', result)
self.assertIn("Main Title", result)
self.assertIn("Subtitle 1", result)
self.assertIn("Custom HTML content with Example Corp", result)
@@ -47,7 +47,7 @@ class TestProcessors(unittest.TestCase):
def test_empty_segment(self):
segment = {"segment_type": "empty_segment", "content": []}
result = render_universal_segment(segment, self.context_data)
- self.assertEqual(result, "")
+ self.assertEqual(result, '
\n
')
def test_missing_html(self):
segment = {
diff --git a/backend/core/tests/test_utils.py b/backend/core/tests/test_utils.py
index 0c68a11..4296120 100644
--- a/backend/core/tests/test_utils.py
+++ b/backend/core/tests/test_utils.py
@@ -128,4 +128,45 @@ class UtilsTests(TestCase):
graph_data = generate_risk_graph(risks_with_controls)
self.assertIsInstance(graph_data, str)
- self.assertTrue(len(graph_data) > 1000)
\ No newline at end of file
+ self.assertTrue(len(graph_data) > 1000)
+
+ def test_generate_residual_risk_graph_base64(self):
+ risks_with_controls = [
+ {
+ 'risk': {'id': 1, 'name': 'Risk 1'},
+ 'residual_impact': 3,
+ 'residual_likelihood': 4,
+ },
+ {
+ 'risk': {'id': 2, 'name': 'Risk 2'},
+ 'residual_impact': 2,
+ 'residual_likelihood': 2,
+ }
+ ]
+
+ graph_data = generate_residual_risk_graph(risks_with_controls)
+ self.assertIsInstance(graph_data, str)
+ self.assertTrue(len(graph_data) > 1000)
+
+def test_get_safeguard_summary_table_basic(self):
+ from backend.core.tables import get_safeguard_summary_table
+ risks_with_controls = [
+ {
+ 'risk': {'id': 1, 'name': 'Risk 1'},
+ 'controls': [
+ {'control': 101, 'control__name': 'Control A'},
+ {'control': 102, 'control__name': 'Control B'},
+ ]
+ },
+ {
+ 'risk': {'id': 2, 'name': 'Risk 2'},
+ 'controls': [
+ {'control': 101, 'control__name': 'Control A'},
+ ]
+ }
+ ]
+ summary = get_safeguard_summary_table(risks_with_controls)
+ self.assertEqual(summary, [
+ {'id': 101, 'name': 'Control A', 'count': 2},
+ {'id': 102, 'name': 'Control B', 'count': 1},
+ ])
\ No newline at end of file
diff --git a/backend/core/utils.py b/backend/core/utils.py
index 1d2ea27..1cb168a 100644
--- a/backend/core/utils.py
+++ b/backend/core/utils.py
@@ -294,4 +294,51 @@ def generate_risk_graph(risks_with_controls):
buffer.close()
plt.close()
- return base64.b64encode(image_png).decode("utf-8")
\ No newline at end of file
+ return base64.b64encode(image_png).decode("utf-8")
+
+def generate_residual_risk_graph(risks_with_controls):
+ impacts = [risk.get('residual_impact', 0) for risk in risks_with_controls]
+ likelihoods = [risk.get('residual_likelihood', 0) for risk in risks_with_controls]
+ risk_ids = [risk['risk']['id'] for risk in risks_with_controls]
+
+ bg_img_path = find('img/graph_matrix.png')
+ bg_img = mpimg.imread(bg_img_path)
+
+ fig, ax = plt.subplots(figsize=(10, 8))
+
+ ax.imshow(bg_img, extent=[0.0, 5.4, 0.0, 5.4], aspect='auto')
+
+ scatter = ax.scatter(
+ likelihoods, impacts,
+ c="blue", edgecolors="white", s=500, alpha=0.9
+ )
+
+ for i, risk_id in enumerate(risk_ids):
+ ax.annotate(
+ str(risk_id),
+ (likelihoods[i], impacts[i]),
+ color="white",
+ fontsize=12,
+ ha="center",
+ va="center",
+ weight="bold",
+ )
+
+ ax.set_xticks([])
+ ax.set_yticks([])
+ ax.set_xticklabels([])
+ ax.set_yticklabels([])
+
+ ax.spines['top'].set_visible(False)
+ ax.spines['right'].set_visible(False)
+ ax.spines['left'].set_visible(False)
+ ax.spines['bottom'].set_visible(False)
+
+ buffer = io.BytesIO()
+ plt.savefig(buffer, format="png", transparent=True, bbox_inches='tight', pad_inches=0)
+ buffer.seek(0)
+ image_png = buffer.getvalue()
+ buffer.close()
+ plt.close()
+
+ return base64.b64encode(image_png).decode("utf-8")
diff --git a/backend/core/views.py b/backend/core/views.py
index f28b080..76530eb 100644
--- a/backend/core/views.py
+++ b/backend/core/views.py
@@ -6,8 +6,8 @@ from .forms import OrganizationForm
from .models import Organization,Document, DocumentTemplate
from backend.accounts.utils import send_confirmation_email, send_document_email
from django.contrib.admin.views.decorators import staff_member_required
-from .utils import generate_pdf, generate_risk_graph
-from .tables import risk_matrix_table ,get_risk_table
+from .utils import generate_pdf, generate_risk_graph, generate_residual_risk_graph
+from .tables import risk_matrix_table ,get_risk_table, get_safeguard_summary_table
from django.conf import settings
site_domain = settings.SITE_DOMAIN
from .processors import render_template
@@ -74,8 +74,9 @@ def document(request, document_id):
document = get_object_or_404(Document, id=document_id)
risks_with_controls = get_risk_table(document)
table_risk_matrix = risk_matrix_table()
+ safeguard_summary_table = get_safeguard_summary_table(risks_with_controls)
graph_base64 = generate_risk_graph(risks_with_controls)
-
+ residual_graph_base64 = generate_residual_risk_graph(risks_with_controls)
template_obj = get_object_or_404(DocumentTemplate, name="Default Template")
template_content = template_obj.content
@@ -88,9 +89,15 @@ def document(request, document_id):
'risks_with_controls': risks_with_controls,
'graph': graph_base64,
'table_risk_matrix': table_risk_matrix,
+ 'residual_graph': residual_graph_base64,
+ 'safeguard_summary_table': safeguard_summary_table,
+ 'table_risk_matrix_header' : table_risk_matrix[0],
+ 'table_risk_matrix_rows': table_risk_matrix[1:],
}
rendered_content = render_template(template_segments, context)
- return render(request, 'document.html', {'rendered_html': rendered_content})
+ return render(request, 'document.html',
+ {'rendered_html': rendered_content,
+ 'document': document,})
@staff_member_required
diff --git a/controls.csv b/controls.csv
index d02fa9d..d9aa27f 100644
--- a/controls.csv
+++ b/controls.csv
@@ -1,481 +1,154 @@
-Risk #,Risk Description,CIS v8.1 Safeguards (Sub-Controls),Weight (0-10)
-1,"Ransomware Attack on Critical Systems","3.1 - Establish and Maintain Inventory of Enterprise Assets",3
-1,"Ransomware Attack on Critical Systems","3.3 - Manage Assets",4
-1,"Ransomware Attack on Critical Systems","5.1 - Establish and Maintain a Secure Configuration Process",5
-1,"Ransomware Attack on Critical Systems","5.3 - Securely Configure Enterprise Assets and Software",7
-1,"Ransomware Attack on Critical Systems","8.1 - Establish and Maintain a Vulnerability Management Process",6
-1,"Ransomware Attack on Critical Systems","9.2 - Deploy and Maintain Anti-Malware Software",9
-1,"Ransomware Attack on Critical Systems","10.8 - Perform and Test Data Backups",10
-1,"Ransomware Attack on Critical Systems","15.1 - Develop an Incident Response Plan",8
-2,"Large-Scale Data Breach Due to External Attack","3.1 - Establish and Maintain Inventory of Enterprise Assets",4
-2,"Large-Scale Data Breach Due to External Attack","3.4 - Manage Sensitive Assets",8
-2,"Large-Scale Data Breach Due to External Attack","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
-2,"Large-Scale Data Breach Due to External Attack","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
-2,"Large-Scale Data Breach Due to External Attack","6.3 - Implement and Manage Network Segmentation",8
-2,"Large-Scale Data Breach Due to External Attack","7.1 - Establish and Maintain a Data Management Process",6
-2,"Large-Scale Data Breach Due to External Attack","7.2 - Implement and Enforce Data Retention",5
-2,"Large-Scale Data Breach Due to External Attack","7.3 - Implement Data Loss Prevention (DLP)",9
-2,"Large-Scale Data Breach Due to External Attack","12.5 - Enforce Encryption of Data-at-Rest",8
-2,"Large-Scale Data Breach Due to External Attack","12.6 - Enforce Encryption of Data-in-Transit",7
-3,"Insider Threat Leading to Data Exfiltration","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-3,"Insider Threat Leading to Data Exfiltration","4.3 - Manage Privileged Access",9
-3,"Insider Threat Leading to Data Exfiltration","4.4 - Manage Service Accounts",6
-3,"Insider Threat Leading to Data Exfiltration","4.6 - Manage External Accounts",5
-3,"Insider Threat Leading to Data Exfiltration","7.3 - Implement Data Loss Prevention (DLP)",8
-3,"Insider Threat Leading to Data Exfiltration","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
-3,"Insider Threat Leading to Data Exfiltration","16.1 - Conduct Security Awareness and Skills Training",6
-4,"Supply Chain Disruption Impacting Operations","3.1 - Establish and Maintain Inventory of Enterprise Assets",2
-4,"Supply Chain Disruption Impacting Operations","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",1
-4,"Supply Chain Disruption Impacting Operations","4.6 - Manage External Accounts",6
-4,"Supply Chain Disruption Impacting Operations","13.1 - Establish and Maintain a Security Awareness Program",3
-4,"Supply Chain Disruption Impacting Operations","18.1 - Establish and Maintain a Penetration Testing Program",4
-4,"Supply Chain Disruption Impacting Operations","19.1 - Establish and Maintain an Incident Response Plan",7
-4,"Supply Chain Disruption Impacting Operations","20.1 - Establish and Maintain a Business Continuity Plan",10
-5,"Reputational Damage from Social Media Incident","13.1 - Establish and Maintain a Security Awareness Program",9
-5,"Reputational Damage from Social Media Incident","16.1 - Conduct Security Awareness and Skills Training",8
-5,"Reputational Damage from Social Media Incident","16.2 - Train Workforce Members on Social Engineering Attacks",7
-5,"Reputational Damage from Social Media Incident","19.1 - Establish and Maintain an Incident Response Plan",6
-5,"Reputational Damage from Social Media Incident","19.8 - Perform Post-Incident Reviews",5
-6,"Compliance Failure Leading to Fines","1.1 - Establish and Maintain Enterprise Governance",10
-6,"Compliance Failure Leading to Fines","1.2 - Establish and Maintain Enterprise Security Policies",9
-6,"Compliance Failure Leading to Fines","1.3 - Establish and Maintain Enterprise Agreements",8
-6,"Compliance Failure Leading to Fines","2.1 - Establish and Maintain an Inventory of Authorized Software",4
-6,"Compliance Failure Leading to Fines","3.4 - Manage Sensitive Assets",7
-7,"Loss of Critical Business Data Due to System Failure","10.8 - Perform and Test Data Backups",10
-7,"Loss of Critical Business Data Due to System Failure","10.9 - Perform Off-Site Backups",9
-7,"Loss of Critical Business Data Due to System Failure","10.10 - Securely Store Backups",8
-7,"Loss of Critical Business Data Due to System Failure","5.3 - Securely Configure Enterprise Assets and Software",6
-7,"Loss of Critical Business Data Due to System Failure","19.1 - Establish and Maintain an Incident Response Plan",5
-8,"Business Email Compromise (BEC) Attack","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
-8,"Business Email Compromise (BEC) Attack","16.2 - Train Workforce Members on Social Engineering Attacks",8
-8,"Business Email Compromise (BEC) Attack","11.1 - Implement and Manage Email Protections",7
-8,"Business Email Compromise (BEC) Attack","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",5
-9,"Physical Security Breach Leading to Asset Theft","17.1 - Implement Physical Access Controls",10
-9,"Physical Security Breach Leading to Asset Theft","17.2 - Monitor Physical Environment",9
-9,"Physical Security Breach Leading to Asset Theft","3.1 - Establish and Maintain Inventory of Enterprise Assets",6
-9,"Physical Security Breach Leading to Asset Theft","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",4
-10,"Denial-of-Service (DoS) Attack Disrupting Services","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",6
-10,"Denial-of-Service (DoS) Attack Disrupting Services","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-10,"Denial-of-Service (DoS) Attack Disrupting Services","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",10
-10,"Denial-of-Service (DoS) Attack Disrupting Services","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
-11,"Unpatched Software Vulnerabilities Exploited","8.2 - Remediate Vulnerabilities Based on Risk",10
-11,"Unpatched Software Vulnerabilities Exploited","8.3 - Verify Application of Security Patches",9
-11,"Unpatched Software Vulnerabilities Exploited","3.2 - Utilize an Automated Asset Discovery Tool",4
-12,"Third-Party Vendor Security Breach Impacting Data","4.6 - Manage External Accounts",8
-12,"Third-Party Vendor Security Breach Impacting Data","13.5 - Manage Supplier Access",9
-12,"Third-Party Vendor Security Breach Impacting Data","13.6 - Monitor Supplier Security",7
-13,"Mobile Device Compromise Leading to Data Loss","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
-13,"Mobile Device Compromise Leading to Data Loss","4.5 - Manage Mobile Devices",9
-13,"Mobile Device Compromise Leading to Data Loss","12.5 - Enforce Encryption of Data-at-Rest",7
-14,"Cloud Service Configuration Errors Exposing Data","5.4 - Securely Configure Cloud Infrastructure",9
-14,"Cloud Service Configuration Errors Exposing Data","5.5 - Securely Configure Cloud Workloads",8
-14,"Cloud Service Configuration Errors Exposing Data","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-15,"Lack of Employee Security Awareness Leading to Phishing Success","16.1 - Conduct Security Awareness and Skills Training",10
-15,"Lack of Employee Security Awareness Leading to Phishing Success","16.2 - Train Workforce Members on Social Engineering Attacks",9
-15,"Lack of Employee Security Awareness Leading to Phishing Success","11.1 - Implement and Manage Email Protections",7
-16,"Unsecured APIs Exposing Sensitive Information","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
-16,"Unsecured APIs Exposing Sensitive Information","12.6 - Enforce Encryption of Data-in-Transit",9
-16,"Unsecured APIs Exposing Sensitive Information","18.1 - Establish and Maintain a Penetration Testing Program",7
-17,"Accidental Data Leak by Employee","7.3 - Implement Data Loss Prevention (DLP)",8
-17,"Accidental Data Leak by Employee","16.1 - Conduct Security Awareness and Skills Training",7
-17,"Accidental Data Leak by Employee","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",5
-18,"Weak Password Policies Leading to Account Compromise","4.7 - Enforce Account Password Requirements",9
-18,"Weak Password Policies Leading to Account Compromise","4.8 - Enforce Multi-Factor Authentication for All Users",8
-18,"Weak Password Policies Leading to Account Compromise","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
-19,"Uncontrolled Use of Shadow IT","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",8
-19,"Uncontrolled Use of Shadow IT","2.1 - Establish and Maintain an Inventory of Authorized Software",7
-19,"Uncontrolled Use of Shadow IT","13.1 - Establish and Maintain a Security Awareness Program",6
-20,"Insider Trading Based on Stolen Information","4.3 - Manage Privileged Access",9
-20,"Insider Trading Based on Stolen Information","7.3 - Implement Data Loss Prevention (DLP)",7
-20,"Insider Trading Based on Stolen Information","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",8
-21,"Loss of Key Personnel with Critical Security Knowledge","16.4 - Establish and Maintain a Role-Based Security Training Program",7
-21,"Loss of Key Personnel with Critical Security Knowledge","16.5 - Conduct Skills Gap Assessments",6
-21,"Loss of Key Personnel with Critical Security Knowledge","1.3 - Establish and Maintain Enterprise Agreements",5
-22,"Natural Disaster Impacting Data Centers","17.3 - Plan and Implement Environmental Protections",9
-22,"Natural Disaster Impacting Data Centers","20.1 - Establish and Maintain a Business Continuity Plan",10
-22,"Natural Disaster Impacting Data Centers","10.9 - Perform Off-Site Backups",8
-23,"Industrial Control System (ICS) Compromise","5.6 - Securely Configure Industrial Control Systems (ICS)",10
-23,"Industrial Control System (ICS) Compromise","6.6 - Implement and Manage Network Segmentation for ICS",9
-23,"Industrial Control System (ICS) Compromise","9.2 - Deploy and Maintain Anti-Malware Software",7
-24,"Misconfiguration of Network Devices","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",9
-24,"Misconfiguration of Network Devices","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
-24,"Misconfiguration of Network Devices","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-25,"Lack of Regular Security Audits","1.5 - Conduct Periodic Security Risk Assessments",9
-25,"Lack of Regular Security Audits","14.7 - Conduct Security Controls Testing and Validation",8
-25,"Lack of Regular Security Audits","18.1 - Establish and Maintain a Penetration Testing Program",7
-26,"AI/ML System Bias Leading to Unfair Outcomes","1.2 - Establish and Maintain Enterprise Security Policies",6
-26,"AI/ML System Bias Leading to Unfair Outcomes","7.1 - Establish and Maintain a Data Management Process",7
-26,"AI/ML System Bias Leading to Unfair Outcomes","15.4 - Establish and Maintain a Security Architecture",5
-27,"IoT Device Vulnerabilities Exploited","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
-27,"IoT Device Vulnerabilities Exploited","5.3 - Securely Configure Enterprise Assets and Software",7
-27,"IoT Device Vulnerabilities Exploited","9.2 - Deploy and Maintain Anti-Malware Software",6
-28,"Geopolitical Risks Impacting Cybersecurity","1.4 - Establish and Maintain a Threat Intelligence Program",9
-28,"Geopolitical Risks Impacting Cybersecurity","19.1 - Establish and Maintain an Incident Response Plan",7
-28,"Geopolitical Risks Impacting Cybersecurity","13.1 - Establish and Maintain a Security Awareness Program",6
-29,"Unsecured Code in Custom Applications","2.2 - Utilize Standard Security Configurations for Enterprise Software and Hardware",7
-29,"Unsecured Code in Custom Applications","8.4 - Perform Application Security Testing",9
-29,"Unsecured Code in Custom Applications","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",8
-30,"Failure to Adequately Vet New Technologies","15.4 - Establish and Maintain a Security Architecture",7
-30,"Failure to Adequately Vet New Technologies","1.5 - Conduct Periodic Security Risk Assessments",8
-30,"Failure to Adequately Vet New Technologies","13.1 - Establish and Maintain a Security Awareness Program",6
-31,"Social Engineering Attack Targeting Executives","16.2 - Train Workforce Members on Social Engineering Attacks",10
-31,"Social Engineering Attack Targeting Executives","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
-31,"Social Engineering Attack Targeting Executives","11.1 - Implement and Manage Email Protections",7
-32,"Vulnerability in Open-Source Software Components","2.1 - Establish and Maintain an Inventory of Authorized Software",6
-32,"Vulnerability in Open-Source Software Components","8.1 - Establish and Maintain a Vulnerability Management Process",9
-32,"Vulnerability in Open-Source Software Components","8.2 - Remediate Vulnerabilities Based on Risk",8
-33,"Cryptojacking on Enterprise Assets","9.2 - Deploy and Maintain Anti-Malware Software",9
-33,"Cryptojacking on Enterprise Assets","5.3 - Securely Configure Enterprise Assets and Software",7
-33,"Cryptojacking on Enterprise Assets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-34,"Data Spillage in Cloud Environments","7.3 - Implement Data Loss Prevention (DLP)",8
-34,"Data Spillage in Cloud Environments","5.4 - Securely Configure Cloud Infrastructure",7
-34,"Data Spillage in Cloud Environments","12.5 - Enforce Encryption of Data-at-Rest",6
-35,"Malicious Browser Extensions Compromising Users","9.1 - Establish and Maintain a Software Allow List",8
-35,"Malicious Browser Extensions Compromising Users","16.1 - Conduct Security Awareness and Skills Training",7
-35,"Malicious Browser Extensions Compromising Users","11.2 - Implement and Manage Web Browser Protections",9
-36,"Domain Name System (DNS) Attacks","6.7 - Implement and Manage Domain Name System (DNS) Security",9
-36,"Domain Name System (DNS) Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-36,"Domain Name System (DNS) Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",6
-37,"Quantum Computing Breaking Encryption","12.7 - Plan and Implement Cryptographic Key Management",7
-37,"Quantum Computing Breaking Encryption","15.4 - Establish and Maintain a Security Architecture",6
-37,"Quantum Computing Breaking Encryption","1.4 - Establish and Maintain a Threat Intelligence Program",5
-38,"Deepfake Technology Used for Fraud","16.2 - Train Workforce Members on Social Engineering Attacks",8
-38,"Deepfake Technology Used for Fraud","11.1 - Implement and Manage Email Protections",7
-38,"Deepfake Technology Used for Fraud","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",6
-39,"Misinformation Campaigns Damaging Reputation","13.1 - Establish and Maintain a Security Awareness Program",9
-39,"Misinformation Campaigns Damaging Reputation","19.1 - Establish and Maintain an Incident Response Plan",7
-39,"Misinformation Campaigns Damaging Reputation","1.4 - Establish and Maintain a Threat Intelligence Program",6
-40,"Lack of a Formal Security Culture","13.1 - Establish and Maintain a Security Awareness Program",10
-40,"Lack of a Formal Security Culture","16.1 - Conduct Security Awareness and Skills Training",9
-40,"Lack of a Formal Security Culture","1.2 - Establish and Maintain Enterprise Security Policies",8
-41,"Insufficient Physical Security at Remote Offices","17.1 - Implement Physical Access Controls",9
-41,"Insufficient Physical Security at Remote Offices","17.2 - Monitor Physical Environment",8
-41,"Insufficient Physical Security at Remote Offices","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",6
-42,"Compromise of Building Management Systems (BMS)","5.6 - Securely Configure Industrial Control Systems (ICS)",8
-42,"Compromise of Building Management Systems (BMS)","6.6 - Implement and Manage Network Segmentation for ICS",7
-42,"Compromise of Building Management Systems (BMS)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-43,"Failure to Securely Dispose of Sensitive Data","7.4 - Securely Dispose of Assets",9
-43,"Failure to Securely Dispose of Sensitive Data","3.3 - Manage Assets",7
-43,"Failure to Securely Dispose of Sensitive Data","1.2 - Establish and Maintain Enterprise Security Policies",6
-44,"Man-in-the-Middle (MitM) Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
-44,"Man-in-the-Middle (MitM) Attacks","12.6 - Enforce Encryption of Data-in-Transit",9
-44,"Man-in-the-Middle (MitM) Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
-45,"Session Hijacking","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-45,"Session Hijacking","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
-45,"Session Hijacking","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-46,"Cross-Site Scripting (XSS) Attacks","8.4 - Perform Application Security Testing",9
-46,"Cross-Site Scripting (XSS) Attacks","12.2 - Secure Software via Secure Coding Practices",8
-46,"Cross-Site Scripting (XSS) Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
-47,"SQL Injection Attacks","8.4 - Perform Application Security Testing",10
-47,"SQL Injection Attacks","12.2 - Secure Software via Secure Coding Practices",9
-47,"SQL Injection Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
-48,"Zero-Day Exploits","8.1 - Establish and Maintain a Vulnerability Management Process",7
-48,"Zero-Day Exploits","9.2 - Deploy and Maintain Anti-Malware Software",8
-48,"Zero-Day Exploits","6.3 - Implement and Manage Network Segmentation",6
-49,"Rogue Access Points on the Network","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",8
-49,"Rogue Access Points on the Network","6.3 - Implement and Manage Network Segmentation",7
-49,"Rogue Access Points on the Network","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-50,"Wireless Network Attacks","6.8 - Secure Wireless Access Points",9
-50,"Wireless Network Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
-50,"Wireless Network Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-51,"Stolen Credentials","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
-51,"Stolen Credentials","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",10
-51,"Stolen Credentials","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-52,"Unsecured Public Wi-Fi Usage","16.1 - Conduct Security Awareness and Skills Training",7
-52,"Unsecured Public Wi-Fi Usage","12.6 - Enforce Encryption of Data-in-Transit",8
-52,"Unsecured Public Wi-Fi Usage","4.9 - Manage Access to Enterprise Applications",6
-53,"Vishing Attacks","16.2 - Train Workforce Members on Social Engineering Attacks",9
-53,"Vishing Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
-53,"Vishing Attacks","11.1 - Implement and Manage Email Protections",5
-54,"Smishing Attacks","16.2 - Train Workforce Members on Social Engineering Attacks",9
-54,"Smishing Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
-54,"Smishing Attacks","11.3 - Implement and Manage Endpoint Protections",6
-55,"Watering Hole Attacks","11.2 - Implement and Manage Web Browser Protections",8
-55,"Watering Hole Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-55,"Watering Hole Attacks","1.4 - Establish and Maintain a Threat Intelligence Program",6
-56,"Typosquatting Attacks","11.1 - Implement and Manage Email Protections",7
-56,"Typosquatting Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
-56,"Typosquatting Attacks","1.4 - Establish and Maintain a Threat Intelligence Program",6
-57,"Malvertising","11.2 - Implement and Manage Web Browser Protections",9
-57,"Malvertising","9.2 - Deploy and Maintain Anti-Malware Software",7
-57,"Malvertising","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-58,"Fileless Malware Attacks","9.2 - Deploy and Maintain Anti-Malware Software",8
-58,"Fileless Malware Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-58,"Fileless Malware Attacks","11.3 - Implement and Manage Endpoint Protections",6
-59,"Advanced Persistent Threats (APTs)","1.4 - Establish and Maintain a Threat Intelligence Program",9
-59,"Advanced Persistent Threats (APTs)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
-59,"Advanced Persistent Threats (APTs)","18.1 - Establish and Maintain a Penetration Testing Program",7
-60,"Remote Code Execution (RCE) Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",10
-60,"Remote Code Execution (RCE) Vulnerabilities","8.3 - Verify Application of Security Patches",9
-60,"Remote Code Execution (Rulnerabilities","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-61,"Formjacking Attacks","12.2 - Secure Software via Secure Coding Practices",8
-61,"Formjacking Attacks","11.2 - Implement and Manage Web Browser Protections",7
-61,"Formjacking Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-62,"SIM Swapping Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
-62,"SIM Swapping Attacks","16.1 - Conduct Security Awareness and Skills Training",7
-62,"SIM Swapping Attacks","1.3 - Establish and Maintain Enterprise Agreements",6
-63,"Unsecured Database Configurations","5.3 - Securely Configure Enterprise Assets and Software",9
-63,"Unsecured Database Configurations","7.1 - Establish and Maintain a Data Management Process",8
-63,"Unsecured Database Configurations","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-64,"API Sprawl and Lack of API Governance","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",8
-64,"API Sprawl and Lack of API Governance","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
-64,"API Sprawl and Lack of API Governance","15.4 - Establish and Maintain a Security Architecture",6
-65,"Insecure Default Configurations","5.1 - Establish and Maintain a Secure Configuration Process",9
-65,"Insecure Default Configurations","5.3 - Securely Configure Enterprise Assets and Software",8
-65,"Insecure Default Configurations","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
-66,"Insufficient Data Encryption","12.5 - Enforce Encryption of Data-at-Rest",10
-66,"Insufficient Data Encryption","12.6 - Enforce Encryption of Data-in-Transit
-66,"Insufficient Data Encryption","12.6 - Enforce Encryption of Data-in-Transit",9
-66,"Insufficient Data Encryption","7.2 - Implement and Enforce Data Retention",6
-67,"Legacy Systems with Known Vulnerabilities","3.3 - Manage Assets",7
-67,"Legacy Systems with Known Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",9
-67,"Legacy Systems with Known Vulnerabilities","6.3 - Implement and Manage Network Segmentation",8
-68,"Poorly Implemented Patch Management","8.2 - Remediate Vulnerabilities Based on Risk",10
-68,"Poorly Implemented Patch Management","8.3 - Verify Application of Security Patches",9
-68,"Poorly Implemented Patch Management","3.2 - Utilize an Automated Asset Discovery Tool",6
-69,"Unsecured Configuration Management Practices","5.1 - Establish and Maintain a Secure Configuration Process",9
-69,"Unsecured Configuration Management Practices","5.3 - Securely Configure Enterprise Assets and Software",8
-69,"Unsecured Configuration Management Practices","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
-70,"Lack of Network Segmentation","6.3 - Implement and Manage Network Segmentation",10
-70,"Lack of Network Segmentation","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
-70,"Lack of Network Segmentation","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-71,"Compromised Software Update Mechanisms","8.3 - Verify Application of Security Patches",8
-71,"Compromised Software Update Mechanisms","9.2 - Deploy and Maintain Anti-Malware Software",7
-71,"Compromised Software Update Mechanisms","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-72,"Weaknesses in Cloud Identity and Access Management","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
-72,"Weaknesses in Cloud Identity and Access Management","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
-72,"Weaknesses in Cloud Identity and Access Management","5.4 - Securely Configure Cloud Infrastructure",7
-73,"Insufficient Security Logging and Monitoring","14.1 - Establish and Maintain a Security Logging and Monitoring Process",10
-73,"Insufficient Security Logging and Monitoring","14.2 - Integrate Threat Intelligence into Security Monitoring",8
-73,"Insufficient Security Logging and Monitoring","14.3 - Establish and Maintain Alerting and Escalation Processes",7
-74,"Lack of an Effective Incident Response Plan","19.1 - Establish and Maintain an Incident Response Plan",10
-74,"Lack of an Effective Incident Response Plan","19.2 - Establish and Maintain an Incident Response Team",9
-74,"Lack of an Effective Incident Response Plan","19.3 - Develop and Conduct Incident Response Exercises",8
-75,"Poor Data Backup and Recovery Procedures","10.8 - Perform and Test Data Backups",10
-75,"Poor Data Backup and Recovery Procedures","10.9 - Perform Off-Site Backups",9
-75,"Poor Data Backup and Recovery Procedures","10.10 - Securely Store Backups",8
-76,"Insufficient Security Awareness Training for Employees","16.1 - Conduct Security Awareness and Skills Training",10
-76,"Insufficient Security Awareness Training for Employees","16.2 - Train Workforce Members on Social Engineering Attacks",9
-76,"Insufficient Security Awareness Training for Employees","13.1 - Establish and Maintain a Security Awareness Program",8
-77,"Lack of a Formal Risk Management Program","1.5 - Conduct Periodic Security Risk Assessments",10
-77,"Lack of a Formal Risk Management Program","1.1 - Establish and Maintain Enterprise Governance",9
-77,"Lack of a Formal Risk Management Program","1.2 - Establish and Maintain Enterprise Security Policies",8
-78,"Inadequate Third-Party Risk Management","13.5 - Manage Supplier Access",9
-78,"Inadequate Third-Party Risk Management","13.6 - Monitor Supplier Security",8
-78,"Inadequate Third-Party Risk Management","4.6 - Manage External Accounts",7
-79,"Failure to Enforce Least Privilege","4.3 - Manage Privileged Access",10
-79,"Failure to Enforce Least Privilege","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-79,"Failure to Enforce Least Privilege","4.4 - Manage Service Accounts",7
-80,"Unsecured Remote Access Solutions","4.9 - Manage Access to Enterprise Applications",9
-80,"Unsecured Remote Access Solutions","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
-80,"Unsecured Remote Access Solutions","12.6 - Enforce Encryption of Data-in-Transit",7
-81,"Insufficient Protection of Critical Infrastructure","17.1 - Implement Physical Access Controls",8
-81,"Insufficient Protection of Critical Infrastructure","6.3 - Implement and Manage Network Segmentation",7
-81,"Insufficient Protection of Critical Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-82,"Lack of Data Loss Prevention (DLP) Measures","7.3 - Implement Data Loss Prevention (DLP)",10
-82,"Lack of Data Loss Prevention (DLP) Measures","3.4 - Manage Sensitive Assets",8
-82,"Lack of Data Loss Prevention (DLP) Measures","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
-83,"Ineffective Vulnerability Scanning Practices","8.1 - Establish and Maintain a Vulnerability Management Process",9
-83,"Ineffective Vulnerability Scanning Practices","8.2 - Remediate Vulnerabilities Based on Risk",8
-83,"Ineffective Vulnerability Scanning Practices","3.2 - Utilize an Automated Asset Discovery Tool",7
-84,"Poorly Defined Security Roles and Responsibilities","1.2 - Establish and Maintain Enterprise Security Policies",8
-84,"Poorly Defined Security Roles and Responsibilities","1.3 - Establish and Maintain Enterprise Agreements",7
-84,"Poorly Defined Security Roles and Responsibilities","16.4 - Establish and Maintain a Role-Based Security Training Program",6
-85,"Lack of a Formal Change Management Process","5.2 - Implement and Manage a Change Management Process",9
-85,"Lack of a Formal Change Management Process","5.3 - Securely Configure Enterprise Assets and Software",7
-85,"Lack of a Formal Change Management Process","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-86,"Insufficient Security Architecture and Design","15.4 - Establish and Maintain a Security Architecture",10
-86,"Insufficient Security Architecture and Design","6.3 - Implement and Manage Network Segmentation",8
-86,"Insufficient Security Architecture and Design","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",7
-87,"Failure to Secure Containerized Environments","5.7 - Securely Configure Containers",9
-87,"Failure to Secure Containerized Environments","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
-87,"Failure to Secure Containerized Environments","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-88,"Inadequate Protection of API Keys and Secrets","12.3 - Manage Credentials",9
-88,"Inadequate Protection of API Keys and Secrets","12.5 - Enforce Encryption of Data-at-Rest",7
-88,"Inadequate Protection of API Keys and Secrets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-89,"Lack of a Formal Security Assessment Process for New Projects","1.5 - Conduct Periodic Security Risk Assessments",8
-89,"Lack of a Formal Security Assessment Process for New Projects","15.4 - Establish and Maintain a Security Architecture",7
-89,"Lack of a Formal Security Assessment Process for New Projects","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",6
-90,"Insufficient Budget Allocation for Cybersecurity","1.1 - Establish and Maintain Enterprise Governance",9
-90,"Insufficient Budget Allocation for Cybersecurity","1.2 - Establish and Maintain Enterprise Security Policies",8
-90,"Insufficient Budget Allocation for Cybersecurity","1.5 - Conduct Periodic Security Risk Assessments",7
-91,"Lack of Executive Support for Security Initiatives","1.1 - Establish and Maintain Enterprise Governance",10
-91,"Lack of Executive Support for Security Initiatives","1.2 - Establish and Maintain Enterprise Security Policies",9
-91,"Lack of Executive Support for Security Initiatives","13.1 - Establish and Maintain a Security Awareness Program",7
-92,"Mergers and Acquisitions Leading to Security Integration Challenges","1.3 - Establish and Maintain Enterprise Agreements",8
-92,"Mergers and Acquisitions Leading to Security Integration Challenges","15.4 - Establish and Maintain a Security Architecture",7
-92,"Mergers and Acquisitions Leading to Security Integration Challenges","3.1 - Establish and Maintain Inventory of Enterprise Assets",6
-93,"Decentralized Security Management Leading to Inconsistencies","1.1 - Establish and Maintain Enterprise Governance",8
-93,"Decentralized Security Management Leading to Inconsistencies","1.2 - Establish and Maintain Enterprise Security Policies",7
-93,"Decentralized Security Management Leading to Inconsistencies","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",6
-94,"Rapid Cloud Adoption Without Adequate Security Controls","5.4 - Securely Configure Cloud Infrastructure",9
-94,"Rapid Cloud Adoption Without Adequate Security Controls","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-94,"Rapid Cloud Adoption Without Adequate Security Controls","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-95,"Increased Use of Personal Devices for Work (BYOD)","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
-95,"Increased Use of Personal Devices for Work (BYOD)","4.5 - Manage Mobile Devices",7
-95,"Increased Use of Personal Devices for Work (BYOD)","12.5 - Enforce Encryption of Data-at-Rest",6
-96,"Growing Attack Surface Due to Digital Transformation","3.1 - Establish and Maintain Inventory of Enterprise Assets",7
-96,"Growing Attack Surface Due to Digital Transformation","15.4 - Establish and Maintain a Security Architecture",8
-96,"Growing Attack Surface Due to Digital Transformation","8.1 - Establish and Maintain a Vulnerability Management Process",6
-97,"Talent Shortage in Cybersecurity","16.3 - Establish and Maintain a Security Skills Development Program",9
-97,"Talent Shortage in Cybersecurity","16.5 - Conduct Skills Gap Assessments",8
-97,"Talent Shortage in Cybersecurity","1.3 - Establish and Maintain Enterprise Agreements",5
-98,"Increased Regulatory Scrutiny and Complexity","1.1 - Establish and Maintain Enterprise Governance",9
-98,"Increased Regulatory Scrutiny and Complexity","1.2 - Establish and Maintain Enterprise Security Policies",8
-98,"Increased Regulatory Scrutiny and Complexity","3.4 - Manage Sensitive Assets",7
-99,"Evolving Threat Landscape","1.4 - Establish and Maintain a Threat Intelligence Program",10
-99,"Evolving Threat Landscape","18.1 - Establish and Maintain a Penetration Testing Program",8
-99,"Evolving Threat Landscape","13.1 - Establish and Maintain a Security Awareness Program",7
-100,"Failure to Adapt Security Strategy to Business Changes","1.2 - Establish and Maintain Enterprise Security Policies",8
-100,"Failure to Adapt Security Strategy to Business Changes","1.5 - Conduct Periodic Security Risk Assessments",9
-100,"Failure to Adapt Security Strategy to Business Changes","15.4 - Establish and Maintain a Security Architecture",7
-101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","14.2 - Integrate Threat Intelligence into Security Monitoring",9
-101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","18.1 - Establish and Maintain a Penetration Testing Program",8
-101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",8
-102,"Zero-Day Exploits Targeting Unpatched Applications","8.2 - Remediate Vulnerabilities Based on Risk",9
-102,"Zero-Day Exploits Targeting Unpatched Applications","6.3 - Implement and Manage Network Segmentation",7
-102,"Zero-Day Exploits Targeting Unpatched Applications","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",7
-103,"Sophisticated Phishing Campaigns Bypassing Email Security","11.1 - Implement and Manage Email Protections",8
-103,"Sophisticated Phishing Campaigns Bypassing Email Security","16.2 - Train Workforce Members on Social Engineering Attacks",9
-103,"Sophisticated Phishing Campaigns Bypassing Email Security","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
-104,"Malware Delivered Through Supply Chain Compromise","13.3 - Implement and Manage Secure Software Supply Chain Practices",9
-104,"Malware Delivered Through Supply Chain Compromise","9.2 - Deploy and Maintain Anti-Malware Software",7
-104,"Malware Delivered Through Supply Chain Compromise","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-105,"Ransomware Targeting Backup Infrastructure","10.8 - Perform and Test Data Backups",8
-105,"Ransomware Targeting Backup Infrastructure","10.10 - Securely Store Backups",9
-105,"Ransomware Targeting Backup Infrastructure","6.3 - Implement and Manage Network Segmentation",7
-106,"Data Exfiltration Through DNS Tunneling","6.7 - Implement and Manage Domain Name System (DNS) Security",9
-106,"Data Exfiltration Through DNS Tunneling","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
-106,"Data Exfiltration Through DNS Tunneling","7.3 - Implement Data Loss Prevention (DLP)",7
-107,"Compromise of Cloud Service Provider Credentials","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-107,"Compromise of Cloud Service Provider Credentials","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
-107,"Compromise of Cloud Service Provider Credentials","5.4 - Securely Configure Cloud Infrastructure",7
-108,"Lateral Movement within the Network Post-Breach","6.3 - Implement and Manage Network Segmentation",10
-108,"Lateral Movement within the Network Post-Breach","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
-108,"Lateral Movement within the Network Post-Breach","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",7
-109,"Exploitation of Unsecured APIs","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
-109,"Exploitation of Unsecured APIs","12.4 - Implement and Manage Security for Software Applications",9
-109,"Exploitation of Unsecured APIs","18.1 - Establish and Maintain a Penetration Testing Program",8
-110,"Credential Stuffing Attacks Against Web Applications","4.7 - Enforce Account Password Requirements",7
-110,"Credential Stuffing Attacks Against Web Applications","4.8 - Enforce Multi-Factor Authentication for All Users",9
-110,"Credential Stuffing Attacks Against Web Applications","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-111,"Brute-Force Attacks Targeting Cloud Services","4.7 - Enforce Account Password Requirements",8
-111,"Brute-Force Attacks Targeting Cloud Services","4.8 - Enforce Multi-Factor Authentication for All Users",9
-111,"Brute-Force Attacks Targeting Cloud Services","5.4 - Securely Configure Cloud Infrastructure",7
-112,"Cryptojacking Exploiting Web Browser Vulnerabilities","11.2 - Implement and Manage Web Browser Protections",9
-112,"Cryptojacking Exploiting Web Browser Vulnerabilities","9.2 - Deploy and Maintain Anti-Malware Software",7
-112,"Cryptojacking Exploiting Web Browser Vulnerabilities","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-113,"Business Logic Flaws in Applications Leading to Data Breach","12.4 - Implement and Manage Security for Software Applications",9
-113,"Business Logic Flaws in Applications Leading to Data Breach","8.4 - Perform Application Security Testing",8
-113,"Business Logic Flaws in Applications Leading to Data Breach","7.1 - Establish and Maintain a Data Management Process",7
-114,"Malicious Insiders Exfiltrating Data Using Approved Tools","4.3 - Manage Privileged Access",8
-114,"Malicious Insiders Exfiltrating Data Using Approved Tools","7.3 - Implement Data Loss Prevention (DLP)",9
-114,"Malicious Insiders Exfiltrating Data Using Approved Tools","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
-115,"Rogue or Shadow IT Devices on the Network","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",9
-115,"Rogue or Shadow IT Devices on the Network","6.3 - Implement and Manage Network Segmentation",7
-115,"Rogue or Shadow IT Devices on the Network","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",9
-116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-117,"Insecurely Configured Cloud Storage Buckets","5.4 - Securely Configure Cloud Infrastructure",10
-117,"Insecurely Configured Cloud Storage Buckets","7.1 - Establish and Maintain a Data Management Process",8
-117,"Insecurely Configured Cloud Storage Buckets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-118,"Exploitation of Memory Corruption Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",9
-118,"Exploitation of Memory Corruption Vulnerabilities","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",8
-118,"Exploitation of Memory Corruption Vulnerabilities","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-119,"Data Breaches Due to Misconfigured Security Groups","5.4 - Securely Configure Cloud Infrastructure",9
-119,"Data Breaches Due to Misconfigured Security Groups","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-119,"Data Breaches Due to Misconfigured Security Groups","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-120,"Use of Default or Weak Encryption Keys","12.7 - Plan and Implement Cryptographic Key Management",9
-120,"Use of Default or Weak Encryption Keys","12.5 - Enforce Encryption of Data-at-Rest",8
-120,"Use of Default or Weak Encryption Keys","12.6 - Enforce Encryption of Data-in-Transit",7
-121,"Vulnerabilities in Third-Party Libraries and Dependencies","8.1 - Establish and Maintain a Vulnerability Management Process",8
-121,"Vulnerabilities in Third-Party Libraries and Dependencies","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",9
-121,"Vulnerabilities in Third-Party Libraries and Dependencies","2.1 - Establish and Maintain an Inventory of Authorized Software",7
-122,"Targeted Attacks on Operational Technology (OT) Systems","5.6 - Securely Configure Industrial Control Systems (ICS)",9
-122,"Targeted Attacks on Operational Technology (OT) Systems","6.6 - Implement and Manage Network Segmentation for ICS",10
-122,"Targeted Attacks on Operational Technology (OT) Systems","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
-123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","7.1 - Establish and Maintain a Data Management Process",8
-123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","3.4 - Manage Sensitive Assets",9
-123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","1.2 - Establish and Maintain Enterprise Security Policies",7
-124,"AI Poisoning Attacks Manipulating Machine Learning Models","15.4 - Establish and Maintain a Security Architecture",8
-124,"AI Poisoning Attacks Manipulating Machine Learning Models","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-124,"AI Poisoning Attacks Manipulating Machine Learning Models","1.4 - Establish and Maintain a Threat Intelligence Program",6
-125,"Quantum Computing Attacks Breaking Current Encryption","12.7 - Plan and Implement Cryptographic Key Management",9
-125,"Quantum Computing Attacks Breaking Current Encryption","15.4 - Establish and Maintain a Security Architecture",7
-125,"Quantum Computing Attacks Breaking Current Encryption","1.4 - Establish and Maintain a Threat Intelligence Program",6
-126,"Deepfake Technology Used for Social Engineering","16.2 - Train Workforce Members on Social Engineering Attacks",9
-126,"Deepfake Technology Used for Social Engineering","11.1 - Implement and Manage Email Protections",7
-126,"Deepfake Technology Used for Social Engineering","13.1 - Establish and Maintain a Security Awareness Program",6
-127,"Blockchain Vulnerabilities Leading to Financial Loss","12.4 - Implement and Manage Security for Software Applications",8
-127,"Blockchain Vulnerabilities Leading to Financial Loss","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
-127,"Blockchain Vulnerabilities Leading to Financial Loss","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-128,"Serverless Function Vulnerabilities","5.4 - Securely Configure Cloud Infrastructure",8
-128,"Serverless Function Vulnerabilities","12.4 - Implement and Manage Security for Software Applications",7
-128,"Serverless Function Vulnerabilities","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-129,"Insider Threats Leveraging Data in Motion","7.3 - Implement Data Loss Prevention (DLP)",8
-129,"Insider Threats Leveraging Data in Motion","12.6 - Enforce Encryption of Data-in-Transit",7
-129,"Insider Threats Leveraging Data in Motion","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",6
-130,"Compromise of Hardware Supply Chain (Hardware Implants)","13.4 - Implement and Manage Secure Hardware Supply Chain Practices",9
-130,"Compromise of Hardware Supply Chain (Hardware Implants)","3.1 - Establish and Maintain Inventory of Enterprise Assets",7
-130,"Compromise of Hardware Supply Chain (Hardware Implants)","18.1 - Establish and Maintain a Penetration Testing Program",6
-131,"Formjacking Attacks Stealing Payment Card Data","12.4 - Implement and Manage Security for Software Applications",9
-131,"Formjacking Attacks Stealing Payment Card Data","11.2 - Implement and Manage Web Browser Protections",7
-131,"Formjacking Attacks Stealing Payment Card Data","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-132,"SIM Swapping Leading to Account Takeover","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
-132,"SIM Swapping Leading to Account Takeover","16.1 - Conduct Security Awareness and Skills Training",7
-132,"SIM Swapping Leading to Account Takeover","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",6
-133,"Attacks Targeting APIs of Third-Party Services","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
-133,"Attacks Targeting APIs of Third-Party Services","12.4 - Implement and Manage Security for Software Applications",8
-133,"Attacks Targeting APIs of Third-Party Services","13.6 - Monitor Supplier Security",7
-134,"Insufficient Segmentation of Cloud Workloads","5.4 - Securely Configure Cloud Infrastructure",9
-134,"Insufficient Segmentation of Cloud Workloads","6.3 - Implement and Manage Network Segmentation",8
-134,"Insufficient Segmentation of Cloud Workloads","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
-135,"Compromise of Managed Service Provider (MSP) Infrastructure","4.6 - Manage External Accounts",8
-135,"Compromise of Managed Service Provider (MSP) Infrastructure","13.5 - Manage Supplier Access",9
-135,"Compromise of Managed Service Provider (MSP) Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","8.4 - Perform Application Security Testing",9
-136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","12.2 - Secure Software via Secure Coding Practices",8
-136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
-137,"Exploitation of Race Conditions in Applications","12.2 - Secure Software via Secure Coding Practices",8
-137,"Exploitation of Race Conditions in Applications","8.4 - Perform Application Security Testing",7
-137,"Exploitation of Race Conditions in Applications","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
-138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","6.3 - Implement and Manage Network Segmentation",7
-138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-139,"DNS Spoofing and Cache Poisoning Attacks","6.7 - Implement and Manage Domain Name System (DNS) Security",9
-139,"DNS Spoofing and Cache Poisoning Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-139,"DNS Spoofing and Cache Poisoning Attacks","11.2 - Implement and Manage Web Browser Protections",6
-140,"Border Gateway Protocol (BGP) Hijacking","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
-140,"Border Gateway Protocol (BGP) Hijacking","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-140,"Border Gateway Protocol (BGP) Hijacking","1.4 - Establish and Maintain a Threat Intelligence Program",6
-141,"ICMP Flood Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
-141,"ICMP Flood Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-141,"ICMP Flood Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-142,"SYN Flood Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",9
-142,"SYN Flood Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
-142,"SYN Flood Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-143,"Smurf Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
-143,"Smurf Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-143,"Smurf Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-144,"Fraggle Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
-144,"Fraggle Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-144,"Fraggle Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-145,"GTP Tunneling Exploits in Mobile Networks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-145,"GTP Tunneling Exploits in Mobile Networks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-145,"GTP Tunneling Exploits in Mobile Networks","1.4 - Establish and Maintain a Threat Intelligence Program",5
-146,"SIP Flood Attacks Targeting VoIP Infrastructure","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",9
-146,"SIP Flood Attacks Targeting VoIP Infrastructure","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
-146,"SIP Flood Attacks Targeting VoIP Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-147,"LLMNR/NBT-NS Poisoning","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
-147,"LLMNR/NBT-NS Poisoning","6.3 - Implement and Manage Network Segmentation",8
-147,"LLMNR/NBT-NS Poisoning","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
-148,"Pass-the-Hash Attacks","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
-148,"Pass-the-Hash Attacks","4.3 - Manage Privileged Access",8
-148,"Pass-the-Hash Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-149,"Pass-the-Ticket Attacks (Kerberoasting)","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
-149,"Pass-the-Ticket Attacks (Kerberoasting)","4.3 - Manage Privileged Access",9
-149,"Pass-the-Ticket Attacks (Kerberoasting)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
-150,"Golden SAML Attacks","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
-150,"Golden SAML Attacks","4.3 - Manage Privileged Access",8
-150,"Golden SAML Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
+Safeguard ID,Name,Description
+1.1,Establish and Maintain Detailed Enterprise Asset Inventory,Inventory and Control of Enterprise Assets
+1.2,Address Unauthorized Assets,Inventory and Control of Enterprise Assets
+1.3,Utilize an Active Discovery Tool,Inventory and Control of Enterprise Assets
+1.4,Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory,Inventory and Control of Enterprise Assets
+1.5,Use a Passive Asset Discovery Tool,Inventory and Control of Enterprise Assets
+2.1,Establish and Maintain a Software Inventory,Inventory and Control of Software Assets
+2.2,Ensure Authorized Software is Currently Supported,Inventory and Control of Software Assets
+2.3,Address Unauthorized Software,Inventory and Control of Software Assets
+2.4,Utilize Automated Software Inventory Tools,Inventory and Control of Software Assets
+2.5,Allowlist Authorized Software,Inventory and Control of Software Assets
+2.6,Allowlist Authorized Libraries,Inventory and Control of Software Assets
+2.7,Allowlist Authorized Scripts,Inventory and Control of Software Assets
+3.1,Establish and Maintain a Data Management Process,Data Protection
+3.2,Establish and Maintain a Data Inventory,Data Protection
+3.3,Configure Data Access Control Lists,Data Protection
+3.4,Enforce Data Retention,Data Protection
+3.5,Securely Dispose of Data,Data Protection
+3.6,Encrypt Data on End-User Devices,Data Protection
+3.7,Establish and Maintain a Data Classification Scheme,Data Protection
+3.8,Document Data Flows,Data Protection
+3.9,Encrypt Data on Removable Media,Data Protection
+3.10,Encrypt Sensitive Data in Transit,Data Protection
+3.11,Encrypt Sensitive Data At Rest,Data Protection
+3.12,Segment Data Processing and Storage Based on Sensitivity,Data Protection
+3.13,Deploy a Data Loss Prevention Solution,Data Protection
+3.14,Log Sensitive Data Access,Data Protection
+4.1,Establish and Maintain a Secure Configuration Process,Secure Configuration of Enterprise Assets and Software
+4.2,Establish and Maintain a Secure Configuration Process for Network Infrastructure,Secure Configuration of Enterprise Assets and Software
+4.3,Configure Automatic Session Locking on Enterprise Assets,Secure Configuration of Enterprise Assets and Software
+4.4,Implement and Manage a Firewall on Servers,Secure Configuration of Enterprise Assets and Software
+4.5,Implement and Manage a Firewall on End-User Devices,Secure Configuration of Enterprise Assets and Software
+4.6,Securely Manage Enterprise Assets and Software,Secure Configuration of Enterprise Assets and Software
+4.7,Manage Default Accounts on Enterprise Assets and Software,Secure Configuration of Enterprise Assets and Software
+4.8,Uninstall or Disable Unnecessary Services on Enterprise Assets and Applications,Secure Configuration of Enterprise Assets and Software
+4.9,Configure Trusted Domain Name System (DNS) Servers on Enterprise Assets,Secure Configuration of Enterprise Assets and Software
+4.10,Enforce Automatic Device Lockout on Portable End-User Devices,Secure Configuration of Enterprise Assets and Software
+4.11,Enforce Remote Wipe Capability on Portable End-User Devices,Secure Configuration of Enterprise Assets and Software
+4.12,Separate Enterprise Workspaces on Mobile End-User Devices,Secure Configuration of Enterprise Assets and Software
+5.1,Establish and Maintain an Inventory of Accounts,Account Management
+5.2,Use Unique Passwords,Account Management
+5.3,Disable Dormant Accounts,Account Management
+5.4,Restrict Administrator Privileges to Dedicated Administrator Accounts,Account Management
+5.5,Establish and Maintain an Inventory of Service Accounts,Account Management
+5.6,Centralize Account Management,Account Management
+6.1,Establish an Access Granting Process,Access Control Management
+6.2,Establish an Access Revolving Process,Access Control Management
+6.3,Require MFA for Externally-Exposed Applications,Access Control Management
+6.4,Require MFA for Remote Network Access,Access Control Management
+6.5,Require MFA for Administrative Access,Access Control Management
+6.6,Establish and Maintain an Inventory of Authentication and Authorization Systems,Access Control Management
+6.7,Centralize Access Control,Access Control Management
+6.8,Define and Maintain Role-Based Access Control,Access Control Management
+7.1,Establish and Maintain a Vulnerability Management Process,Continuous Vulnerability Management
+7.2,Establish and Maintain a Remediation Process,Continuous Vulnerability Management
+7.3,Perform Automated Operating System Patch Management,Continuous Vulnerability Management
+7.4,Perform Automated Application Patch Management,Continuous Vulnerability Management
+7.5,Perform Automated Vulnerability Scans of Internal Enterprise Assets,Continuous Vulnerability Management
+7.6,Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets,Continuous Vulnerability Management
+7.7,Remediate Detected Vulnerabilities,Continuous Vulnerability Management
+8.1,Establish and Maintain an Audit Log Management Process,Audit Log Management
+8.2,Collect Audit Logs,Audit Log Management
+8.3,Ensure Adequate Audit Log Storage,Audit Log Management
+8.4,Standardize Time Synchronization,Audit Log Management
+8.5,Collect Detailed Audit Logs,Audit Log Management
+8.6,Collect DNS Query Audit Logs,Audit Log Management
+8.7,Collect URL Request Audit Logs,Audit Log Management
+8.8,Collect Command-Line Audit Logs,Audit Log Management
+8.9,Centralize Audit Logs,Audit Log Management
+8.10,Retain Audit Logs,Audit Log Management
+8.11,Conduct Audit Log Reviews,Audit Log Management
+8.12,Collect Service Provider Logs,Audit Log Management
+9.1,Ensure Use of Only Fully Supported Browsers and Email Clients,Email and Web Browser Protections
+9.2,Use DNS Filtering Services,Email and Web Browser Protections
+9.3,Maintain and Enforce Network-Based URL Filters,Email and Web Browser Protections
+9.4,Restrict Unnecessary or Unauthorized Browser and Email Client Extensions,Email and Web Browser Protections
+9.5,Implement DMARC,Email and Web Browser Protections
+9.6,Block Unnecessary File Types,Email and Web Browser Protections
+9.7,Deploy and Maintain Email Server Anti-Malware Protections,Email and Web Browser Protections
+10.1,Deploy and Maintain Anti-Malware Software,Malware Defenses
+10.2,Configure Automatic Anti-Malware Signature Updates,Malware Defenses
+10.3,Disable Autorun and Autoplay for Removable Media,Malware Defenses
+10.4,Configure Automatic Anti-Malware Scanning of Removable Media,Malware Defenses
+10.5,Enable Anti-Exploitation Features,Malware Defenses
+10.6,Centrally Manage Anti-Malware Software,Malware Defenses
+10.7,Use Behavior-Based Anti-Malware Software,Malware Defenses
+11.1,Establish and Maintain a Data Recovery Process,Data Recovery
+11.2,Perform Automated Backups,Data Recovery
+11.3,Protect Recovery Data,Data Recovery
+11.4,Establish and Maintain an Isolated Instance of Recovery Data,Data Recovery
+11.5,Test Data Recovery,Data Recovery
+12.1,Ensure Network Infrastructure is Up-to-Date,Network Infrastructure Management
+12.2,Establish and Maintain a Secure Network Architecture,Network Infrastructure Management
+12.3,Securely Manage Network Infrastructure,Network Infrastructure Management
+12.4,Establish and Maintain Architecture Diagram(s),Network Infrastructure Management
+12.5,Centralize Network Authentication, Authorization, and Auditing (AAA),Network Infrastructure Management
+12.6,Use of Secure Network Management and Communication Protocols,Network Infrastructure Management
+12.7,Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure,Network Infrastructure Management
+12.8,Establish and Maintain Dedicated Computing Resources For All Administrative Work,Network Infrastructure Management
+13.1,Centralize Security Event Alerting,Network Monitoring and Defense
+13.2,Deploy a Host-Based Intrusion Detection Solution,Network Monitoring and Defense
+13.3,Deploy a Network Intrusion Detection Solution,Network Monitoring and Defense
+13.4,Perform Traffic Filtering Between Network Segments,Network Monitoring and Defense
+13.5,Manage Access Control for Remote Assets,Network Monitoring and Defense
+13.6,Collect Network Traffic Flow Logs,Network Monitoring and Defense
+13.7,Deploy a Host-Based Intrusion Prevention Solution,Network Monitoring and Defense
+13.8,Deploy a Network Intrusion Prevention Solution,Network Monitoring and Defense
+13.9,Deploy Port-Level Access Control,Network Monitoring and Defense
+13.10,Perform Application Layer Filtering,Network Monitoring and Defense
+13.11,Tune Security Event Alerting Thresholds,Network Monitoring and Defense
+14.1,Establish and Maintain a Security Awareness Program,Security Awareness and Skills Training
+14.2,Train Workforce Members to Recognize Social Engineering Attacks,Security Awareness and Skills Training
+14.3,Train Workforce Members on Authentication Best Practices,Security Awareness and Skills Training
+14.4,Train Workforce on Data Handling Best Practices,Security Awareness and Skills Training
+14.5,Train Workforce Members on Causes of Unintentional Data Exposure,Security Awareness and Skills Training
+14.6,Train Workforce Members on Recognizing and Reporting Security Incidents,Security Awareness and Skills Training
+14.7,Train Workforce on How to Identify and Report if their Enterprise Assets are Missing Security Updates,Security Awareness and Skills Training
+14.8,Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks,Security Awareness and Skills Training
+14.9,Conduct Role-Specific Security Awareness and Skills Training,Security Awareness and Skills Training
+15.1,Establish and Maintain an Inventory of Service Providers,Service Provider Management
+15.2,Establish and Maintain a Service Provider Management Policy,Service Provider Management
+15.3,Classify Service Providers,Service Provider Management
+15.4,Ensure Service Provider Contracts Include Security Requirements,Service Provider Management
+15.5,Assess Service Providers,Service Provider Management
+15.6,Monitor Service Providers,Service Provider Management
+15.7,Securely Decommission Service Providers,Service Provider Management
+16.1,Establish and Maintain a Secure Application Development Process,Application Software Security
+16.2,Establish and Maintain a Process to Accept and Address Software Vulnerabilities,Application Software Security
+16.3,Perform Root Cause Analysis on Security Vulnerabilities,Application Software Security
+16.4,Establish and Manage an Inventory of Third-Party Software Components,Application Software Security
+16.5,Use Up-to-Date and Trusted Third-Party Software Components,Application Software Security
+16.6,Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities,Application Software Security
+16.7,Use Standard Hardening Configuration Templates for Application Infrastructure,Application Software Security
+16.8,Separate Production and Non-Production Systems,Application Software Security
+16.9,Train Developers in Application Security Concepts and Secure Coding,Application Software Security
+16.10,Apply Secure Design Principles in Application Architectures,Application Software Security
+16.11,Leverage Vetted Modules or Services for Application Security Components,Application Software Security
+16.12,Implement Code-Level Security Checks,Application Software Security
+16.13,Conduct Application Penetration Testing,Application Software Security
+16.14,Conduct Threat Modeling,Application Software Security
+17.1,Designate Personnel to Manage Incident Handling,Incident Response Management
+17.2,Establish and Maintain Contact Information for Reporting Security Incidents,Incident Response Management
+17.3,Establish and Maintain an Enterprise Process for Reporting Incidents,Incident Response Management
+17.4,Establish and Maintain an Incident Response Process,Incident Response Management
+17.5,Assign Key Roles and Responsibilities,Incident Response Management
+17.6,Define Mechanisms for Communicating During Incident Response,Incident Response Management
+17.7,Conduct Routine Incident Response Exercises,Incident Response Management
+17.8,Conduct Post-Incident Reviews,Incident Response Management
+17.9,Establish and Maintain Security Incident Thresholds,Incident Response Management
+18.1,Establish and Maintain a Penetration Testing Program,Penetration Testing
+18.2,Perform Periodic External Penetration Tests,Penetration Testing
+18.3,Remediate Penetration Test Findings,Penetration Testing
+18.4,Validate Security Measures,Penetration Testing
+18.5,Perform Periodic Internal Penetration Tests,Penetration Testing
\ No newline at end of file
diff --git a/document_template.yml b/document_template.yml
index 6b33e63..7ac8f94 100644
--- a/document_template.yml
+++ b/document_template.yml
@@ -1,356 +1,343 @@
- segment_type: "organization"
content:
- - title: "{{ document.organization.name }} - Risk Report"
- description: |
- Created at: {{ document.created_at|date:'Y-m-d' }}
+ - name: "{{ document.organization.name }}"
+ date: |
+ Date of Report: {{ document.created_at|date:'Y-m-d' }}
- segment_type: "executive_summary"
content:
- title: "Executive Summary"
description: |
- This Cyber Risk Assessment Report provides a comprehensive evaluation of {{ document.organization.name }}’s cybersecurity posture, focusing on identifying critical risks, prioritizing mitigation strategies, and aligning practices with internationally recognized frameworks such as CIS CSC18 v8.1, NIST CSF 2.0, ISO 27001:2022, and regulatory requirements like NIS2, DORA and GDPR. The assessment was conducted by StackSight LLC, leveraging insights from data provided by the representatives of {{ document.organization.name }}, consultancy and industry reports, and threat intelligence sources, to provide actionable guidance tailored to {{ document.organization.name }}’s unique operational environment.
-
- - subtitle: "Key Findings"
+ This Cyber Risk Assessment Report provides a comprehensive evaluation of {{ document.organization.name }}'s cybersecurity posture. The assessment focused on identifying critical risks, prioritizing mitigation strategies, and aligning practices with internationally recognized frameworks such as CIS CSC v8.1, NIST CSF 2.0, ISO 27001:2022, and regulatory requirements including NIS2, DORA, and GDPR. Conducted by StackSight LLC, the assessment leveraged data provided by representatives of {{ document.organization.name }}, insights from consultancy and industry reports, and threat intelligence sources to deliver actionable guidance tailored to {{ document.organization.name }}'s unique operational environment.
+ Key findings from the assessment reveal several areas where {{ document.organization.name }} faces heightened cybersecurity risks, particularly within the domains of phishing, ransomware, vendor risks, and unpatched software vulnerabilities. These identified risks pose significant threats to operational continuity, sensitive data, and regulatory compliance. The top risks are detailed in the findings section of this report.
+ To address these challenges effectively, a strategic roadmap comprising targeted safeguards is proposed. Each safeguard is prioritized based on its potential effectiveness in reducing both the likelihood and impact of identified risks. Key recommendations include the deployment of advanced email filtering systems, organization-wide enforcement of multi-factor authentication (MFA), implementation of a comprehensive patch management program, utilization of Endpoint Detection and Response (EDR) tools, ensuring frequent and securely stored data backups, and the establishment of robust vendor security standards coupled with continuous monitoring.
+ Implementation of these recommendations is projected to yield substantial quantifiable and qualitative benefits for {{ document.organization.name }}, including an estimated 75% reduction in financial exposure stemming from cyber incidents through targeted risk mitigation, increased adherence to relevant regulatory mandates, and enhanced operational continuity with significantly reduced downtime during potential cyber events.
+
+- segment_type: "key_findings"
+ content:
+ - title: "Key Findings"
description: |
- The assessment revealed several areas where "{{ document.organization.name }}" - faces heightened cybersecurity risks, particularly in the domains of phishing, ransomware, vendor risks, and unpatched software vulnerabilities. These risks pose significant threats to operational continuity, sensitive data, and regulatory compliance. The following are the top risks identified:
- - Phishing Attacks: High likelihood due to reliance on email communication and remote workforce operations.
- - Ransomware Incidents: Elevated impact, threatening critical data and operational systems.
- - Vendor Risks: Increased exposure due to reliance on over {{ document.organization.third_party_vendor_access }} third-party vendors without robust monitoring.
-
- - subtitle: "Recommendations"
+ The assessment revealed several areas where {{ document.organization.name }} faces heightened cybersecurity risks. These risks pose significant threats to operational continuity, sensitive data, and regulatory compliance. The top risks identified are: - Phishing Attacks: High likelihood due to reliance on email communication and remote workforce operations.
+ -
Phishing Attacks: Assessed with a high likelihood, primarily attributed to the organization's reliance on email communication and the prevalence of remote workforce operations.
+ -
Ransomware Incidents: Evaluated as having an elevated impact, capable of threatening critical data assets and operational systems, potentially causing significant disruption.
+ -
Vendor Risks: Indicating increased exposure resulting from reliance on a substantial number ({{ document.organization.third_party_vendor_access }}) of third-party vendors without the presence of robust monitoring mechanisms.
+ -
Unpatched Software Vulnerabilities: (Identified as a contributing factor to risks like Ransomware Infection and addressed by recommended controls).
+
+- segment_type: "recommendations"
+ content:
+ - title: "Recommendations"
description: |
- To address these risks, we propose a strategic roadmap comprising targeted safeguards, each prioritized for its effectiveness in reducing risk likelihood and impact. Key recommendations include:
-
- - Phishing Risk Mitigation:
- - Deploy advanced email filtering systems to reduce spam and malicious emails.
- - Enforce multi-factor authentication (MFA) organization-wide to secure access.
- - Conduct phishing simulations and training programs to enhance employee awareness.
-
- - Ransomware Prevention:
- - Implement a comprehensive patch management program to address software vulnerabilities.
- - Utilize endpoint detection and response (EDR) tools to monitor and contain threats.
- - Ensure frequent data backups, stored securely offline, to enable recovery.
-
- - Vendor Risk Management:
- - Establish robust vendor security standards, aligned with ISO 27001.
- - Conduct regular third-party risk assessments to monitor compliance and address vulnerabilities.
- - Integrate continuous monitoring solutions for vendor activities accessing critical systems.
-
- - subtitle: "Value Proposition"
+ To address the identified risks effectively, we propose a strategic roadmap of targeted safeguards. These safeguards are prioritized based on their potential effectiveness in reducing risk likelihood and impact. Key recommendations are categorized by the risks they primarily mitigate:
+ - subtitle: "Phishing Risk Mitigation:"
description: |
- By implementing these recommendations, {{ document.organization.name }} stands to achieve the following benefits:
- - 75% reduction in financial exposure from cyber incidents through targeted risk mitigation.
- - Increased compliance with regulatory mandates.
- - Enhanced operational continuity and reduced downtime during potential cyber events.
+ - Deploy advanced email filtering systems to significantly reduce the volume of spam and malicious emails reaching end-users.
+ - Enforce multi-factor authentication (MFA) organization-wide to secure access to systems and data, adding a critical layer of defense against compromised credentials.
+ - Conduct regular phishing simulations and comprehensive security awareness training programs to enhance employee vigilance and their ability to identify and report suspicious activity.
- - subtitle: "Next Steps"
+ - subtitle: "Ransomware Prevention and Recovery:"
description: |
- We recommend initiating a phased implementation plan, focusing first on high-priority safeguards such as MFA, patch management, and vendor assessments, to address the most pressing risks. Additionally, a regular risk register review cycle should be established to adapt to the evolving threat landscape.
+ - Implement a comprehensive patch management program to promptly address known software vulnerabilities across all relevant systems and applications.
+ - Utilize endpoint detection and response (EDR) tools to provide real-time monitoring, detection, and containment capabilities against malicious activities, including ransomware.
+ - Ensure frequent and verified data backups are performed, stored securely offline or in an immutable state, to enable effective recovery in the event of a ransomware attack or other data loss incidents.
+
+ - subtitle: "Vendor Risk Management:"
+ description: |
+ - Establish and enforce robust vendor security standards aligned with recognized frameworks such as ISO 27001, requiring third parties to meet defined security requirements.
+ - Conduct regular third-party risk assessments to evaluate the security posture of vendors, monitor their compliance with established standards, and identify and address potential vulnerabilities introduced through the supply chain.
+ - Integrate continuous monitoring solutions for vendor activities, particularly those accessing critical systems or sensitive data, to detect and respond to suspicious behavior promptly.
+
+- segment_type: "value_proposition"
+ content:
+ - title: "Value Proposition"
+ description: |
+ By diligently implementing the recommendations outlined in this report, {{ document.organization.name }} is positioned to achieve significant strategic and operational benefits:
+ -
Estimated 75% Reduction in Financial Exposure: Through the targeted mitigation of high-impact cyber risks, the potential financial losses associated with security incidents can be substantially reduced.
+ -
Increased Compliance with Regulatory Mandates: Alignment with frameworks such as GDPR, NIS2, and DORA will be enhanced, reducing the risk of non-compliance penalties and reputational damage.
+ -
Enhanced Operational Continuity and Reduced Downtime: Proactive risk mitigation and improved incident response capabilities will minimize the likelihood and impact of disruptive cyber events, ensuring business operations remain resilient.
+
+- segment_type: "next_steps"
+ content:
+ - title: "Next Steps"
+ description: |
+ We formally recommend initiating a phased implementation plan to address the identified risks. The initial phase should prioritize the deployment of high-impact safeguards, including organization-wide MFA enforcement, establishing a robust patch management program, and conducting initial vendor risk assessments to address the most pressing risks identified in this report. Concurrently, a structured and regular risk register review cycle should be established to ensure the organization's cybersecurity posture continuously adapts to the evolving threat landscape and changes in the operational environment.
- segment_type: "inherent_limitations"
content:
- title: "Inherent Limitations"
- subtitle: "Dynamic Nature of Cyber Threats"
description: |
- Cybersecurity threats evolve rapidly, driven by advancements in attack techniques, changes in technology, and new vulnerabilities. This report reflects a "point-in-time" snapshot of the organization’s risk landscape and does not account for changes occurring after the assessment. Regular updates are crucial to ensure that the organization remains resilient against emerging threats.
-
- A phishing risk rated as medium during this assessment could escalate due to unforeseen factors, such as a surge in targeted attacks within the industry.
-
- - subtitle: "Focus on Risk Management Frameworks"
+ This assessment, while conducted with due professional care and based on available information, is subject to certain inherent limitations that warrant explicit mention:
+ - subtitle: "Dynamic Nature of Cyber Threats:"
description: |
- This assessment adopts a risk-based approach, aligning findings with frameworks such as ISO 27001, CIS CSC18, NIST CSF, and regulatory requirements that include GDPR, NIS2, PCI DSS, and DORA. While these frameworks are comprehensive, they are not exhaustive. The recommendations are tailored to organizational priorities and risk tolerances, but residual risks are an inherent part of this approach.
-
- Residual Risk
- The level of risk remaining after the implementation of all recommended safeguards. For example, while multi-factor authentication (MFA) significantly reduces phishing risks, user behavior may still leave a small residual risk.
-
- - subtitle: "Scope and Context"
+ The landscape of cybersecurity threats is inherently dynamic, characterized by rapid advancements in attack techniques, continuous changes in technology, and the emergence of new vulnerabilities. This report represents a "point-in-time" snapshot of the organization's risk landscape as assessed on the report date and does not account for changes or new threats that may materialize subsequent to the assessment. Regular, periodic updates to the risk assessment are therefore crucial to ensure the organization remains resilient against emerging threats.
+ For instance, a phishing risk rated as medium during this assessment could potentially escalate rapidly in severity due to unforeseen external factors, such as a sudden surge in highly sophisticated targeted attacks specifically directed at the healthcare industry.
+ - subtitle: "Focus on Risk Management Frameworks:"
+ description: |
+ This assessment adopts a risk-based approach, aligning findings and recommendations with established international frameworks such as ISO 27001, CIS CSC v8.1, NIST CSF 2.0, and relevant regulatory requirements including GDPR, NIS2, PCI DSS, and DORA. While these frameworks provide a comprehensive basis for cybersecurity governance, they are not exhaustive. The recommendations provided are tailored to {{ document.organization.name }}'s specific organizational priorities and risk tolerances; however, it is important to acknowledge that residual risks will inevitably remain even after the implementation of recommended controls. Residual risk is an inherent characteristic of any risk management approach.
+ - subtitle: "Residual Risk:"
+ description: |
+ Residual risk is formally defined as the level of risk that persists after the implementation of all feasible and recommended controls. By way of example, while the implementation of multi-factor authentication (MFA) is highly effective in significantly reducing phishing risks, a small degree of residual risk may still persist due to factors such as potential human error or the emergence of novel attack vectors not fully mitigated by current controls.
+ - subtitle: "Scope and Context:"
description: |
This report is an organization-level assessment, emphasizing risks related to strategic and operational cybersecurity governance. It does not provide a system-level evaluation (e.g., penetration testing or vulnerability scanning) or an asset-level analysis of specific infrastructure components, devices, or applications.
-
For a more detailed understanding of individual systems or assets, supplementary assessments, such as technical audits, vulnerability scans, or penetration tests, are recommended.
-
- - subtitle: "Reliance on Provided Inputs"
+ - subtitle: "Control Maturity Assumptions:"
description: |
- The accuracy and reliability of this assessment are contingent upon the quality and completeness of the information provided by {{ document.organization.name }}. Any gaps, inaccuracies, or omissions in the input data may influence the findings and recommendations.
-
- If incomplete information about third-party integrations is provided, the resulting vendor risk analysis may underestimate potential vulnerabilities.
-
- - subtitle: "Control Maturity Assumptions"
+ Residual risk calculations presented in this report are predicated on the assumption that all recommended controls are implemented and maintained at the highest achievable maturity levels (e.g., aligned with CMMI Level 5 principles for process management). However, the actual maturity level of implemented controls within {{ document.organization.name }} may vary in practice, influenced by factors such as available resources, implementation timelines, and the effectiveness of ongoing maintenance and operational efforts.
+ For example, while a comprehensive patch management program is designed to significantly reduce software vulnerabilities, its ultimate effectiveness is directly dependent on operational factors such as the frequency and timeliness of patch deployment and adherence to established organizational policies and procedures.
+ - subtitle: "Scope of External Factors:"
description: |
- Residual risk calculations in this report assume that all recommended controls are implemented at highest maturity levels (e.g., CMMI Level 5). However, the maturity of controls within {{ document.organization.name }} may vary based on resources, implementation timelines, and ongoing maintenance efforts.
-
- For example, while patch management can significantly reduce software vulnerabilities, its effectiveness depends on factors like update frequency and organizational policies.
-
- - subtitle: "Scope of External Factors"
+ While this assessment focuses primarily on internal cybersecurity risks that are largely within {{ document.organization.name }}'s direct control, it does not encompass an evaluation of broader external factors that could potentially impact the organization's risk profile. These external factors may include, but are not limited to, geopolitical risks, the impact of natural disasters on infrastructure, or systemic vulnerabilities inherent within wider third-party ecosystems beyond {{ document.organization.name }}'s immediate vendor relationships.
+ - subtitle: "Dependency on Timely Implementation:"
description: |
- While this assessment focuses on internal risks under {{document.organization.name}}’s control, it does not evaluate broader external factors such as geopolitical risks, natural disasters, or systemic vulnerabilities in third-party ecosystems.
-
- - subtitle: "Dependency on Timely Implementation"
+ The effectiveness of the recommendations provided in this report in reducing risk is directly dependent upon the timely and effective implementation of the proposed controls. Delays in implementation, partial adoption of recommendations, or inadequate ongoing maintenance of controls may result in higher residual risks than those estimated in this assessment.
+ For instance, a delayed adoption and operationalization of endpoint detection and response (EDR) tools could leave the organization exposed to the full impact of ransomware attacks for a longer duration than would otherwise be necessary.
+ - subtitle: "Regular Reassessment Requirement:"
description: |
- The recommendations provided in this report assume the timely and effective implementation of proposed controls. Delays, partial implementations, or inadequate maintenance may result in higher residual risks than estimated in this assessment.
-
- Delayed adoption of endpoint detection and response (EDR) tools could leave the organization exposed to ransomware attacks for longer than necessary.
-
- - subtitle: "Regular Reassessment Requirement"
- description: |
- This report serves as a baseline assessment of cybersecurity risks. Given the dynamic nature of cyber threats and changes in technology and business processes, we recommend periodic reassessments to keep the risk register updated and aligned with the evolving threat landscape.
-
- A risk identified as low today might increase in severity due to changes in attack vectors, regulatory environments, or organizational growth.
+ This report serves as a baseline assessment of {{ document.organization.name }}'s cybersecurity risks at a specific point in time. Given the dynamic nature of cyber threats, continuous changes in technology, and evolving business processes, we formally recommend periodic reassessments of the cybersecurity risk landscape. Such reassessments are essential to keep the risk register updated, ensure alignment with the evolving threat environment, and validate the effectiveness of implemented controls.
+ A risk initially identified as low severity at the time of this report might increase significantly in severity over time due to changes in prevalent attack vectors, shifts in the regulatory environment, or organizational growth and expansion.
- segment_type: "approach_and_methodologies"
content:
- title: "Approach and Methodologies"
subtitle: "Methodology Overview"
description: |
- The risk assessment methodology employed in this report is rooted in the NIST 800-30 Guide for Conducting Risk Assessments, which defines risk as a function of likelihood and impact. This method is widely adopted due to its scalability and alignment with organizational needs. It is also compliant with ISO 27001, ISO31000, PCI DSS, ENISA, and CSA CCM, by focusing on the common key elements:
- 1. Risk Identification: Identifying threats, vulnerabilities, and potential impacts.
- 2. Risk Assessment: Evaluating the likelihood and severity of risks.
- 3. Risk Mitigation/Treatment: Implementing strategies to reduce, transfer, or accept risks.
- 4. Documentation: Keeping a detailed record of the risk assessment process.
- 5. Continuous Monitoring: Ongoing assessment to ensure that new risks are identified and mitigated.
- 6. Communication: Ensuring that risk findings are communicated to relevant stakeholders.
-
+ The risk assessment methodology employed in the preparation of this report is formally rooted in the principles and guidance outlined in the NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. This widely recognized standard defines risk as a function of the likelihood of a threat exploiting a vulnerability and the resulting impact. This methodology is broadly adopted across industries due to its scalability and inherent alignment with organizational risk management needs. The approach is also compliant with key international standards and frameworks, including ISO 27001, ISO 31000, PCI DSS, ENISA guidelines, and the CSA Cloud Controls Matrix (CCM), by focusing on the following common key elements:
+ 1.
Risk Identification: The systematic process of identifying potential threats, existing vulnerabilities, and the potential adverse impacts that could result from a cybersecurity event.
+ 2.
Risk Assessment: The formal evaluation of identified risks, involving the determination of both the likelihood of occurrence and the severity of the potential impact.
+ 3.
Risk Mitigation/Treatment: The process of selecting and implementing appropriate strategies and controls to reduce, transfer, or formally accept identified risks based on organizational risk tolerance.
+ 4.
Documentation: Maintaining a detailed and accurate record of the entire risk assessment process, including methodologies, findings, analysis, and treatment decisions.
+ 5.
Continuous Monitoring: Establishing ongoing processes to monitor the risk environment, assess the effectiveness of implemented controls, and identify new risks as they emerge.
+ 6.
Communication: Ensuring that risk findings, assessment results, and treatment plans are effectively communicated to relevant stakeholders across the organization.
- subtitle: "Inputs and Data Collection"
description: |
- This assessment was tailored using the following inputs from {{ document.organization.name }}:
- 1. Organizational Scale: Employee headcount and annual revenue.
- 2. Technology Landscape: Dependency on critical applications and network segmentation.
- 3. Regulatory Frameworks: Requirements such as GDPR, ISO 27001, and NIST CSF compliance.
- 4. Operational Context: Industry sector and reliance on third-party vendors.
+ This assessment was specifically tailored to {{ document.organization.name }}'s operational context using a combination of internal data and external threat intelligence. The primary inputs from {{ document.organization.name }} included:
+ - Organizational Scale: Data pertaining to employee headcount and annual revenue, providing context for potential financial impact calculations.
+ - Technology Landscape: Information on critical applications, network architecture, and segmentation, informing the identification of technical vulnerabilities and dependencies.
+ - Regulatory Frameworks: Details on applicable regulatory requirements and compliance obligations, such as GDPR, ISO 27001, and NIST CSF compliance status.
+ - Operational Context: Information regarding the industry sector in which {{ document.organization.name }} operates and the extent of its reliance on third-party vendors, informing the assessment of sector-specific and supply chain risks.
+ These internal insights were further enriched by incorporating relevant data and trend analysis from leading industry and consultancy sources.
-
- Insights were further enriched by incorporating data from leading sources, such as:
- - Verizon DBIR, emphasizing phishing and ransomware trends.
- - PwC’s Global Digital Trust Insights, highlighting gaps in vendor security management.
- - EY’s Cybersecurity Risk Radar, identifying emerging threats to specific industries.
-
-
- The outcome of the assessment is a Risk Register with top 10 organization-wide cybersecurity risks.
-
- - subtitle: "Risk Assessment Process"
+- segment_type: "risk_assessment_process"
+ content:
+ - title: "Risk Assessment Process - Scales"
description: |
- StackSight utilizes key concepts from standard NIST 800-30: Guide for Conducting Risk Assessments. A key calculation of risk provided by this document is one that ascribes a risk score to the likelihood of that risk being exploited, multiplied by the impact of the risk being exploited. This scoring methodology has been generally adopted globally and is considered by most to be the standard.
-
- This standard utilizes the concepts of inherent risk and residual risk. Inherent risk is the likelihood and impact of a risk being exploited without any mitigating factors or controls. While this is typically never the actual case, it represents the worst-case scenario presented by a given risk and serves as a solid “starting point” for how to measure the eventual reduction of that risk. Residual risk, on the other hand, considers all mitigating factors associated with a given risk, namely, controls. While the actual values and scale utilized are different between organizations, a scale of 1-5 is very common. In this scale, 1 is low and 5 is high.
-
- For further use we define the risk impact scored as:
- - 1: Less than (0.05% of annual revenue or x% of materiality) loss, no time required on individual contributors nor management to resolve. No reputational impact.
- - 2: Above (0.05% of annual revenue or x% of materiality) loss, 1-10hrs individual contributors time to resolve, and 10-20hrs of management time to resolve. Minimal concern of reputational impact.
- - 3: Above $(0.1% of annual revenue or x% of materiality) loss, 40-80hrs individual contributors time to resolve, and 10-20 hrs. of management time to resolve. Moderate concern of reputational impact.
- - 4: $(0.5% of annual revenue or x% of materiality), 80-160hrs individual contributors time to resolve, and 20-30 hrs. of management time to resolve. Major concern of reputational impact.
- - 5: $(1% of annual revenue or materiality) + loss, 160+ individual contributors time to resolve and 40hrs of management time to resolve. Enormous concern of reputational impact ("extremely out of line with regulations/unethical behavior").
-
- Material impact definition can depend on the organizational type. For companies above 1b annual revenue, it is set at 1% of annual revenue, and for organizations below that amount, it is 10%. For non-profit organizations, other stated guidelines are used.
-
-- segment_type: impact_definition_table
- content:
- description: |
- Impact is aslo defined with the following table:
- headers: ["Level", "Financial Cost", "Reputational Impact", "Management Effort", "Operational Resources", "RPO", "RTO"]
- rows:
- - ["Insignificant (1)", "< 0.05% Material", "Normal", "Normal", "Normal", "16 hr", "64 hr"]
- - ["Significant (2)", "> 0.5% Material", "Minor", "Minor", "Minor", "8 hr", "32 hr"]
- - ["Severe (3)", "> 10% Material", "Moderate", "Moderate", "Moderate", "4 hr", "16 hr"]
- - ["Material (4)", "> 50% Material", "Critical", "Critical", "Critical", "2 hr", "8 hr"]
- - ["Major (5)", "> Material", "Precarious", "Precarious", "Precarious", "1 hr", "4 hr"]
-
-- segment_type: "list_stack_sights"
- content:
+ For determining likelihood, StackSight LLC utilizes a commonly referenced scale, presented below:
+ - headers: ["Likelihood Score", "Probability of Happening in a Year", "Descriptor", "Criteria"]
+ rows:
+ - ["1", "0-10%", "Rare", "Has never occurred or has not occurred in the prior 10 years. Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will."]
+ - ["2", "11-24%", "Unlikely", "Has occurred in the past 10 to 4 years. Not expected, but there's a slight possibility it may occur at some time."]
+ - ["3", "25-50%", "Probable", "Has occurred in the past 4 to 2 years. The event might occur at some time as there is a history of casual occurrence at similar organizations."]
+ - ["4", "51-89%", "Likely", "Has occurred in the past 2 to 1 years. There is a strong probability the event will occur as there is a history of frequent occurrence at similar organizations."]
+ - ["5", "90-100%", "Almost Certain", "Currently occurs or has occurred in the last year. The event is expected to occur in most circumstances as there is a history of regular occurrence at similar organizations."]
- description: |
- For determining likelihood, we use StackSight's commonly referenced scale:
- - level: 1
- description: 1. "0-3% chance of happening in a year"
- - level: 2
- description: 2. "4-10% chance of happening in a year"
- - level: 3
- description: 3. "11-50% chance of happening in a year"
- - level: 4
- description: 4. "51-90% chance of happening in a year"
- - level: 5
- description: 5. "91-100% chance of happening in a year"
+ The risk impact is formally scored using the following definitions and corresponding operational recovery metrics (RPO/RTO):
+ - headers: ["Impact/Severity", "Cost", "Reputation (Internal & External)", "Management Effort", "Operational Resources", "Compliance/SOX/CRA/NIS2 Impact"]
+ rows:
+ - ["Insignificant (1)", "0% to .04% of Gross Revenue", "Unaware – A reasonable person does not have knowledge of the situation or fact. Additionally there is no obligation to divulge the incident.", "Normal Activity - Usual, average or typical company processes. Typically no extra managements cumulative time needed.", "Additional Resources - No extra Internal or External personnel needed to bring resolution to the issue outside of normal processes.", "Low direct regulatory implications. Baseline operational obligations and internal controls are expected to be maintained."]
+ - ["Significant (2)", "~.05% to .25% Gross Revenue", "Minimum Concern - If a reasonable person obtains knowledge of the situation or fact and there is no reaction either positive or negative. Additionally, there is no obligation to divulge the incident.", "Minimum Management Effort - 1-10hrs of managements cumulative time.", "Minor Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 4- 40hrs worth of cumulative time.", "Primarily an internal control issue. Notification to designated authorities may be required. Potential for initial warnings or minor penalties depending on the nature."]
+ - ["Severe (3)", "~.25% to .5% Gross Revenue", "Moderate Concern – A reasonable person obtain knowledge of the situation that could violate, laws, regulations or compliance but the narrative is that management is in control and are rectifying the situation appropriately.", "Moderate Management Effort - 10 to 20 hrs. of managements cumulative time.", "Moderate Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 40 - 80hrs (2 weeks) worth of cumulative time.", "A clear deviation from expected operational or product/service standards, requiring notification and remediation actions. Mandatory reporting to authorities. Risk of financial penalties and increased regulatory scrutiny."]
+ - ["Material (4)", "~ .5% to 1% Gross Revenue", "Severe Concern – A reasonable person obtains knowledge of the situation that could violate, laws, regulations or compliance and the narrative is that management is acting in a negligent manner to rectify the situation.", "Severe Management Effort - 20 to 40hrs of managements cumulative time", "Severe Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 80hrs (2 weeks) - 160hrs (4 weeks) worth of cumulative time.", "Serious non-compliance with established standards. Risk of significant operational disruptions, including potential product/service restrictions or recalls. Mandatory and detailed reporting to authorities is required. High likelihood of substantial financial penalties, potential suspension of services, and personal accountability for responsible management."]
+ - ["Major (5)", "~ 1% Gross Revenue", "Outrage from a reasonable person – A reasonable person obtains knowledge of the situation that violates, laws, regulations or compliance and the narrative is that management is acting in a negligent manner to rectify the situation or is not rectifying the situation.", "Precarious Management Effort - 40hrs or more of managements cumulative time, potential management will be removed from their position.", "Precarious Operational Resources - Internal or External personnel may be needed to bring resolution to the issue over 160 hrs. (4 weeks) worth of cumulative time.", "Systemic failure with severe consequences. Significant regulatory sanctions expected. Mandatory, multi-stage, and comprehensive reporting to authorities is required. Maximum financial penalties are likely, with potential for temporary prohibition of managerial functions and other stringent enforcement actions. The possibility of criminal liability may be considered depending on applicable law or regulation."]
+ - description: |
+ The specific definition of material impact is contingent upon the organizational type and scale. For companies exceeding 1 billion USD in annual revenue, the materiality threshold for major impact is set at 1% of annual revenue. For organizations below this revenue threshold, it is set at 10%. For non-profit organizations, alternative, pre-defined guidelines are utilized.
-- segment_type: "likelihood_table"
+- segment_type: "risk_matrix"
content:
- description: |
- Likelihood is defined on the probability of the risk materializing in the next 12 months.
- html: |
-
- {% for row in table_risk_matrix %}
-
- {% for cell in row %}
- {% if forloop.parentloop.first %}
- | {{ cell }} |
- {% else %}
- {% if forloop.first %}
- {{ cell }} |
- {% else %}
-
- {{ cell.1 }}
{{ cell.0 }}
- |
- {% endif %}
- {% endif %}
+ - title: "Risk Matrix"
+ description: |
+ The Risk Score is calculated as the product of the Inherent Impact Score and the Inherent Likelihood Score.
+ - html: |
+
+
+
+
+ {% for cell in table_risk_matrix_header %}
+ | {{ cell }} |
{% endfor %}
-
- {% endfor %}
-
+
+
+
+ {% for row in table_risk_matrix_rows %}
+
+ | {{ row.0 }} |
+ {% for cell in row|slice:"1:" %}
+ {{ cell.0 }} |
+ {% endfor %}
+
+ {% endfor %}
+
+
+
+ - description: |
+ Risk Tolerance Range: Scores between 5 and 7 are generally considered within the acceptable risk tolerance range for capcarap, subject to formal acceptance by leadership.
+ - warning: |
+ Intolerable Risks: Risks with scores of 8 or above are formally classified as intolerable and require immediate treatment.
+ - subtitle: "Risk Matrix Visualization - Inherent Risk"
+ description: |
+ The chart below visually represents the inherent risk scores of the top 10 identified risks based on their Inherent Likelihood and Impact, mapped onto the risk matrix gradient. The size of the marker indicates the number of risks at that specific Likelihood/Impact intersection.
+ image: "data:image/png;base64,{{ graph }}"
-- segment_type: "aproach_continuation"
+- segment_type: "results_and_recommendations"
content:
- description: |
- Baseline Risk Tolerance is defined at the risk level 7 and below, established by taking the maximum Impact (5) and Likelihood (5) which divides the risk matrix diagonally between the minimum and maximum risk ranges of 0-25 which establishes the Tolerance Range.
- subtitle: "Risk Treatment Planning"
- description: |
- Risks are categorized by priority, with treatment strategies that include mitigation, avoidance, or transference, depending on severity and organizational capacity. Identified risks are mapped to safeguards from CIS CSC18, prioritized by effectiveness in reducing likelihood and impact. Each control is weighted based on its potential to mitigate the risk, and residual risk scores are calculated assuming full control maturity. Each mapped safeguard provides in-depth information on its utility specific to the risk.
- Identified safeguards are grouped into CIS Control as a guidance for security program building. Other CIS safeguards, belonging to the same CIS Control group are documented for further considerations. Also any control defined as a dependencies are listed as well. Implementation of these extended security programs could help reduce identified risks by additional 12%.
- subtitle: "Residual Risk Assessment"
- description: |
- After implementing the recommended controls, the residual risks are quantified, offering a clearer view of the organization’s risk posture. Research has shown that implementing recommended safeguards will reduce the related risk by 80%, if the controls are functioning at the highest maturity level.
- subtitle: "Technical Term: Residual Risk:"
- description: |
- The level of risk that remains after implementing all feasible controls. For example, while MFA reduces phishing risk, a small residual risk persists due to potential human error.
+ - title: "Results and Recommendations"
+ - subtitle: "Organizational Context:"
+ description: |
+ {{ document.organization.name }} operates within the {{ document.organization.industry_sector }} sector, employing {{ document.organization.employee_headcount }} ersonnel and annual revenues estimated to be between {{ document.organization.annual_revenue }}. The organization exhibits a {{ document.organization.it_dependency }} dependency on technology for its core operations and service delivery. The operational environment is subject to stringent regulatory mandates including but not limited to {{ document.organization.compliance_frameworks }}. These regulatory requirements underscore the critical need for robust and demonstrable cybersecurity governance and controls.
+ - subtitle: "Top 10 Risks Identified:"
+ description: |
+ Based on the comprehensive assessment methodology applied, the following top 10 cybersecurity risks have been formally identified and prioritized for {{ document.organization.name }} based on their inherent risk scores:
+ - html: |
+
+ - description: |
+ Each identified risk has been assigned an inherent impact and likelihood score, which are then used to calculate the inherent risk score. These risks are visually represented on the risk matrix chart to facilitate prioritization and understanding of their relative positions within the risk landscape.
-- segment_type: "results_and_recomendation"
+- segment_type: "risks_with_residuals"
content:
- - title: "Results and Recomendation"
- subtitle: "Organizational Context"
+ - title: "Risks with Residuals"
+ subtitle: "Risk Treatment Plan:"
description: |
- {{document.organization.name }} operates in the {{document.organization.industry_sector }} sector, employing {{document.organization.employee_headcount }} personnel with annual revenues of approximately {{document.organization.annual_revenue}}. The organization relies heavily on technology, with a dependency score of {{document.organization.it_dependency}}. Regulatory mandates such as {{document.organization.compliance_frameworks}} drive the need for robust cybersecurity governance.
-
-- segment_type: "top_ten_risks"
- content:
- - subtitle: "Top 10 Risk Identified"
- description: |
- Based on the assessment, the following top 10 risks have been prioritized:
- html: |
-
+ To effectively address the identified risks, a comprehensive risk treatment plan is formally proposed. This plan prioritizes the implementation of controls based on their assessed capacity to reduce the inherent risk. Standard risk treatment strategies considered include:
+ 1.
Implementing specific safeguards and controls designed to reduce the likelihood of a risk event occurring or minimize its potential impact.
+ 2.
Making a conscious decision to refrain from engaging in activities or adopting architectures that introduce a specific high-level risk.
+ 3.
Shifting the financial or operational impact of a risk to a third party, typically through mechanisms such as cybersecurity insurance or contractual agreements with vendors.
+ 4.
An informed decision by organizational leadership to acknowledge a specific risk and choose not to implement further controls, based on a formal assessment that the residual risk is within acceptable tolerance levels.
-- segment_type: "graph_risk_likelihood"
- content:
- description: |
- Each risk is assigned an impact and likelihood score, and plotted on a risk matrix to visualize prioritization.
- image: "data:image/png;base64,{{ graph }}"
+ Where the implementation of controls is assessed as feasible and effective, all risks should be formally treated. Based on the established risk assessment procedure, any risk with an inherent risk score of 8 or above is formally classified as intolerable and must be treated in a timely and prioritized manner to reduce it to an acceptable residual level.
+ Prior to formally considering the acceptance of any risk, a rigorous evaluation must be conducted to ensure that the risk has been reduced to the smallest possible residual level through the application of one or more appropriate risk treatment approaches.
+ - html: |
+
-- segment_type: "result_continuation"
+- segment_type: "residual_risk_matrix"
content:
- subtitle: "Recommended Controls"
- description: |
- For each risk, tailored safeguards are recommended based on the CIS CSC18 framework. For example:
- • Phishing Mitigation:
- ◦ Deploy advanced email filtering tools.
- ◦ Mandate organization-wide multi-factor authentication (MFA).
- ◦ Conduct regular phishing simulations and employee training.
- • Vendor Risk Management:
- ◦ Establish vendor security standards aligned with ISO 27001.
- ◦ Conduct third-party risk assessments.
- ◦ Implement continuous monitoring for vendor compliance.
- subtitle: "Key Insight:"
- description: |
- According to CIS report xxxxx risk can be reduced by 80%/////
+ - title: "Risk Matrix Visualization - Residual Risk"
+ description: |
+ The chart below visually represents the residual risk scores of the top 10 identified risks based on their Residual Likelihood and Impact after applying proposed mitigating controls. The size of the marker indicates the number of risks at that specific Likelihood/Impact intersection.
+ image: "data:image/png;base64,{{ residual_graph }}"
- subtitle: "Risk Treatment Plan"
- description: |
- To address identified risks, a comprehensive risk treatment plan is proposed, prioritizing controls with the highest risk reduction capacity. Strategies include:
- 1. Mitigation: Implementing safeguards to reduce likelihood or impact.
- 2. Avoidance: Refraining from high-risk activities or architectures.
- 3. Transference: Shifting risk through insurance or contractual agreements.
- 4. Acceptance: Informed decision by organizational leadership not to take any action.
- Where feasible, all risks should be treated. If the risk score is 8 or above based on the risk assessment procedure, it must be treated in a timely manner. Before considering accepting a risk, the risk should be reduced to the smallest possible residual risk using one or more risk treatment approaches.
- content:
- title: "Risks with Residuals"
- html: |
-
+- segment_type: "framework_alignment"
+ content:
+ - title: "Framework Alignment"
+ - subtitle: "CIS Critical Security Controls (CSC) v8.1:"
+ description: |
+ The CIS Critical Security Controls (CSC) v8.1 is a globally recognized, prioritized set of cybersecurity best practices designed to help organizations improve their cyber defenses against known attack vectors. Developed by the Center for Internet Security (CIS), the framework provides a structured approach to implementing and managing essential cybersecurity safeguards. CIS CSC v8.1 consists of 18 top-level Controls, each supported by a set of Safeguards (formerly known as Sub-Controls). The framework is designed to be actionable and provide a clear path for organizations of varying sizes and complexities to enhance their cybersecurity posture effectively.
+ - subtitle: "NIST Cybersecurity Framework (CSF) 2.0:"
+ description: |
+ The NIST Cybersecurity Framework (CSF) 2.0 provides a structured and flexible approach for organizations to understand, manage, reduce, and communicate cybersecurity risks. Developed by the National Institute of Standards and Technology (NIST), CSF 2.0 maintains the core structure of its predecessor but introduces enhancements, including a new Govern function to emphasize cybersecurity governance. The framework is organized around six key functions that represent the lifecycle of managing cybersecurity risk: Identify, Govern, Protect, Detect, Respond, and Recover. CSF 2.0 is designed to be adaptable to various technologies and sectors, providing a common language for internal and external stakeholders to discuss and manage cybersecurity risks effectively.
+ - subtitle: "Cybersecurity Capability Maturity Levels (CMMI Adaptation):"
+ description: |
+ The table below presents an assessment of the organization's cybersecurity capabilities across key functions derived from the NIST CSF 2.0, mapped against maturity levels adapted from the Capability Maturity Model Integration (CMMI) framework. These levels describe a progression from initial, chaotic processes (Level 1) to optimized, continuously improving processes (Level 5).
+ headers: ["NIST CSF 2.0 Function", "Level 1 (Initial)", "Level 2 (Managed)", "Level 3 (Defined)", "Level 4 (Quantitatively Managed)", "Level 5 (Optimizing)"]
+ rows:
+ - ["Govern", "Reactive and ad hoc.", "Nascent and unreliable.", "Established, predictable, reliable.", "Provides direction and shapes program.", "Key pillar, known and reportable state."]
+ - ["Identify", "Little to no identification.", "Immature process.", "Standard, well-defined process.", "Proactively monitored periodically.", "Continuously monitored, incorporated into business decisions."]
+ - ["Protect", "Reactive and ad hoc.", "Implemented across environment.", "Formally defined, protected in accordance with classification.", "Proactively monitored via protective technologies.", "Operationalized through automation and advanced technologies."]
+ - ["Detect", "Not detected timely.", "Established through tools and procedures.", "Baseline of 'normal' activity established and applied.", "Continuous monitoring program established for real-time threats.", "Continuously learning behaviors and adjusting capabilities."]
+ - ["Respond", "Reactive or non-existent.", "Reactive or non-existent.", "Analysis capabilities applied consistently by IR roles.", "IR Plan defines steps for preparation, analysis, containment, eradication, post-incident.", "Times and impacts monitored and minimized."]
+ - ["Recover", "Applied consistently to incidents impacting business operations.", "Continuity & Disaster Recovery Plan defines steps to continue critical functions and resume operations.", "Recovery times and impacts monitored and minimized.", "Capabilities of all IT personnel, procedures, technologies regularly tested and updated.", "Capabilities of all IT personnel, procedures, technologies regularly tested and updated."]
-- segment_type: "frameworks_and_standards"
+- segment_type: "industry_and_consultancy_benchmarks"
content:
- -title: "Frameworks and Standards"
- subtitle: "CIS CSC18"
- description: |
- The report aligns with the CIS Critical Security Controls (CSC18) framework, a globally recognized standard for implementing scalable and high-impact controls.
+ - title: "Industry and Consultancy Benchmarks"
+ description: |
+ The insights and analysis presented in this report were informed by incorporating data and trend analysis from leading industry and consultancy publications. These sources provide valuable context regarding prevalent threats, attack methodologies, and effective control strategies observed across various sectors.
-- segment_type: cmmi_table
+- segment_type: "risks_with_mitigating_controls"
content:
- headers: ["Category", "Level 1", "Level 2", "Level 3", "Level 4", "Level 5"]
- rows:
- - ["Govern", "Governance and oversight of cybersecurity risk is reactive and ad hoc.", "Governance and oversight of cybersecurity risk exists, but is nascent and unreliable.", "Governance and oversight of cybersecurity risk is established, predictable and reliable.", "Governance and oversight of cybersecurity risk provides direction and shapes the overall program.", "Governance is a key pillar of the cybersecurity risk program and current-state of all safeguards and controls is known and reportable."]
- - ["Identify", "Little to no cybersecurity risk identification.", "Process for cybersecurity risk identification exists, but it is immature.", "Risks to IT assets are identified and managed in a standard, well-defined process.", "Risk to the business environment are identified and proactively monitored on a periodic basis.", "Cybersecurity risks are continuously monitored and incorporated into business decisions."]
- - ["Protect", "Asset protection is reactive and ad hoc.", "Data protection mechanisms are implemented across the environment.", "Data is formally defined and protected in accordance with its classification.", "The environment is proactively monitored via protective technologies.", "Protection standards are operationalized through automation and advanced technologies."]
- - ["Detect", "Anomalies or events are not detected or not detected in a timely manner.", "Anomaly detection is established through detection tools and monitoring procedures.", "A baseline of 'normal' activity is established and applied against tools/procedures to better identify malicious activity.", "A continuous monitoring program is established to detect threats in real-time.", "Detection and monitoring solutions are continuously learning behaviors and adjusting detection capabilities."]
- - ["Respond", "The process for responding to incidents is reactive or non-existent.", "The process for recovering from incidents is reactive or non-existent.", "Analysis capabilities are applied consistently to incidents by Incident Response (IR) roles.", "An IR Plan defines steps for incident preparation, analysis, containment, eradication, and post-incident.", "Response times and impacts of incidents are monitored and minimized."]
- - ["Recover", "Resiliency and recovery capabilities are applied consistently to incidents impacting business operations.", "A Continuity & Disaster Recovery Plan defines steps to continue critical functions and resume normal operations.", "Recovery times and impacts of incidents are monitored and minimized.", "The capabilities of all IT personnel, procedures, and technologies are regularly tested and updated.", "The capabilities of all IT personnel, procedures, and technologies are regularly tested and updated."]
-
-- segment_type: "framework_continuation"
- content:
- subtitle: "NIST CSF"
+ - title: "Risks with Mitigating Controls"
description: |
- The NIST Cybersecurity Framework (CSF) provides a structured approach to risk management, emphasizing identification, protection, detection, response, and recovery.
- Industry and Consultancy Benchmarks
- • Verizon DBIR: Insights into phishing, ransomware, and insider threats.
- • PwC’s Digital Trust Insights: Trends in vendor risk management and supply chain vulnerabilities.
-
-- segment_type: "risk_controls_table"
- content:
- - title: "Risks with Controls"
- html: |
+ The following section details the top identified risks and lists relevant mitigating controls. The controls are referenced using their corresponding CIS CSC v8.1 identifier and are assigned a weight indicating their relative effectiveness or importance in mitigating the specific risk. Controls are listed in numerical order by Safeguard ID.
+ - html: |
+- html: |
{% for item in risks_with_controls %}
-
{% endfor %}
-- segment_type: "continous_improvment"
+- segment_type: "cis_control_safeguard_summary"
content:
- - title: "Continuous Improvement"
+ - title: "CIS Control Safeguard Summary"
+ description: |
+ The following table summarizes the CIS Control Safeguards referenced as mitigating controls for the identified risks and indicates the number of times each safeguard was listed across all risk mitigation sections. Safeguards are listed by their reference number and description, grouped by their respective CIS Control.
+ - html: |
+
+ - note: |
+ Note: The mapping of Safeguard IDs to CIS v8 Control Titles is based on the most relevant control description in CIS v8. Some Safeguard IDs in the source document may not align perfectly with the numbering conventions of the current CIS v8 framework.
+
+
+- segment_type: "continuous_improvement"
+ content:
+ - title: "Continuous Improvement"
+ description: |
+ Cybersecurity is formally recognized as a continuous journey, not a static destination. To effectively adapt to the evolving threat landscape and changes in the operational environment, {{ document.organization.name }} should establish processes for regular risk register reviews and cybersecurity maturity assessments. Implementing a structured cybersecurity improvement roadmap will ensure that controls remain effective, are continuously optimized, and remain aligned with organizational priorities and strategic objectives.
+ The risk register should be reviewed and updated on a regular, defined cycle. This review process must include a formal re-assessment of existing risks based on identified changes to organizational information systems, the environments in which the systems operate (change monitoring), and changes in the feasibility or effectiveness of ongoing risk response measures. Risks that have been formally accepted should also be re-evaluated during each cycle to confirm that the residual risk remains within acceptable tolerance levels. Concerted efforts should be made to optimize risk response measures where feasible, aiming for continuous reduction of residual risk.
+
+- segment_type: "disclaimer"
+ content:
+ - subtitle: "Disclaimer"
description: |
- Cybersecurity is a continuous journey. {{document.organization.name}} should establish regular risk register reviews and maturity assessments to adapt to evolving threats. Implementing a cybersecurity improvement roadmap will ensure that controls remain effective and aligned with organizational priorities.
- The risk register should be reviewed regularly. The review must include a re-assessment of risks based on identified changes to organizational information systems and the environments in which the systems operate that may affect risk (change monitoring) including changes in the feasibility of the ongoing implementation of risk response measures. Risks that have been accepted should be re-evaluated at every cycle. Efforts should be made to optimize risk response measures, where feasible.
\ No newline at end of file
+ This report is provided for informational purposes only and is based on the data and information available to StackSight LLC at the time of the assessment. The findings and recommendations contained herein are intended solely to provide guidance to {{ document.organization.name }} in enhancing its cybersecurity posture. Cybersecurity risks are inherently dynamic and subject to continuous evolution. StackSight LLC makes no warranties, express or implied, regarding the completeness, accuracy, or suitability of this report for any specific purpose or outcome. The implementation of the recommendations outlined in this report does not constitute a guarantee of complete protection against all potential cyber threats or incidents.
+ {{ document.organization.name }} assumes full responsibility for all decisions made based on the content of this report and for the implementation, ongoing management, and effectiveness of its cybersecurity controls and risk management program. This report should not be construed as, nor relied upon as, legal or regulatory advice.
\ No newline at end of file
'
+ f'