Skills Training
14.6,Train Workforce Members on Recognizing and Reporting Security Incidents,Security Awareness and Skills Training
14.7,Train Workforce on How to Identify and Report if their Enterprise Assets are Missing Security Updates,Security Awareness and Skills Training
14.8,Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks,Security Awareness and Skills Training
14.9,Conduct Role-Specific Security Awareness and Skills Training,Security Awareness and Skills Training
15.1,Establish and Maintain an Inventory of Service Providers,Service Provider Management
15.2,Establish and Maintain a Service Provider Management Policy,Service Provider Management
15.3,Classify Service Providers,Service Provider Management
15.4,Ensure Service Provider Contracts Include Security Requirements,Service Provider Management
15.5,Assess Service Providers,Service Provider Management
15.6,Monitor Service Providers,Service Provider Management
15.7,Securely Decommission Service Providers,Service Provider Management
16.1,Establish and Maintain a Secure Application Development Process,Application Software Security
16.2,Establish and Maintain a Process to Accept and Address Software Vulnerabilities,Application Software Security
16.3,Perform Root Cause Analysis on Security Vulnerabilities,Application Software Security
16.4,Establish and Manage an Inventory of Third-Party Software Components,Application Software Security
16.5,Use Up-to-Date and Trusted Third-Party Software Components,Application Software Security
16.6,Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities,Application Software Security
16.7,Use Standard Hardening Configuration Templates for Application Infrastructure,Application Software Security
16.8,Separate Production and Non-Production Systems,Application Software Security
16.9,Train Developers in Application Security Concepts and Secure Coding,Application Software Security
16.10,Apply Secure Design Principles in Application Architectures,Application Software Security
16.11,Leverage Vetted Modules or Services for Application Security Components,Application Software Security
16.12,Implement Code-Level Security Checks,Application Software Security
16.13,Conduct Application Penetration Testing,Application Software Security
16.14,Conduct Threat Modeling,Application Software Security
17.1,Designate Personnel to Manage Incident Handling,Incident Response Management
17.2,Establish and Maintain Contact Information for Reporting Security Incidents,Incident Response Management
17.3,Establish and Maintain an Enterprise Process for Reporting Incidents,Incident Response Management
17.4,Establish and Maintain an Incident Response Process,Incident Response Management
17.5,Assign Key Roles and Responsibilities,Incident Response Management
17.6,Define Mechanisms for Communicating During Incident Response,Incident Response Management
17.7,Conduct Routine Incident Response Exercises,Incident Response Management
17.8,Conduct Post-Incident Reviews,Incident Response Management
17.9,Establish and Maintain Security Incident Thresholds,Incident Response Management
18.1,Establish and Maintain a Penetration Testing Program,Penetration Testing
18.2,Perform Periodic External Penetration Tests,Penetration Testing
18.3,Remediate Penetration Test Findings,Penetration Testing
18.4,Validate Security Measures,Penetration Testing
18.5,Perform Periodic Internal Penetration Tests,Penetration Testing
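Review bot: the 12.5 row (`12.5,Centralize Network Authentication, Authorization, and Auditing (AAA),Network Infrastructure Management`) leaves a safeguard title that contains commas unquoted, so a CSV reader splits it into five fields instead of the three every other row has, and any loader that keys on column position will misread or reject this row. Wrap the title in double quotes, `"Centralize Network Authentication, Authorization, and Auditing (AAA)"`, so the row parses to the same three columns as the rest of the file.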
Can't render this file because it contains an unexpected character in line 228 and column 4.