ProcessUnity GRX Validation
Customers who request ProcessUnity GRX assessments may also request independent validation. The objective of the validation process is to give Customers information that allows them to establish a level of confidence in the accuracy of their Third Parties' assessment results: can the Third Party prove, through evidence and beyond a reasonable doubt, that it actually does what it says it does in the assessment?
The validation process consists of an evidence request, followed by evidence collection and evidence evaluation; a second round of the same steps is conducted if the first round does not produce sufficient evidence.
Evidence Preparation & Guidance for Third Parties
Identifying the appropriate evidence artifacts can be difficult, so we’ve developed this guidance to provide some helpful recommendations, tips, and tricks.
- Be sure that the evidence you provide clearly supports the answers chosen in your assessment.
  - Example: If you answered that you encrypt data at rest, a screenshot of a valid SSL certificate is not appropriate evidence, even though it addresses the use of encryption. Instead, consider providing a screenshot from a whole-disk encryption solution.
- Consider adding a notation or comment for the GRX Assessor if an explanation is needed to clarify the evidence provided. This can significantly reduce the amount of time it takes to complete the validation process.
- Label provided evidence with the number of the corresponding control(s). This too can significantly reduce the amount of time it takes an Assessor to evaluate the evidence and complete the validation process.
- Remember that verbal evidence alone, without the support of documentation or other evidence artifacts, is not sufficient to validate assessment answers. Verbal evidence includes conversations or interviews with GRX Assessors as well as written explanations submitted as evidence.
  - Example: Providing a note that says "We de-activate accounts after 5 unsuccessful login attempts" would not be sufficient evidence to validate subcontrol 3.3.2.7 Account Lockout. Instead, consider sending a screenshot from a group policy that shows the setting for the account lockout threshold.
- Written policies can provide excellent evidence for assessment answers that focus on the existence, development, update, or execution of policy. Policies generally do not provide clear evidence of the actual implementation or effectiveness of technical security controls (e.g. Server Hardening).
- Whenever possible, ensure that the evidence you provide can be attributed to your organization. An isolated snippet from one paragraph of an SOP may support an assessment answer but will likely result in a follow-up request from the GRX Assessor. Instead, consider sending the entire SOP, or the SOP section, that includes your organization's branding.
- Ensure that provided evidence is clearly associated with the type of asset (e.g. workstations, servers, mobile devices, etc.) that is the focus of your chosen assessment answer.
  - Example: If you indicated that you have implemented anti-malware tools on desktops and laptops, an isolated screenshot of an anti-malware agent typically will not provide sufficient evidence, because the Assessor has no way to confirm the type of device on which the anti-malware software has been installed. Combining the screenshot with, for example, a runbook for imaging laptops clarifies the asset type on which the anti-malware solution has been implemented.
- Previously completed assessment reports or audit reports can be used as evidence, but they must meet the following criteria:
  - The assessment must have been conducted by a trusted independent organization
  - The assessment must have been conducted within the previous 12 months (or be within its expiry period)
  - The scope of the assessment and its relation to the Third Party must be explicitly defined
  - The method and results of each tested activity must be clearly documented
- When in doubt, reach out to your ProcessUnity GRX Assessment Coordinator. We are here to facilitate the timely and accurate completion of your assessment and are happy to answer your questions or provide clarification as needed.
Validated Controls
The GRX has identified 60 controls to be used for validation that describe safeguards to prevent today’s most pervasive and dangerous cyber-attacks.
The following list includes the validated controls and examples of evidence that Third Parties may provide to validate the implementation and effectiveness of these controls.
If you respond 'Yes', indicating that a control is in place and applicable to your environment, please begin collecting evidence, as it will be requested for review by our Validation Team.
Critical Controls
Control Number |
Sub-control Name and Description |
Administrative Evidence Examples |
Logical Evidence Examples |
Example Technologies or Guidance |
1.1.2.1 |
Risk Assessment Establish inherent risk and conduct assessments to capture the residual risk of organizational activities. |
• Requirements documents governing the organization's risk assessment / management program • Procedural documents (runbooks, response plans, etc.) describing how the organization assesses and manages risk, who engages in risk assessment activities, and how identified risks are tracked • Sample security assessment reports |
• Screenshot(s) from GRC or risk register tools showing the types of risks being tracked, the individuals responsible for mitigating risks, and how often identified risks are reviewed • Screenshot(s) from ticketing systems used to document and track identified risks |
ISO Cert |
1.3.3.1 |
Cyber Security Policy and Standards Approval and Dissemination Obtain approval of cybersecurity policies and standards from senior leadership, and disseminate them throughout the enterprise. |
• Requirements documents governing the organizations cyber security or a cyber security charter. • Requirements documents governing the commutation of cybersecurity information. |
• Screenshots(s) from GRC tools showing the organization's chosen policies, security standards, and their approval. |
• RiskLens • SecuraStar • RSA Archer • R-Sam • Logic Manager • MetricStream • ISO Cert |
1.4.1.1 |
Cyber Security Audit and Compliance Design Design and implement a cybersecurity audit and compliance function |
• Requirements documents that govern the organization's compliance function • Procedural documents (runbooks, response plans, etc.) describing how the organization conducts audits |
|
• ISO Cert • PCI |
2.1.2.1 |
Threat Analysis Collect, analyze, and report data on potential threats to the organization and indicators of compromise (IOCs). |
• Threat assessment, analysis or supporting documents that indicate the type threats analyzed (i.e. attack kill chains, modeling of attacks, etc.) • Threat assessment, analysis or supporting documents that indicate the stakeholders associated with threat assessment activities (i.e. security personnel, IT operations, business unit l) |
• Example brief of threat intelligence that is ingested into organization tools and processes • Screenshot of organizational tools that indicates ingestion of threat information (i.e. Known Bad IP Addresses, indicators of compromise ) |
•STIX/TAXII/CYBOX • AlienVault • OpenIOC • OASIS Cyber Threat Intelligence • FSR BITS • Cyber Threat Alliance • ISAC Feeds
|
2.2.2.1 |
Vulnerability Scans Perform vulnerability scans to identify vulnerabilities in then environment. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation; however, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical or demonstrated evidence is provided. |
• Screenshot of vulnerability scan tool or other tools that shows the assets being scanned • Screenshot of vulnerability scan tool or other tool that shows the frequency of scans conducted |
• Nessus Security Center • SCAP • Rapid 7 • Qualys • Cronus • Vericode |
2.2.2.3 |
Penetration Tests Conduct penetration testing to identify security vulnerabilities (e.g. staff, systems, and facilities). |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation; however, administrative evidence alone is not adequate to validate this control.This control can only be validated if logical or demonstrated evidence is provided. |
• Samples penetration tests performed on the organization. |
• Kali Linux • Wireshark |
2.2.3.1 |
Vulnerability Prioritization Establish a vulnerability prioritization framework that effectively and quickly prioritizes the vulnerabilities across all asset classes in the environment. |
• Requirements documents describing vulnerability prioritization and the assets covered • Procedural documents (runbooks, response plans, etc.) describing methods for vulnerability prioritization • Sample documented after action reports describing efforts to remove vulnerabilities from organizational environments |
• Screenshot(s) of a ticketing system that tracks vulnerability remediation • Screenshot(s) of a vulnerability scanner(s) |
• Veracode • Qualys • Tenable |
2.3.2.1 |
Assess - Security Alerting and Analytics Leverage data from security monitoring and analytics platforms to alert on known signatures, unknown attacks, and abnormal behavior. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation; however, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical or demonstrated evidence is provided. |
• Sample alert from SIEM tool • Sample alert from other monitoring tools (malware, configuration management, etc.) • Screenshot(s) from automated monitoring tools showing alerting configuration |
• SIEM tools (e.g. Splunk, QRadar, LogRhythm, ArcSite, etc.) • NetWatcher Network Monitoring • Tenable Security Center |
2.4.2.1 |
Incident Classification Establish a capability to classify security incidents into distinct categories to enable rapid response capabilities. |
• Requirements documents governing the organization's incident / event response program • Procedural documents (runbooks, response plans, etc.) describing the scope and implementation of the organization's incident / event response capability |
• Screenshot(s) of a incident management showing incident validation/classification • Screenshot(s) of a incident management showing incident notification and/or reporting |
• Zendesk • SolarWinds • Webhelpdesk • Servicenow
|
2.4.3.1 |
Incident Containment Utilize people, process, and technology capabilities to contain a security incident in the environment. |
• Requirements documents governing the organization's incident / event response program • Procedural documents (runbooks, response plans, etc.) describing the scope and implementation of the organization's incident / event response capability |
• Screenshot of incident management/forensics tool illustrating threat removal process. |
• Documents associated with NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response • Documents associated with NIST 800-61 Computer Security Incident Handling Guide • Documents associated with ISO/IEC 27035 Information security incident management • SANS INvestigative Tool Kits (SIFT) • Sluethkit • GRC workflows (RSA Archer Incident Management)
|
2.5.1.1 |
Restore Normal Operations Establish an incident recovery plan to restore normal operations following a security incident. |
• Requirements documents governing the organization's contingency planning, disaster recovery, and/or resiliency program • Procedural documents (runbooks, response plans, etc.) describing the implementation and scope of the organization's backup and recovery capability |
• Screenshot(s) from data backup tools showing the types of backups that are scheduled and the target data |
• Veeam Backup & Replication • Dell EMC • Code42 • Veritas NetBackup
|
2.5.3.2 |
Incident Reporting and Notification Establish a process and content for notifying key stakeholders of cyber security incidents. |
• Requirements documents governing the organization's incident/event response program that indicate the capabilities of the incident response program • Procedural documents (runbooks, response plans, etc.) describing the scope and implementation of the organization's incident / event response capability and indicating who is notified in the event of a breach • Sample notification documents demonstrating stakeholders notified of data breaches and time frame of notification • Requirements documents describing time frames for threat removal and assets covered by threat removal capabilities •Procedural documents (runbooks, response plans, etc.) describing methods for removing threats from organizational environments and organizational assets • Sample documented after action reports describing efforts to remove threats from organizational environments |
• Screenshot(s) of incident response tools indicating execution of incident response plans. |
• Incident-Tracker • Zendesk • Resolver
|
2.6.2.1 |
Business Continuity Plan Build a business continuity contingency plan that supports the recovery objectives identified in your Business Impact Analysis. |
• DR/BC plan documentation that describes recovery objectives, testing, RTO/RPO, etc for emergency and contingency purposes |
|
|
2.6.3.1 |
Business Continuity Plan (BCP) Testing Regularly test your contingency plan to ensure it meets recovery objectives. |
• Documents that describes testing scenerios, frequency and results, and allows sign-off by stakeholders for emergency and contingency purposes |
• Test results • Sign-off by stakeholders for emergency and contingency purposes |
|
3.1.1.2 |
Compliance Monitoring Implement compliance monitoring capabilities to detect non-compliance in the environment. |
• Requirements documents that govern you compliance management program and regulations the organization must comply with. |
• Screenshot(s) from the organizations GRC tool, ERP, or manual tool used to monitor compliance requirements in the organization. • Cloud service provider scans • Scanning tools with profiles specific to compliance |
• AWS • AZURE • Nessus
|
3.2.1.1 |
Background Screening Conduct personnel background screenings and ensure you understand the risk associated with your various personnel roles. |
• Requirements documents governing the organization's background screening requirements • Procedural documents (runbooks, response plans, etc.) describing how the organization's background screenings are conducted |
• Redacted background screening report |
• SOC
|
3.2.1.3 |
Security Awareness Training Require end users with access to systems or sensitive information to complete security awareness training. |
• Requirements documents governing the organization's security awareness training program • Procedural documents (runbooks, response plans, etc.) describing the implementation and scope of the organization's security awareness training activities • Sample of security awareness training modules and content • Sample Rules of Behavior (RoB) documentation including training requirements |
• Screenshot(s) from security awareness training modules • Screenshot(s) from security awareness training tracking tools |
|
3.2.2.3 |
Customer Notifications Establish a capability to notify customers in the event of a data breach. |
• Requirements documents govern how, when and how quickly customers are notified of a potential security breach • Sample customer notifications such as emails or public blog posts • Sample Service Level Agreement (SLA) language that is included in agreements with customers |
|
|
3.3.1.2 |
Least Privilege Grant entitlements to system resources based on the principle of least privilege, ensuring users only have the access necessary for their role. |
• Documentation describing how least privilege is implemented, monitored, and enforced • Sample user account request form |
• Screenshot(s) from account management tools • Screenshot(s) from physical access management consoles • Screenshot(s) from user access request ticketing system |
• Active Directory • NetIQ • BadgePass • HID VertX • Genetec |
3.3.2.2 |
Shared Account Restrictions Restrict or prohibit the use of shared accounts to ensure traceability of system activity and protect against unauthorized access. |
• Requirements documents governing the organization's identity and access management program • Procedural documents (runbooks, response plans, etc.) describing how shared accounts are prohibited, implemented, monitored, and reviewed • Sample user account request form • Documented account review log |
• Screenshot(s) from account management tools • Screenshot(s) from a user access request ticketing system • Screenshot(s) of logs showing account activity (shared account activity if applicable) |
• Active Directory • NetIQ • Splunk • LogRhythm • Windows Event Viewer |
3.3.2.5 |
Password Change Requirements Utilize regular password changes and single use passwords to ensure user passwords are initialized and refreshed. |
• Requirements documents governing the organization's credential and authentication management program • Procedural documents (runbooks, response plans, etc.) describing how credentials are assigned, provisioned, and managed • Rules of Behavior (RoB) |
• Screenshot(s) from credential management tools • Screenshot(s) from local settings on devices |
• Active Directory GPO (Password Settings) • NetIQ • CyberArk • Linux/Unix Password expiry • Oracle password expiration |
3.3.2.7 |
Account Lockout Implement account lockout rules to protect against unauthorized access. |
• Requirements documents governing the organization's credential and authentication management program • Procedural documents (runbooks, response plans, etc.) describing how credentials are assigned, provisioned, and managed • Rules of Behavior (RoB) • Security Awareness Training documents |
• Screenshot(s) from credential management tools • Screenshot(s) from local settings on devices |
• AWS IAM • NetIQ • Active Directory GPO (Password Settings) |
3.3.3.2 |
Access Reviews Implement a program to regularly review system access rights and verify the need for continued access. |
• Requirements documents governing the organization's identity and access management program • Procedural documents (runbooks, response plans, etc.) describing how accounts are approved and reviewed • Sample user account request form • Documented account review log |
• Screenshot(s) from GRC tools showing access review dates • Emails or other notifications indicating that periodic access reviews have been completed |
• Archer • R-Sam • Protiviti • Logic Manager • ServiceNow
|
3.3.5.1 |
Certificate Management Use digital certificates to protect enterprise data and communications. |
• Requirements documents governing the organization's certificate management usage. • Procedural documents (runbooks, response plans, etc.) describing the implementation, scope, and management of certificates |
• Screenshot(s) from a certificate management software. |
• DigiCert Certificate utility • Comodo PKI Certificate Management for Enterprise • Venafi |
3.4.2.1 |
Application and Services Security Design Establish security requirements for internally and externally developed applications. |
• Requirements documents governing the organization's security controls have been implemented • Procedural documents (runbooks, response plans, etc.) describing the implementation and scope of the organization's security controls that govern the protection of secure code repositories |
• Screenshots from ticketing tools showing security design processes in place |
• JIRA • ServiceNow
|
3.5.1.1 |
Data Classification Create and deploy a data classification standard to ensure sensitive information is classified and protected appropriately. |
• Requirements documents governing the organization's data classification governance • Procedural documents (runbooks, response plans, etc.) describing the organization's capability to define it data classification granularity |
• Screenshot(s) from a DLP solution • Screenshots(s) from a SIEM solution |
• LogRhythm • CA Technologies DLP • Trustwave DLP
|
3.5.2.1 |
Data at Rest Encryption Encrypt data at rest. |
• Procedural documents (runbooks, response plans, etc.) describing how and where encryption is implemented and at what strength |
• Screenshot(s) showing database encryption settings • Screenshot(s) showing bootup password for full device encryption • Screenshot(s) from backup server configurations showing encryption settings • Screenshot(s) of NAS configuration settings |
• Symantec Backup Exec • Synology • Microsoft SQL EncryptByKey • Drobo |
3.5.4.1 |
Encryption of Data in Motion Encrypt data while in transit. |
• Procedural documents (runbooks, response plans, etc.) that describe how encryption is implemented and managed for data in motion |
• Screenshot(s) from web applications that show that TLS (1.2 or higher) is being used • Screenshot(s) from VPN management consoles |
• HTTPS / TLS (1.2 or higher) • IPSec • Symantec Gateway Email Encryption • Secure Real-Time Transport Protocol (SRTP) |
3.5.4.3 |
Removable Media Standard Control the use of removable media. |
• Requirements documents that govern the use of removable media • Procedural documents (runbooks, response plans, etc.) that describe the processes used to control and/or prohibit removable media • Sample security training documentation that addresses the proper use of removable media • Configuration standards that show how removable media controls are implemented as part of standard system builds • Logs or reports listing any approved removable media exceptions |
• Screenshot(s) from log aggregation tools that show logs related to removable media (i.e. port activity) • Screenshot(s) of BYOD monitoring logs |
• IronKey • McAfee File and Removable Media Protection • Check Point Media Encryption
|
3.5.5.1 |
Key Management Securely manage the encryption keys used to protect sensitive data |
• Requirements documents that describe management requirements for management of keys used to encrypt data. • Documentation of vendor specific capabilities around key management (e.g. server side management on cloud based servers). • Documentation indicating capabilities and use of Hardware Security Modules. |
• Screenshot(s) from key management tools indicating capabilities including generation, distribution, and secure storage of encryption keys. |
• Documents based on ISO/IEC 11770 • Gemalto • KeyNexus • Vormetric • Townsend
|
3.5.6.2 |
Cloud Document Protection Protect documents stored in the cloud by managing cloud providers, using strong authentication, and monitoring usage. |
• Requirements documents that govern the organization's use of cloud-based document storage platforms • Procedural documents describing how the organization cloud-based document storage platforms |
• Screenshot(s) from cloud based document storage platforms showing configuration settings • Screenshot(s) from log aggregation tools, showing logs originating from cloud-based document storage platforms |
• DocuSign • Microsoft Office 365 • Box.com • Google G Suite |
3.6.1.1 |
Desktop and Laptop Hardening Harden desktop and laptop configurations to protect against malicious attacks. |
• Runbooks or checklists describing how devices are hardened and patched |
• Screenshot(s) of disabled service(s) (e.g. Windows Media Player Sharing Service) • Screenshot(s) describing logging and auditing are in place • Screenshot(s) from configuration management tools |
• Microsoft Windows Services • Chef • BigFix |
3.6.1.4 |
Desktop and Laptop Secure Browsing Enable secure browsing controls and capabilities on desktop and laptop web browsers. |
• Sample browser configuration standard |
• Screenshot(s) showing browser settings • Enterprise internet protection settings (white listing) |
• Google Chrome • Internet Explorer • Mozilla Firefox |
3.6.1.5 |
Desktop and Laptop Malware Detection Use antivirus and anti-malware tools to protect desktops and laptops from malware threats. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. |
• Screenshot(s) from anti malware tools used for desktops and laptops |
• Symantec SEP • ESET Antivirus • Kaspersky Antivirus • Malware Bytes
|
3.6.2.1 |
Server Hardening Harden servers to protect against malicious attacks. |
• Runbooks or checklists describing how devices are hardened and patched |
• Screenshot(s) of disabled service(s) • Screenshot(s) describing logging and auditing are in place • Screenshot(s) from configuration management tools |
• Microsoft Windows • Chef • BigFix |
3.6.2.6 |
Server Logging Capture and securely store server logs. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. |
• Screenshot(s) from log aggregation tools • Screenshot(s) from server logging agents • Screenshot(s) of NTP or authoritative time server settings |
• Splunk • LogRhythm • Graylog • Logmatic
|
3.6.3.1 |
Virtualized Endpoint Security Harden virtualized endpoints to protect against malicious attacks. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. |
• Screenshot(s) of disabled service(s) (e.g. Windows Media Player Sharing Service) • Screenshot(s) describing logging and auditing are in place • Screenshot(s) showing login is required • Screenshot(s) from configuration management tools |
• Microsoft Windows • Linux/Unix • MacOS • Chef • BigFix |
3.6.4.1 |
Mobile Device Management (MDM) Control and manage mobile devices that store or have access to company information. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. |
• Screenshot(s) from MDM tools that indicate capabilities implemented to manage mobile devices. |
• Trend Micro MDM • MobileIron • VMware Airwatch • Blackberry MDM • IBM MDM |
3.6.4.5 |
Mobile Device Remote Lock and Wipe Implement mobile device remote lock and wipe capabilities to protect company information on mobile endpoints. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. |
• Screenshot(s) from MDM tools showing remote management options |
• Trend Micro MDM • MobileIron • VMware Airwatch • Blackberry MDM • IBM MDM |
3.7.1.4 |
Denial of Service (DoS) Protection Protect against Denial-of Service attacks. |
• Third party provider contract information |
• Screenshot(s) from a Denial of Service tool showing the configuration of the control |
• Cloudflare • Akamai • Azure |
3.7.2.1 |
Network Device Hardening Harden network devices to protect against network attacks. |
• Runbooks or checklists describing how devices are hardened and patched |
• Screenshot(s) from network device management consoles showing what types of functionality is active. • Screenshot(s) from network device management consoles showing most recent version/FW is in place • Screenshot(s) from network device management consoles showing high-availability configuration or redundancy |
• HPE Officemconnect • Aruba • Ubiquity/UniFi • BROCADE • Ruckus Wireless • Aerohive |
3.7.2.2 |
Network Firewalls Use network firewall capabilities to provide a layer of perimeter defense against malicious network attacks. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. |
• Screenshot(s) from firewall management consoles showing what types of functionality is active • Screenshot(s) from firewall management consoles or GRC tools showing the date of firewall rule reviews • Firewall rules |
• Cisco ASA • SonicWall • Fortinet Fortigate •Palo Alto *Cisco Meraki |
3.7.2.4 |
Network Intrusion Detection Utilize network intrusion detection technologies to identify potentially malicious activity entering the network. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control.mThis control can only be validated if logical evidence is provided. |
• Screenshot(s) from IDS tools |
• Snort • Cisco IDS • FireEye • SecureWorks |
3.7.2.8 |
Segmentation Security Isolate or segment your network to minimize the impact of a malicious attack moving across the network. |
• Diagrams showing the placement of network devices throughout the enterprise |
• Screenshot(s) from network device management consoles showing what types of functionality have been put in place |
• Cisco • Avaya • Extreme Network
|
3.7.3.1 |
Email Filtering Detect and block potentially harmful email content. |
NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. |
• Screenshot(s) from email configuration pages • Screenshot(s) from email security tool or web portal |
• Barracuda • MailWasher • RoaringPenguin • Office365 • G Suite • Proofpoint |
| Control ID | Control | Administrative Evidence | Logical Evidence | Example Tools / Frameworks |
|---|---|---|---|---|
| 3.7.3.2 | Web Filtering: Detect and block potentially harmful web content. | NOTE: Administrative evidence, such as policies and procedures, may be helpful for describing the context of the control implementation. However, administrative evidence alone is not adequate to validate this control. This control can only be validated if logical evidence is provided. | Screenshot(s) from web filtering / monitoring tools that show the functions that are enabled, the traffic being monitored, and the actions the tool takes in response to anomalous or malicious web traffic; Screenshot(s) from web filtering / monitoring tools that show any white lists or black lists in place | Cisco Umbrella, Barracuda, Sophos UTM, Fortinet, Websense |
| 4.1.2.1 | Asset Acquisition: Acquire assets through a standardized process. | Asset acquisition/procurement form | Screenshot(s) from asset management tools showing the asset characteristics that are documented; Screenshot(s) from asset discovery tools showing scheduled scans; Screenshot(s) from ticketing systems that show the steps taken to properly dispose of an asset | SpiceWorks, ServiceDesk Plus, Samanage, ServiceNow, Remedy |
| 4.1.3.1 | Asset Inventory and Use: Maintain an inventory of company assets including necessary asset attributes and asset use for effective lifecycle management. | Documented asset inventories | Screenshot(s) from asset management tools showing the asset characteristics that are documented; Screenshot(s) from asset discovery tools showing scheduled scans | SpiceWorks, SolarWinds, ServiceDesk Plus, Samanage, ServiceNow, Remedy |
| 4.1.4.2 | Asset Disposal: Implement procedures for secure disposal of assets and data. | Sample logs showing asset disposition and data sanitization records | Screenshot(s) from ticketing systems that show the steps taken to properly dispose of an asset | Flexera, BMC Software, ServiceNow, Zendesk, Samanage |
| 4.2.2.1 | Configuration Management Design and Implementation: Establish configuration standards to improve the security of default configurations of hardware and software. | Requirements documents governing organizational configuration standards and scope; Procedural documents (runbooks, response plans, etc.) describing how configuration standards are implemented, monitored, and enforced | Screenshot(s) from configuration management tools that show the types of assets covered; Screenshot(s) from configuration scanning tools that show the frequency and scope of scans | Chef, Puppet, Ansible, BigFix, Tripwire |
| 4.2.5.1 | Change Management: Establish a change management process. | Requirements documents that address change management; Procedural documents (runbooks, response plans, etc.) that describe change control processes; Sample change logs; Sample security impact assessments for proposed changes; CAB meeting minutes | Screenshot(s) from ticketing systems that show the change proposal, review, approval, and implementation process | Zendesk, Samanage, SpiceWorks |
| 4.4.1.1 | Security Controls Planning: Establish a security controls framework that incorporates all levels of your security controls across people, process, and technology, and routinely assesses the control environment to ensure effectiveness. | Requirements documents governing the organization's security controls assessment program; Procedural documents (runbooks, response plans, etc.) describing the implementation and scope of the organization's security controls assessment activities; Sample security assessment reports including identified risks and mitigation strategies; Copy of the security control catalog used by the organization | Screenshot(s) from GRC tools | NIST SP 800-37/800-53, NIST CSF, ISO 27001/27002, COBIT, RSA Archer, R-Sam, Logic Manager, MetricStream, SOC, PCI, NYDFS |
| 4.4.3.1 | Security Controls Selection: Select security controls based on organizational requirements and level of impact to people, process, and technology. | Requirements documents governing the organization's security controls assessment program; Procedural documents (runbooks, response plans, etc.) describing the implementation and scope of the organization's security controls assessment activities; Sample security assessment reports including identified risks and mitigation strategies; Copy of the security control catalog used by the organization | Screenshot(s) from GRC tools showing controls in place and history of evaluation | RSA Archer, R-Sam, Logic Manager, MetricStream, SOC, PCI, NYDFS |
| 4.5.3.1 | Security Performance Operational Effectiveness: Maintain the effectiveness of security and privacy performance metrics through adequate coverage, routine metric reviews, and automation. | Sample reports or metrics generated to inform organizational leadership of security control effectiveness | Screenshot(s) from GRC tools or ticketing system | RSA Archer, R-Sam, Logic Manager, MetricStream, Salesforce, Zendesk |
| 4.6.1.1 | Third Party Risk Planning: Establish a third party risk management framework. | Requirements documents (policy, standards, etc.) that address third party management; Procedural documents (runbooks, response plans, etc.) that describe the process for conducting third party risk analysis; Sample third party risk assessment results | Screenshot(s) from GRC tools that show results of third party risk assessment | RSA Archer, R-Sam, Logic Manager, MetricStream, SOC |
| 4.6.3.1 | Third Party Risk Mitigation Procedures: Establish a process for prioritizing and mitigating third party risks. | Documentation (runbooks, response plans, etc.) describing risk treatment; Artifacts associated with the third party risk management program that demonstrate how your organization addresses mitigation of risks with third parties | Screenshot(s) from a third party risk management tool or ticketing system | GRC tools (e.g. RSA Archer, R-Sam) |
| 4.7.3.1 | Security Staff Training: Establish a robust security training framework to acquire and maintain the skills necessary for effective job performance, career growth, and retention of security talent. | Artifacts associated with the security training management program that demonstrate how your organization addresses mitigation of risks with third parties | Screenshot(s) of CBT system(s); Screenshot(s) of online training systems | CyberVista, ITPro.tv, SANS |
| 4.8.1.1 | Information Sharing Planning: Establish a cyber security information sharing program. | Documentation governing how cyber threat information is integrated into the organization and organizational tools | Example brief of threat intelligence that is ingested into organizational tools and processes; Screenshot of organizational tools that indicates ingestion of threat information (e.g. known bad IP addresses, indicators of compromise) | STIX/TAXII/CybOX, AlienVault, OpenIOC, OASIS Cyber Threat Intelligence, FSR BITS, Cyber Threat Alliance, ISAC feeds |
| PRI.1.2.1 | Privacy Governance Program: Establish accountability, privacy governance policies, risk management strategies, and governance monitoring for your privacy data. | Requirements documents (policy, standards, etc.) governing the privacy program | Screenshot(s) from GRC tools showing revision dates | GRC tools (e.g. RSA Archer, R-Sam) |
| PRI.1.4.1 | Privacy Transparency: Ensure organizations and individuals understand how data is processed and the associated privacy risks. | Requirements documents (policy, standards, etc.) governing the privacy program | Screenshot(s) from GRC tools showing revision dates | GRC tools (e.g. RSA Archer, R-Sam) |