CSA Cloud Controls Matrix (CCM)

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a security framework that provides organizations with the necessary controls to establish a secure cloud environment. The CCM is a comprehensive set of security controls that help organizations assess the overall security risk of a cloud provider and provide guidance on best practices to ensure the security of cloud-based systems.

Controls

Control IDControl Specification
A&A-01Establish, document, approve, communicate, apply, evaluate and maintain
audit and assurance policies and procedures and standards. Review and update
the policies and procedures at least annually.
A&A-02Conduct independent audit and assurance assessments according to
relevant standards at least annually.
A&A-03Perform independent audit and assurance assessments according to
risk-based plans and policies.
A&A-04Verify compliance with all relevant standards, regulations, legal/contractual,
and statutory requirements applicable to the audit.
A&A-05Define and implement an Audit Management process to support audit
planning, risk analysis, security control assessment, conclusion, remediation
schedules, report generation, and review of past reports and supporting evidence.
A&A-06Establish, document, approve, communicate, apply, evaluate and maintain
a risk-based corrective action plan to remediate audit findings, review and
report remediation status to relevant stakeholders.
AIS-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for application security to provide guidance to the
appropriate planning, delivery and support of the organization’s application
security capabilities. Review and update the policies and procedures at least
annually.
AIS-02Establish, document and maintain baseline requirements for securing
different applications.
AIS-03Define and implement technical and operational metrics in alignment
with business objectives, security requirements, and compliance obligations.
AIS-04Define and implement a SDLC process for application design, development,
deployment, and operation in accordance with security requirements defined by
the organization.
AIS-05Implement a testing strategy, including criteria for acceptance of
new information systems, upgrades and new versions, which provides application
security assurance and maintains compliance while enabling organizational speed
of delivery goals. Automate when applicable and possible.
AIS-06Establish and implement strategies and capabilities for secure, standardized,
and compliant application deployment. Automate where possible.
AIS-07Define and implement a process to remediate application security
vulnerabilities, automating remediation when possible.
BCR-01Establish, document, approve, communicate, apply, evaluate and maintain
business continuity management and operational resilience policies and procedures.
Review and update the policies and procedures at least annually.
BCR-02Determine the impact of business disruptions and risks to establish
criteria for developing business continuity and operational resilience strategies
and capabilities.
BCR-03Establish strategies to reduce the impact of, withstand, and recover
from business disruptions within risk appetite.
BCR-04Establish, document, approve, communicate, apply, evaluate and maintain
a business continuity plan based on the results of the operational resilience
strategies and capabilities.
BCR-05Develop, identify, and acquire documentation that is relevant to
support the business continuity and operational resilience programs. Make the
documentation available to authorized stakeholders and review periodically.
BCR-06Exercise and test business continuity and operational resilience
plans at least annually or upon significant changes.
BCR-07Establish communication with stakeholders and participants in the
course of business continuity and resilience procedures.
BCR-08Periodically backup data stored in the cloud. Ensure the confidentiality,
integrity and availability of the backup, and verify data restoration from backup
for resiliency.
BCR-09Establish, document, approve, communicate, apply, evaluate and maintain
a disaster response plan to recover from natural and man-made disasters. Update
the plan at least annually or upon significant changes.
BCR-10Exercise the disaster response plan annually or upon significant
changes, including if possible local emergency authorities.
BCR-11Supplement business-critical equipment with redundant equipment independently
located at a reasonable minimum distance in accordance with applicable industry
standards.
CCC-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for managing the risks associated with applying changes
to organization assets, including application, systems, infrastructure, configuration,
etc., regardless of whether the assets are managed internally or externally
(i.e., outsourced). Review and update the policies and procedures at least annually.
CCC-02Follow a defined quality change control, approval and testing process
with established baselines, testing, and release standards.
CCC-03Manage the risks associated with applying changes to organization
assets, including application, systems, infrastructure, configuration, etc.,
regardless of whether the assets are managed internally or externally (i.e.,
outsourced).
CCC-04Restrict the unauthorized addition, removal, update, and management
of organization assets.
CCC-05Include provisions limiting changes directly impacting CSCs owned
environments/tenants to explicitly authorized requests within service level
agreements between CSPs and CSCs.
CCC-06Establish change management baselines for all relevant authorized
changes on organization assets.
CCC-07Implement detection measures with proactive notification in case
of changes deviating from the established baseline.
CCC-08‘Implement a procedure for the management of exceptions, including
emergencies, in the change and configuration process. Align the procedure with
the requirements of GRC-04: Policy Exception Process.’
CCC-09Define and implement a process to proactively roll back changes to
a previous known good state in case of errors or security concerns.
CEK-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for Cryptography, Encryption and Key Management. Review
and update the policies and procedures at least annually.
CEK-02Define and implement cryptographic, encryption and key management
roles and responsibilities.
CEK-03Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards.
CEK-04Use encryption algorithms that are appropriate for data protection,
considering the classification of data, associated risks, and usability of the
encryption technology.
CEK-05Establish a standard change management procedure, to accommodate
changes from internal and external sources, for review, approval, implementation
and communication of cryptographic, encryption and key management technology
changes.
CEK-06Manage and adopt changes to cryptography-, encryption-, and key management-related
systems (including policies and procedures) that fully account for downstream
effects of proposed changes, including residual risk, cost, and benefits analysis.
CEK-07Establish and maintain an encryption and key management risk program
that includes provisions for risk assessment, risk treatment, risk context,
monitoring, and feedback.
CEK-08CSPs must provide the capability for CSCs to manage their own data
encryption keys.
CEK-09Audit encryption and key management systems, policies, and processes
with a frequency that is proportional to the risk exposure of the system with
audit occurring preferably continuously but at least annually and after any
security event(s).
CEK-10Generate Cryptographic keys using industry accepted cryptographic
libraries specifying the algorithm strength and the random number generator
used.
CEK-11Manage cryptographic secret and private keys that are provisioned
for a unique purpose.
CEK-12Rotate cryptographic keys in accordance with the calculated cryptoperiod,
which includes provisions for considering the risk of information disclosure
and legal and regulatory requirements.
CEK-13Define, implement and evaluate processes, procedures and technical
measures to revoke and remove cryptographic keys prior to the end of its established
cryptoperiod, when a key is compromised, or an entity is no longer part of the
organization, which include provisions for legal and regulatory requirements.
CEK-14Define, implement and evaluate processes, procedures and technical
measures to destroy keys stored outside a secure environment and revoke keys
stored in Hardware Security Modules (HSMs) when they are no longer needed, which
include provisions for legal and regulatory requirements.
CEK-15Define, implement and evaluate processes, procedures and technical
measures to create keys in a pre-activated state when they have been generated
but not authorized for use, which include provisions for legal and regulatory
requirements.
CEK-16Define, implement and evaluate processes, procedures and technical
measures to monitor, review and approve key transitions from any state to/from
suspension, which include provisions for legal and regulatory requirements.
CEK-17Define, implement and evaluate processes, procedures and technical
measures to deactivate keys at the time of their expiration date, which include
provisions for legal and regulatory requirements.
CEK-18Define, implement and evaluate processes, procedures and technical
measures to manage archived keys in a secure repository requiring least privilege
access, which include provisions for legal and regulatory requirements.
CEK-19Define, implement and evaluate processes, procedures and technical
measures to use compromised keys to encrypt information only in controlled circumstance,
and thereafter exclusively for decrypting data and never for encrypting data,
which include provisions for legal and regulatory requirements.
CEK-20Define, implement and evaluate processes, procedures and technical
measures to assess the risk to operational continuity versus the risk of the
keying material and the information it protects being exposed if control of
the keying material is lost, which include provisions for legal and regulatory
requirements.
CEK-21Define, implement and evaluate processes, procedures and technical
measures in order for the key management system to track and report all cryptographic
materials and changes in status, which include provisions for legal and regulatory
requirements.
DCS-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the secure disposal of equipment used outside the
organization’s premises. If the equipment is not physically destroyed a data
destruction procedure that renders recovery of information impossible must be
applied. Review and update the policies and procedures at least annually.
DCS-02Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the relocation or transfer of hardware, software,
or data/information to an offsite or alternate location. The relocation or transfer
request requires the written or cryptographically verifiable authorization.
Review and update the policies and procedures at least annually.
DCS-03Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for maintaining a safe and secure working environment
in offices, rooms, and facilities. Review and update the policies and procedures
at least annually.
DCS-04Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the secure transportation of physical media. Review
and update the policies and procedures at least annually.
DCS-05Classify and document the physical, and logical assets (e.g., applications)
based on the organizational business risk.
DCS-06Catalogue and track all relevant physical and logical assets located
at all of the CSP’s sites within a secured system.
DCS-07Implement physical security perimeters to safeguard personnel, data,
and information systems. Establish physical security perimeters between the
administrative and business areas and the data storage and processing facilities
areas.
DCS-08Use equipment identification as a method for connection authentication.
DCS-09Allow only authorized personnel access to secure areas, with all
ingress and egress points restricted, documented, and monitored by physical
access control mechanisms. Retain access control records on a periodic basis
as deemed appropriate by the organization.
DCS-10Implement, maintain, and operate datacenter surveillance systems
at the external perimeter and at all the ingress and egress points to detect
unauthorized ingress and egress attempts.
DCS-11Train datacenter personnel to respond to unauthorized ingress or
egress attempts.
DCS-12Define, implement and evaluate processes, procedures and technical
measures that ensure a risk-based protection of power and telecommunication
cables from a threat of interception, interference or damage at all facilities,
offices and rooms.
DCS-13Implement and maintain data center environmental control systems
that monitor, maintain and test for continual effectiveness the temperature
and humidity conditions within accepted industry standards.
DCS-14Secure, monitor, maintain, and test utilities services for continual
effectiveness at planned intervals.
DCS-15Keep business-critical equipment away from locations subject to high
probability for environmental risk events.
DSP-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the classification, protection and handling of data
throughout its lifecycle, and according to all applicable laws and regulations,
standards, and risk level. Review and update the policies and procedures at
least annually.
DSP-02Apply industry accepted methods for the secure disposal of data from
storage media such that data is not recoverable by any forensic means.
DSP-03Create and maintain a data inventory, at least for any sensitive
data and personal data.
DSP-04Classify data according to its type and sensitivity level.
DSP-05Create data flow documentation to identify what data is processed,
stored or transmitted where. Review data flow documentation at defined intervals,
at least annually, and after any change.
DSP-06Document ownership and stewardship of all relevant documented personal
and sensitive data. Perform review at least annually.
DSP-07Develop systems, products, and business practices based upon a principle
of security by design and industry best practices.
DSP-08Develop systems, products, and business practices based upon a principle
of privacy by design and industry best practices. Ensure that systems’ privacy
settings are configured by default, according to all applicable laws and regulations.
DSP-09Conduct a Data Protection Impact Assessment (DPIA) to evaluate the
origin, nature, particularity and severity of the risks upon the processing
of personal data, according to any applicable laws, regulations and industry
best practices.
DSP-10Define, implement and evaluate processes, procedures and technical
measures that ensure any transfer of personal or sensitive data is protected
from unauthorized access and only processed within scope as permitted by the
respective laws and regulations.
DSP-11Define and implement, processes, procedures and technical measures
to enable data subjects to request access to, modification, or deletion of their
personal data, according to any applicable laws and regulations.
DSP-12Define, implement and evaluate processes, procedures and technical
measures to ensure that personal data is processed according to any applicable
laws and regulations and for the purposes declared to the data subject.
DSP-13Define, implement and evaluate processes, procedures and technical
measures for the transfer and sub-processing of personal data within the service
supply chain, according to any applicable laws and regulations.
DSP-14Define, implement and evaluate processes, procedures and technical
measures to disclose the details of any personal or sensitive data access by
sub-processors to the data owner prior to initiation of that processing.
DSP-15Obtain authorization from data owners, and manage associated risk
before replicating or using production data in non-production environments.
DSP-16Data retention, archiving and deletion is managed in accordance with
business requirements, applicable laws and regulations.
DSP-17Define and implement, processes, procedures and technical measures
to protect sensitive data throughout it’s lifecycle.
DSP-18The CSP must have in place, and describe to CSCs the procedure to
manage and respond to requests for disclosure of Personal Data by Law Enforcement
Authorities according to applicable laws and regulations. The CSP must give
special attention to the notification procedure to interested CSCs, unless otherwise
prohibited, such as a prohibition under criminal law to preserve confidentiality
of a law enforcement investigation.
DSP-19Define and implement, processes, procedures and technical measures
to specify and document the physical locations of data, including any locations
in which data is processed or backed up.
GRC-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for an information governance program, which is sponsored
by the leadership of the organization. Review and update the policies and procedures
at least annually.
GRC-02Establish a formal, documented, and leadership-sponsored Enterprise
Risk Management (ERM) program that includes policies and procedures for identification,
evaluation, ownership, treatment, and acceptance of cloud security and privacy
risks.
GRC-03Review all relevant organizational policies and associated procedures
at least annually or when a substantial change occurs within the organization.
GRC-04Establish and follow an approved exception process as mandated by
the governance program whenever a deviation from an established policy occurs.
GRC-05Develop and implement an Information Security Program, which includes
programs for all the relevant domains of the CCM.
GRC-06Define and document roles and responsibilities for planning, implementing,
operating, assessing, and improving governance programs.
GRC-07Identify and document all relevant standards, regulations, legal/contractual,
and statutory requirements, which are applicable to your organization.
GRC-08Establish and maintain contact with cloud-related special interest
groups and other relevant entities in line with business context.
HRS-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for background verification of all new employees (including
but not limited to remote employees, contractors, and third parties) according
to local laws, regulations, ethics, and contractual constraints and proportional
to the data classification to be accessed, the business requirements, and acceptable
risk. Review and update the policies and procedures at least annually.
HRS-02Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for defining allowances and conditions for the acceptable
use of organizationally-owned or managed assets. Review and update the policies
and procedures at least annually.
HRS-03Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures that require unattended workspaces to not have openly
visible confidential data. Review and update the policies and procedures at
least annually.
HRS-04Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures to protect information accessed, processed or stored
at remote sites and locations. Review and update the policies and procedures
at least annually.
HRS-05Establish and document procedures for the return of organization-owned
assets by terminated employees.
HRS-06Establish, document, and communicate to all personnel the procedures
outlining the roles and responsibilities concerning changes in employment.
HRS-07Employees sign the employee agreement prior to being granted access
to organizational information systems, resources and assets.
HRS-08The organization includes within the employment agreements provisions
and/or terms for adherence to established information governance and security
policies.
HRS-09Document and communicate roles and responsibilities of employees,
as they relate to information assets and security.
HRS-10Identify, document, and review, at planned intervals, requirements
for non-disclosure/confidentiality agreements reflecting the organization’s
needs for the protection of data and operational details.
HRS-11Establish, document, approve, communicate, apply, evaluate and maintain
a security awareness training program for all employees of the organization
and provide regular training updates.
HRS-12Provide all employees with access to sensitive organizational and
personal data with appropriate security awareness training and regular updates
in organizational procedures, processes, and policies relating to their professional
function relative to the organization.
HRS-13Make employees aware of their roles and responsibilities for maintaining
awareness and compliance with established policies and procedures and applicable
legal, statutory, or regulatory compliance obligations.
IAM-01Establish, document, approve, communicate, implement, apply, evaluate
and maintain policies and procedures for identity and access management. Review
and update the policies and procedures at least annually.
IAM-02Establish, document, approve, communicate, implement, apply, evaluate
and maintain strong password policies and procedures. Review and update the
policies and procedures at least annually.
IAM-03Manage, store, and review the information of system identities, and
level of access.
IAM-04Employ the separation of duties principle when implementing information
system access.
IAM-05Employ the least privilege principle when implementing information
system access.
IAM-06Define and implement a user access provisioning process which authorizes,
records, and communicates access changes to data and assets.
IAM-07De-provision or respectively modify access of movers / leavers or
system identity changes in a timely manner in order to effectively adopt and
communicate identity and access management policies.
IAM-08Review and revalidate user access for least privilege and separation
of duties with a frequency that is commensurate with organizational risk tolerance.
IAM-09Define, implement and evaluate processes, procedures and technical
measures for the segregation of privileged access roles such that administrative
access to data, encryption and key management capabilities and logging capabilities
are distinct and separated.
IAM-10Define and implement an access process to ensure privileged access
roles and rights are granted for a time limited period, and implement procedures
to prevent the culmination of segregated privileged access.
IAM-11Define, implement and evaluate processes and procedures for customers
to participate, where applicable, in the granting of access for agreed, high
risk (as defined by the organizational risk assessment) privileged access roles.
IAM-12Define, implement and evaluate processes, procedures and technical
measures to ensure the logging infrastructure is read-only for all with write
access, including privileged access roles, and that the ability to disable it
is controlled through a procedure that ensures the segregation of duties and
break glass procedures.
IAM-13Define, implement and evaluate processes, procedures and technical
measures that ensure users are identifiable through unique IDs or which can
associate individuals to the usage of user IDs.
IAM-14Define, implement and evaluate processes, procedures and technical
measures for authenticating access to systems, application and data assets,
including multifactor authentication for at least privileged user and sensitive
data access. Adopt digital certificates or alternatives which achieve an equivalent
level of security for system identities.
IAM-15Define, implement and evaluate processes, procedures and technical
measures for the secure management of passwords.
IAM-16Define, implement and evaluate processes, procedures and technical
measures to verify access to data and system functions is authorized.
IPY-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for interoperability and portability including
requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
IPY-02Provide application interface(s) to CSCs so that they programmatically
retrieve their data to enable interoperability and portability.
IPY-03Implement cryptographically secure and standardized network protocols
for the management, import and export of data.
IPY-04Agreements must include provisions specifying CSCs access to data
upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
IVS-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for infrastructure and virtualization security. Review
and update the policies and procedures at least annually.
IVS-02Plan and monitor the availability, quality, and adequate capacity
of resources in order to deliver the required system performance as determined
by the business.
IVS-03Monitor, encrypt and restrict communications between environments
to only authenticated and authorized connections, as justified by the business.
Review these configurations at least annually, and support them by a documented
justification of all allowed services, protocols, ports, and compensating controls.
IVS-04Harden host and guest OS, hypervisor or infrastructure control plane
according to their respective best practices, and supported by technical controls,
as part of a security baseline.
IVS-05Separate production and non-production environments.
IVS-06Design, develop, deploy and configure applications and infrastructures
such that CSP and CSC (tenant) user access and intra-tenant access is appropriately
segmented and segregated, monitored and restricted from other tenants.
IVS-07Use secure and encrypted communication channels when migrating servers,
services, applications, or data to cloud environments. Such channels must include
only up-to-date and approved protocols.
IVS-08Identify and document high-risk environments.
IVS-09Define, implement and evaluate processes, procedures and defense-in-depth
techniques for protection, detection, and timely response to network-based attacks.
LOG-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for logging and monitoring. Review and update the policies
and procedures at least annually.
LOG-02Define, implement and evaluate processes, procedures and technical
measures to ensure the security and retention of audit logs.
LOG-03Identify and monitor security-related events within applications
and the underlying infrastructure. Define and implement a system to generate
alerts to responsible stakeholders based on such events and corresponding metrics.
LOG-04Restrict audit logs access to authorized personnel and maintain records
that provide unique access accountability.
LOG-05Monitor security audit logs to detect activity outside of typical
or expected patterns. Establish and follow a defined process to review and take
appropriate and timely actions on detected anomalies.
LOG-06Use a reliable time source across all relevant information processing
systems.
LOG-07Establish, document and implement which information meta/data system
events should be logged. Review and update the scope at least annually or whenever
there is a change in the threat environment.
LOG-08Generate audit records containing relevant security information.
LOG-09The information system protects audit records from unauthorized access,
modification, and deletion.
LOG-10Establish and maintain a monitoring and internal reporting capability
over the operations of cryptographic, encryption and key management policies,
processes, procedures, and controls.
LOG-11Log and monitor key lifecycle management events to enable auditing
and reporting on usage of cryptographic keys.
LOG-12Monitor and log physical access using an auditable access control
system.
LOG-13Define, implement and evaluate processes, procedures and technical
measures for the reporting of anomalies and failures of the monitoring system
and provide immediate notification to the accountable party.
SEF-01Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for Security Incident Management, E-Discovery, and Cloud
Forensics. Review and update the policies and procedures at least annually.
SEF-02Establish, document, approve, communicate, apply, evaluate and maintain
policies and procedures for the timely management of security incidents. Review
and update the policies and procedures at least annually.
SEF-03‘Establish, document, approve, communicate, apply, evaluate and maintain
a security incident response plan, which includes but is not limited to: relevant
internal departments, impacted CSCs, and other business critical relationships
(such as supply-chain) that may be impacted.’
SEF-04Test and update as necessary incident response plans at planned intervals
or upon significant organizational or environmental changes for effectiveness.
SEF-05Establish and monitor information security incident metrics.
SEF-06Define, implement and evaluate processes, procedures and technical
measures supporting business processes to triage security-related events.
SEF-07Define and implement, processes, procedures and technical measures
for security breach notifications. Report security breaches and assumed security
breaches including any relevant supply chain breaches, as per applicable SLAs,
laws and regulations.
SEF-08: Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.
STA-01: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.
STA-02: Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
STA-03: Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
STA-04: Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
STA-05: Review and validate SSRM documentation for all cloud services offerings the organization uses.
STA-06: Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
STA-07: Develop and maintain an inventory of all supply chain relationships.
STA-08: CSPs periodically review risk factors associated with all organizations within their supply chain.
STA-09: Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
STA-10: Review supply chain agreements between CSPs and CSCs at least annually.
STA-11: Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
STA-12: Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
STA-13: Periodically review the organization’s supply chain partners’ IT governance policies and procedures.
STA-14: Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.
TVM-01: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.
TVM-02: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.
TVM-03: Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
TVM-04: Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent, basis.
TVM-05: Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization’s vulnerability management policy.
TVM-06: Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
TVM-07: Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
TVM-08: Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.
TVM-09: Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.
TVM-10: Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.
UEM-01: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
UEM-02: Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
UEM-03: Define and implement a process for the validation of the endpoint device’s compatibility with operating systems and applications.
UEM-04: Maintain an inventory of all endpoints used to store and access company data.
UEM-05: Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
UEM-06: Configure all relevant interactive-use endpoints to require an automatic lock screen.
UEM-07: Manage changes to endpoint operating systems, patch levels, and/or applications through the company’s change management processes.
UEM-08: Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
UEM-09: Configure managed endpoints with anti-malware detection and prevention technology and services.
UEM-10: Configure managed endpoints with properly configured software firewalls.
UEM-11: Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
UEM-12: Enable remote geo-location capabilities for all managed mobile endpoints.
UEM-13: Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
UEM-14: Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.