Cybersecurity Assessment Matrix

This document is a cybersecurity assessment matrix for mapping regulatory and framework requirements. It maps the requirements of ISO/IEC 27001:2013 against NIST CSF v1.1, the CIS Top 20 Controls v7.0, GDPR, the NIS Directive (NISD) and MIFID II. For each requirement it lists the article, recital or control of each regulation in which that requirement is contemplated, so that an organization can identify, with a single assessment tool, what it must meet to comply with these mandatory and voluntary regulations.

ANEXO 3 - Cybersecurity Analysis and Assessment Matrix

CYBERSECURITY ASSESSMENT MATRIX


GOAL: The goal of this matrix is to help the organization identify the requirements it has to meet to comply with any of the indicated regulations. The matrix provides a mapping between mandatory and voluntary regulations and the requirements the organization must satisfy to comply with them.

SCOPE: The scope used for the definition of this matrix is Information Security (InfoSec).

REGULATIONS:
The regulations covered by this matrix are:

Mandatory:
- GDPR
- NISD
- MIFID II

Voluntary:
- ISO/IEC 27001:2013
- CIS SANS TOP 20
- NIST CSF

MATRIX:
The columns contain the regulations and the rows contain the requirements to comply with those regulations. Where a regulation covers a requirement, the number of the article, recital or control of that regulation is entered in the cell where that requirement is contemplated.

Legend: Included controls | Excluded controls

Columns of the matrix: Requirement (ISO/IEC 27001:2013 clause) | NIST CSF v1.1 | CIS 20 Controls v7.0 | GDPR (Article, Recital) | NISD (Article, Recital) | MIFID II (Article, Recital) | Guidance | Sufficient Evidence. In the rows below, article entries are written as "Art. N (Rec. ...)"; "-" means no mapped item (or no recital given) and "NA" means no applicable CIS control.
4 Context of the organization

4.1 Understanding the organization and its context
  NIST CSF: ID.BE-2 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77) | NISD: Art. 5 (Rec. 19 to 26) | MIFID II: Art. 1 (Rec. 7, 10, 11, 12, 18, 20, 39, 40, 41, 45)

4.2 Understanding the needs and expectations of interested parties
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77) | MIFID II: Art. 9 (Rec. 53, 54)

4.3 Determining the scope of the information security management system
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77)
  Sufficient evidence: ISMS Scope

4.4 Information security management system
  NIST CSF: ID.BE-4 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77)

5 Leadership

5.1 Leadership and commitment
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 63 (Rec. 53, 54)

5.2 Policy
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 63 (Rec. 53, 54)
  Sufficient evidence: Information Security Policy

5.3 Organizational roles, responsibilities and authorities
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 26 (Rec. 79), Art. 37 (Rec. 97), Art. 38 (Rec. 97), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 63 (Rec. 53, 54)

6 Planning

6.1 Actions to address risks and opportunities
  NIST CSF: - | CIS 20: -

6.1.1 General
  NIST CSF: ID.GV-4 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (-)
  Sufficient evidence: ISMS Policy; Risk Management Plan

6.1.2 Information security risk assessment
  NIST CSF: ID.GV-4, ID.RA-3, ID.RA-4, ID.RA-5 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 6 (Rec. 39 to 50, 171), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83), Art. 35 (Rec. 75, 84, 90, 91, 92), Art. 36 (Rec. 94, 95, 96) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (-)
  Guidance: Define a Risk Assessment for Personal Data Processing; Define a Risk Assessment for Financial Instruments Transactions; Design a DPIA (Data Protection Impact Assessment)
  Sufficient evidence: Risk Assessment Process

6.1.3 Information security risk treatment
  NIST CSF: ID.GV-4, ID.RA-6, ID.RM-1, ID.RM-2, ID.RM-3 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83), Art. 35 (Rec. 75, 84, 90, 91, 92), Art. 36 (Rec. 94, 95, 96) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (-)
  Guidance: Define a Risk Treatment Process for Personal Data Processing; Define a Risk Treatment Process for Financial Instruments Transactions
  Sufficient evidence: Risk Treatment Process

6.2 Information security objectives and planning to achieve them
  NIST CSF: ID.GV-4 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (-)

7 Support

7.1 Resources
  NIST CSF: ID.AM-5 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)

7.2 Competence
  NIST CSF: PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5 | CIS 20: CIS 17
  GDPR: Art. 32 (Rec. 78, 83), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Records of training, skills, experience and qualifications

7.3 Awareness
  NIST CSF: PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5 | CIS 20: CIS 17
  GDPR: Art. 32 (Rec. 78, 83), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)

7.4 Communication
  NIST CSF: RC.CO-1, RC.CO-2, RC.CO-3, RS.CO-3, RS.CO-4 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 27 (Rec. 91 to 98), Art. 32 (Rec. 69), Art. 58 (Rec. 129), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Guidance: Define a Data Publishing Policy

7.5 Documented information
  NIST CSF: - | CIS 20: -

7.5.1 General
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 28 (Rec. 81), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47), Art. 15 (Rec. 44, 46) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)

7.5.2 Creating and updating
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 28 (Rec. 81), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47), Art. 15 (Rec. 44, 46) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)

7.5.3 Control of documented information
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 28 (Rec. 81), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47), Art. 15 (Rec. 44, 46) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)

8 Operation

8.1 Operational planning and control
  NIST CSF: ID.RM-1 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 28 (Rec. 81), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (-)

8.2 Information security risk assessment
  NIST CSF: PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-7, PR.DS-8 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 6 (Rec. 39 to 50, 171), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 28 (Rec. 81), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83), Art. 35 (Rec. 75, 84, 90, 91, 92), Art. 36 (Rec. 94, 95, 96) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (-)
  Sufficient evidence: Risk Assessment Report

8.3 Information security risk treatment
  NIST CSF: ID.RM-1, ID.RM-2, ID.RM-3, PR.IP-12 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83), Art. 35 (Rec. 75, 84, 90, 91, 92), Art. 36 (Rec. 94, 95, 96) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (-)

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
  NIST CSF: PR.IP-7 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 26 (Rec. 79), Art. 28 (Rec. 81), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)
  Sufficient evidence: Monitoring and Measurement Results

9.2 Internal audit
  NIST CSF: PR.IP-7 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 47 (Rec. 97)
  Sufficient evidence: Internal Audit Program; Results of Internal Audits

9.3 Management review
  NIST CSF: ID.RM-1, PR.IP-7 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)
  Sufficient evidence: Management Review Results

10 Improvement

10.1 Nonconformity and corrective action
  NIST CSF: PR.IP-7, RC.IM-1, RC.IM-2, RS.IM-1, RS.IM-2 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Corrective Actions Results

10.2 Continual improvement
  NIST CSF: PR.IP-7, RC.IM-1, RC.IM-2, RS.IM-1, RS.IM-2 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)
A.5 Information security policies

A.5.1 Management direction for information security

A.5.1.1 Policies for information security
  NIST CSF: ID.GV-1 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47), Art. 15 (Rec. 44, 46) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 18 (Rec. 70 to 72), Art. 23 (Rec. 56, 77), Art. 27 (Rec. 91 to 98), Art. 28 (-), Art. 47 (-), Art. 54 (-), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Guidance: Define policies and procedures for order execution; Define policies and procedures to identify, manage and disclose conflicts of interest
  Sufficient evidence: Information Security Policy; Information Security Policy publication location and accessibility; Email or other announcement showing communication of information security policy changes to employees and relevant external parties

A.5.1.2 Review of the policies for information security
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47), Art. 15 (Rec. 44, 46) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Procedures for information security policy reviews, including changes to the policy when significant changes to the information security management program occur; Screenshot, copy of signed document evidencing management review, or change control evidence within the information security policy

A.6 Organization of information security

A.6.1 Internal organization

A.6.1.1 Information security roles and responsibilities
  NIST CSF: ID.AM-6, ID.GV-2, DE.DP-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5, RS.CO-1 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 26 (Rec. 79), Art. 28 (Rec. 81), Art. 32 (Rec. 78, 83), Art. 37 (Rec. 97), Art. 38 (Rec. 97), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Guidance: Include in the policy the DPO's roles and responsibilities
  Sufficient evidence: ISMS Policy; Documented roles and responsibilities for management of information security

A.6.1.2 Segregation of duties
  NIST CSF: PR.AC-4, PR.DS-5 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedure regarding segregation of duties

A.6.1.3 Contact with authorities
  NIST CSF: RS.CO-2 | CIS 20: CIS 19
  GDPR: Art. 32 (Rec. 78, 83), Art. 33 (Rec. 85, 87, 88), Art. 36 (Rec. 94) | NISD: Art. 8 (Rec. 30, 31), Art. 9 (Rec. 32), Art. 14 (Rec. 44, 46, 47), Art. 18 (Rec. 13, 14) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)
  Sufficient evidence: Procedures specifying when and by whom authorities should be contacted

A.6.1.4 Contact with special interest groups
  NIST CSF: ID.RA-2, RC.CO-1, RS.CO-5 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Procedures specifying when and by whom special interest groups or other specialist forums and professional associations should be contacted

A.6.1.5 Information security in project management
  NIST CSF: PR.IP-2 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69)
  Guidance: Include privacy issues in the design of new projects (security by design)
  Sufficient evidence: Risk assessment (but it should not be limited to projects only); Program management documentation outlining security requirements; Documented policy that outlines how security assessments are performed for projects to identify risks and mitigating controls

A.6.2 Mobile devices and teleworking

A.6.2.1 Mobile device policy
  NIST CSF: PR.AC-3 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Mobile Device and Remote Connection Policy; Bring Your Own Device Policy; Procedures for managing risks introduced by using mobile devices and security requirements for mobile devices; End user agreement for mobile device policy

A.6.2.2 Teleworking
  NIST CSF: PR.AC-3 | CIS 20: NA
  GDPR: Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Teleworking Policy; Security measures implemented to protect information accessed, processed, or stored at teleworking sites
A.7 Human resources security

A.7.1 Prior to employment

A.7.1.1 Screening
  NIST CSF: PR.AC-3, PR.AC-6, PR.DS-5, PR.IP-11 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83), Art. 88 (Rec. 155) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Human Resources Policy; Contractors Policy; Background checks performed for employees and contractors

A.7.1.2 Terms and conditions of employment
  NIST CSF: PR.DS-5, PR.IP-11 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83), Art. 88 (Rec. 155) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Definition of security roles and responsibilities; Cybersecurity clauses included in contracts with employees and contractors

A.7.2 During employment

A.7.2.1 Management responsibilities
  NIST CSF: ID.GV-2, PR.AT-3, PR.IP-11 | CIS 20: CIS 19
  GDPR: Art. 24 (Rec. 74 to 77), Art. 28 (Rec. 81), Art. 32 (Rec. 78, 83), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Information Security Users Policy; Information Security Organization Chart

A.7.2.2 Information security awareness, education and training
  NIST CSF: DE.DP-1, PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5, PR.IP-11, RS.CO-1 | CIS 20: CIS 17
  GDPR: Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83), Art. 39 (Rec. 97) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 25 (Rec. 71, 79, 80, 85)
  Sufficient evidence: Information security awareness program; Formal records regarding employees and contractors that have been through information security awareness training; Periodic tests of security awareness; Publish awareness information over the intranet

A.7.2.3 Disciplinary process
  NIST CSF: PR.IP-11 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Documented disciplinary process for non-compliance with organizational privacy and security standards

A.7.3 Termination and change of employment

A.7.3.1 Termination or change of employment responsibilities
  NIST CSF: PR.DS-5, PR.IP-11 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
A.8 Asset management

A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets
  NIST CSF: ID.AM-1, ID.AM-2 | CIS 20: CIS 1, CIS 2
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Information Security Asset Management Policy; Inventory of Assets

A.8.1.2 Ownership of assets
  NIST CSF: ID.AM-1, ID.AM-2 | CIS 20: CIS 1
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Assignment of asset owners; Periodic review of assets by their owners

A.8.1.3 Acceptable use of assets
  NIST CSF: - | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 28 (Rec. 81), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Acceptable Use Policy

A.8.1.4 Return of assets
  NIST CSF: PR.IP-11 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Termination or change of employment procedures

A.8.2 Information classification

A.8.2.1 Classification of information
  NIST CSF: ID.AM-5, PR.PT-2 | CIS 20: CIS 13
  GDPR: Art. 5 (Rec. 39), Art. 9 (Rec. 46, 51), Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 2 (-), Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Guidance: Include sensitive data in the classification (public, confidential, secret and sensitive)
  Sufficient evidence: Information Classification Policy

A.8.2.2 Labelling of information
  NIST CSF: PR.DS-5, PR.PT-2 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 9 (Rec. 46, 51), Art. 32 (Rec. 78, 83) | NISD: Art. 2 (-), Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Procedures for information labelling

A.8.2.3 Handling of assets
  NIST CSF: PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-5, PR.IP-6, PR.PT-2 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 7 (Rec. 32, 33, 42, 43), Art. 9 (Rec. 46, 51), Art. 10 (Rec. 50), Art. 11 (Rec. 57), Art. 12 (Rec. 58, 59, 60, 73), Art. 13 (Rec. 60, 61, 62), Art. 14 (Rec. 60, 61, 62), Art. 15 (Rec. 63, 64), Art. 16 (Rec. 65), Art. 17 (Rec. 65, 66), Art. 18 (Rec. 67), Art. 20 (Rec. 68), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 2 (-), Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Data handling procedures

A.8.3 Media handling

A.8.3.1 Management of removable media
  NIST CSF: PR.DS-3, PR.IP-6, PR.PT-2 | CIS 20: CIS 8, CIS 13, CIS 14
  GDPR: Art. 5 (Rec. 39), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Secure Disposal or Re-use of Equipment / Media and Data Policy

A.8.3.2 Disposal of media
  NIST CSF: PR.DS-3, PR.IP-6 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Procedures for secure disposal of media; Records of erased media

A.8.3.3 Physical media transfer
  NIST CSF: PR.DS-3, PR.PT-2 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: List of authorized courier service providers to transport media; Records detailing the content of media, protection controls applied, date/time of the transfer and receipt, and identification of custodians during transportation
A.9 Access control

A.9.1 Business requirements of access control

A.9.1.1 Access control policy
  NIST CSF: PR.DS-5 | CIS 20: CIS 4, CIS 14, CIS 16
  GDPR: Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Identity and Access Management Policy; Logical Access Controls Policy; User access profiles

A.9.1.2 Access to networks and network services
  NIST CSF: PR.AC-4, PR.DS-5, PR.PT-3 | CIS 20: CIS 1, CIS 9, CIS 11, CIS 12
  GDPR: Art. 24 (Rec. 74 to 77), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Networks and Network Services Policy

A.9.2 User access management

A.9.2.1 User registration and de-registration
  NIST CSF: PR.AC-1, PR.AC-6, PR.AC-7 | CIS 20: CIS 16
  GDPR: Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Password Policy; Procedures for provisioning and de-provisioning access to network resources, systems, and applications

A.9.2.2 User access provisioning
  NIST CSF: PR.AC-1 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)

A.9.2.3 Management of privileged access rights
  NIST CSF: PR.AC-1, PR.AC-4, PR.DS-5 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Formal authorization process for privileged access rights

A.9.2.4 Management of secret authentication information of users
  NIST CSF: PR.AC-1, PR.AC-7 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for password management

A.9.2.5 Review of user access rights
  NIST CSF: - | CIS 20: CIS 4, CIS 16
  GDPR: Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Periodic review of access rights for both general and privileged accounts

A.9.2.6 Removal or adjustment of access rights
  NIST CSF: PR.AC-1 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for employee termination or transfer

A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information
  NIST CSF: PR.AC-1, PR.AC-7 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Clear Desk & Clear Screen Policy

A.9.4 System and application access control

A.9.4.1 Information access restriction
  NIST CSF: PR.AC-4, PR.DS-5 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 5 (Rec. 39), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Logical access controls at the application, system and menu level

A.9.4.2 Secure log-on procedures
  NIST CSF: PR.AC-1, PR.AC-7 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Secure log-on procedures for access to systems and applications; Controls to hide identities, user IDs, errors and help messages until successful authentication; Controls to log authentication attempts (successful and failed)

A.9.4.3 Password management system
  NIST CSF: PR.AC-1, PR.AC-7 | CIS 20: CIS 4, CIS 16
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Password settings for all systems

A.9.4.4 Use of privileged utility programs
  NIST CSF: PR.AC-4, PR.DS-5 | CIS 20: CIS 4
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Process for the management of utility programs, including access controls, segregation from applications, and logging of all use of utility programs

A.9.4.5 Access control to program source code
  NIST CSF: PR.AC-4, PR.DS-5 | CIS 20: CIS 18
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Restrict program source code with read, write, and delete authorizations; Audit logs for all access to program source libraries
A.10 Cryptography

A.10.1 Cryptographic controls

A.10.1.1 Policy on the use of cryptographic controls
  NIST CSF: PR.DS-5 | CIS 20: CIS 10, CIS 13, CIS 14, CIS 15
  GDPR: Art. 5 (Rec. 39), Art. 6 (Rec. 39, 40, 42, 43, 44), Art. 20 (Rec. 68), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 32 (Rec. 78, 83), Art. 35 (Rec. 75, 84, 90, 91, 92) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Guidance: Implement a Pseudonymization Policy
  Sufficient evidence: Cryptography Policy

A.10.1.2 Key management
  NIST CSF: - | CIS 20: CIS 13
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58)
  Sufficient evidence: Procedures for key management
A.11 Physical and environmental security

A.11.1 Secure areas

A.11.1.1 Physical security perimeter
  NIST CSF: DE.CM-2, PR.AC-2 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Physical and Environmental Security Policy

A.11.1.2 Physical entry controls
  NIST CSF: DE.CM-2, PR.AC-2, PR.MA-1 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Visitors Policy; Procedures detailing physical security controls

A.11.1.3 Securing offices, rooms and facilities
  NIST CSF: PR.AC-2 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for securing work spaces

A.11.1.4 Protecting against external and environmental threats
  NIST CSF: ID.BE-5, PR.AC-2, PR.DS-5, PR.IP-5 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Controls for physical protection against natural disasters, malicious attack or accidents

A.11.1.5 Working in secure areas
  NIST CSF: PR.AC-2, PR.DS-5 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for working in secure areas

A.11.1.6 Delivery and loading areas
  NIST CSF: PR.AC-2 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures to control access points

A.11.2 Equipment

A.11.2.1 Equipment siting and protection
  NIST CSF: PR.AC-2, PR.DS-5, PR.IP-5 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for the protection of equipment

A.11.2.2 Supporting utilities
  NIST CSF: ID.BE-4, PR.IP-5 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Plan to protect equipment from power failures

A.11.2.3 Cabling security
  NIST CSF: ID.BE-4, PR.AC-2, PR.IP-5 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures to protect power and telecommunications cabling

A.11.2.4 Equipment maintenance
  NIST CSF: PR.DS-8, PR.MA-1, PR.MA-2 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Plan for equipment maintenance

A.11.2.5 Removal of assets
  NIST CSF: PR.AC-2, PR.DS-3, PR.MA-1 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for removal of assets; Records of removal of assets

A.11.2.6 Security of equipment and assets off-premises
  NIST CSF: ID.AM-4, PR.AC-2, PR.AC-3, PR.MA-1 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for the protection of equipment taken off-site

A.11.2.7 Secure disposal or re-use of equipment
  NIST CSF: PR.AC-2, PR.DS-3, PR.IP-6 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for the retirement of assets and secure disposal requirements

A.11.2.8 Unattended user equipment
  NIST CSF: PR.AC-2 | CIS 20: CIS 16
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures to protect unattended equipment

A.11.2.9 Clear desk and clear screen policy
  NIST CSF: PR.PT-2 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Clear Desk & Clear Screen Policy
A.12 Operations security

A.12.1 Operational procedures and responsibilities

A.12.1.1 Documented operating procedures
  NIST CSF: DE.AE-1 | CIS 20: NA
  GDPR: Art. 7 (Rec. 32, 42, 43), Art. 8 (Rec. 38), Art. 12 (Rec. 58, 59, 60, 73), Art. 13 (Rec. 60, 61, 62), Art. 14 (Rec. 60, 61, 62), Art. 15 (Rec. 63, 64), Art. 16 (Rec. 65), Art. 17 (Rec. 65, 66), Art. 18 (Rec. 67), Art. 19 (Rec. 66), Art. 20 (Rec. 68), Art. 21 (Rec. 69, 70), Art. 22 (Rec. 71, 72, 91), Art. 24 (Rec. 74 to 77), Art. 25 (Rec. 78), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Operations Security Policy; Operational Readiness Policy; Operating procedures for IT management

A.12.1.2 Change management
  NIST CSF: DE.AE-1, PR.IP-1, PR.IP-3 | CIS 20: NA
  GDPR: Art. 19 (Rec. 66), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Information Security Change Management Policy; Information Security Release Management Policy; Change management procedures

A.12.1.3 Capacity management
  NIST CSF: ID.BE-4, PR.DS-4 | CIS 20: NA
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Capacity management program

A.12.1.4 Separation of development, testing and operational environments
  NIST CSF: PR.DS-7 | CIS 20: CIS 18
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Separate environments for development, testing and operational activities; Procedures providing guidance on the use of critical/sensitive production data in testing environments

A.12.2 Protection from malware

A.12.2.1 Controls against malware
  NIST CSF: DE.CM-4, PR.AT-1, PR.DS-6, RS.MI-1, RS.MI-2 | CIS 20: CIS 8
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Malware Policy

A.12.3 Backup

A.12.3.1 Information backup
  NIST CSF: PR.DS-4, PR.IP-4 | CIS 20: CIS 10
  GDPR: Art. 5 (Rec. 39), Art. 7 (Rec. 32, 42, 43), Art. 12 (Rec. 58, 59, 60, 73), Art. 16 (Rec. 65), Art. 17 (Rec. 65, 66), Art. 18 (Rec. 67), Art. 21 (Rec. 69, 70), Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Backup Policy; Backup plan to restore information and software in case of a disaster

A.12.4 Logging and monitoring

A.12.4.1 Event logging
  NIST CSF: DE.AE-2, DE.AE-3, DE.CM-3, DE.CM-7, PR.PT-1, RS.AN-1 | CIS 20: CIS 6, CIS 12, CIS 15
  GDPR: Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Audit and Log Policy; Logs of user activities, exceptions, and security events

A.12.4.2 Protection of log information
  NIST CSF: PR.PT-1 | CIS 20: CIS 6
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Controls to protect logging facilities and log information against tampering and unauthorized access

A.12.4.3 Administrator and operator logs
  NIST CSF: DE.CM-3, PR.PT-1, RS.AN-1 | CIS 20: CIS 6
  GDPR: Art. 30 (Rec. 13, 82), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Controls to prevent unauthorized access to log repositories

A.12.4.4 Clock synchronisation
  NIST CSF: PR.PT-1 | CIS 20: CIS 6
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)

A.12.5 Control of operational software

A.12.5.1 Installation of software on operational systems
  NIST CSF: DE.CM-5, ID.AM-2, PR.DS-6, PR.IP-1, PR.IP-3 | CIS 20: CIS 2
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Bring Your Own Device Policy; Installation of Software Policy; Controls to ensure that only administrators can install software; Audit log of all updates to operational program libraries

A.12.6 Technical vulnerability management

A.12.6.1 Management of technical vulnerabilities
  NIST CSF: DE.CM-8, ID.RA-1, ID.RA-5, PR.IP-12, RS.MI-3 | CIS 20: CIS 3
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Vulnerability Management Process

A.12.6.2 Restrictions on software installation
  NIST CSF: DE.CM-5, PR.IP-1, PR.IP-3 | CIS 20: CIS 2
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Procedures for the installation of software on user workstations

A.12.7 Information systems audit considerations

A.12.7.1 Information systems audit controls
  NIST CSF: PR.PT-1 | CIS 20: CIS 6, CIS 12, CIS 15
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 17 (Rec. 59 to 69), Art. 48 (Rec. 62 to 68), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Plans for the verification of operational systems
A.13 Communications security

A.13.1 Network security management

A.13.1.1 Network controls
  NIST CSF: DE.AE-1, PR.AC-3, PR.AC-5, PR.DS-2, PR.DS-5, PR.PT-4 | CIS 20: CIS 1, CIS 9, CIS 11, CIS 12
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Information Security Communication Policy; Information Security Cloud Policy; Controls to protect networks and connected services

A.13.1.2 Security of network services
  NIST CSF: DE.AE-1 | CIS 20: CIS 9
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Network service agreements include security mechanisms, service levels, and management requirements of all network services

A.13.1.3 Segregation in networks
  NIST CSF: PR.AC-5, PR.DS-5 | CIS 20: CIS 11, CIS 12
  GDPR: Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)

A.13.2 Information transfer

A.13.2.1 Information transfer policies and procedures
  NIST CSF: ID.AM-3, PR.AC-3, PR.AC-5, PR.DS-2, PR.DS-5, PR.PT-4 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 7 (Rec. 32, 42, 43), Art. 15 (Rec. 63, 64), Art. 20 (Rec. 68), Art. 24 (Rec. 74 to 77), Art. 26 (Rec. 79), Art. 32 (Rec. 78, 83), Art. 44 (Rec. 101, 102), Art. 46 (Rec. 108, 109), Art. 49 (Rec. 111 to 115) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Information Transfer Policy; Procedures to protect the information transferred through or exchanged with external entities

A.13.2.2 Agreements on information transfer
  NIST CSF: ID.AM-3 | CIS 20: NA
  GDPR: Art. 26 (Rec. 79), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Agreements with third parties include security requirements for the exchange of information

A.13.2.3 Electronic messaging
  NIST CSF: PR.DS-2, PR.DS-5 | CIS 20: CIS 8, CIS 12, CIS 13
  GDPR: Art. 5 (Rec. 39), Art. 15 (Rec. 63, 64), Art. 20 (Rec. 68), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Controls to reduce the risks of electronic messaging

A.13.2.4 Confidentiality or non-disclosure agreements
  NIST CSF: PR.DS-5 | CIS 20: NA
  GDPR: Art. 5 (Rec. 39), Art. 7 (Rec. 32, 42, 43), Art. 20 (Rec. 68), Art. 26 (Rec. 79), Art. 32 (Rec. 78, 83) | NISD: Art. 14 (Rec. 44, 46, 47) | MIFID II: Art. 9 (Rec. 53, 54), Art. 16 (Rec. 57, 58), Art. 64 (Rec. 116), Art. 65 (Rec. 117 to 119), Art. 66 (-)
  Sufficient evidence: Confidentiality and/or non-disclosure agreements in place with third parties
System acquisition, development and maintenance A.14
Security requirements of information systems A.14.1
A.14.1.1 Information security requirements analysis and specification
NIST CSF: PR.IP-2
CIS 20: NA
GDPR: 5º (39); 6º (39, 40, 42, 43, 44); 7º (32, 42, 43); 8º (38); 9º (46, 51, 52); 10º (50); 11º (57); 12º (58, 59, 60, 73); 13º (60, 61, 62); 14º (60, 61, 62); 15º (63, 64); 16º (65); 17º (65, 66); 18º (67); 19º (66); 20º (68); 21º (69, 70); 22º (71, 72, 91); 24º (74 to 77); 25º (78); 30º (13, 82); 32º (78, 83); 35º (75, 84, 90, 91, 92)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Information Security Systems Acquisition, Development and Maintenance Policy


A.14.1.2 Securing application services on public networks
NIST CSF: PR.AC-5, PR.DS-2, PR.DS-5, PR.DS-6
CIS 20: CIS 9
GDPR: 14º (60, 61, 62); 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Controls to protect information passed over public networks


A.14.1.3 Protecting application services transactions
NIST CSF: PR.AC-5, PR.DS-2, PR.DS-5, PR.DS-6, PR.PT-4
CIS 20: NA
GDPR: 14º (60, 61, 62); 20º (68); 32º (78, 83); 44º (101, 102); 46º (108, 109)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Controls to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay

Security in development and support processes A.14.2
A.14.2.1 Secure development policy
NIST CSF: PR.IP-2
CIS 20: CIS 18
GDPR: 25º (78); 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)

A.14.2.2 System change control procedures
NIST CSF: PR.IP-1, PR.IP-3
CIS 20: NA
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: Change control procedures

A.14.2.3 Technical review of applications after operating platform changes
NIST CSF: PR.IP-1, PR.IP-3, PR.IP-12
CIS 20: NA
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: Process for reviewing operating system changes

A.14.2.4 Restrictions on changes to software packages
NIST CSF: PR.DS-6, PR.IP-1, PR.IP-3
CIS 20: CIS 5, CIS 7
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)

A.14.2.5 Secure system engineering principles
NIST CSF: PR.IP-2
CIS 20: NA
GDPR: 25º (78); 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: Secure coding guidelines



A.14.2.6 Secure development environment
NIST CSF: -
CIS 20: CIS 18
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: List of all secure development environments, including security controls, definition of environment purpose, and associated development efforts


A.14.2.7 Outsourced software development
NIST CSF: DE.CM-6, DE.CM-7
CIS 20: CIS 18
GDPR: 32º (78, 83)
NISD: 14º (34)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: Supervise and monitor the activity of outsourced system development

A.14.2.8 System security testing
NIST CSF: DE.DP-3
CIS 20: CIS 3, CIS 5, CIS 7, CIS 18, CIS 20
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: Test security functionality during the development of software and systems

A.14.2.9 System acceptance testing
NIST CSF: -
CIS 20: NA
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: Acceptance testing program that covers information security requirements

Test data A.14.3
A.14.3.1 Protection of system test data
NIST CSF: -
CIS 20: NA
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: Controls to protect data used in test environments

Supplier relationships A.15
Information security in supplier relationships A.15.1
A.15.1.1 Information security in supplier relationships
NIST CSF: ID.BE-1, ID.GV-2, ID.SC-1, ID.SC-3, PR.MA-2
CIS 20: NA
GDPR: 5º (39); 26º (79); 28º (81); 32º (78, 83); 44º (101, 102); 46º (108, 109)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: Information Security Supplier Relationships Policy

A.15.1.2 Addressing security within supplier agreements
NIST CSF: ID.BE-1, ID.SC-1, ID.SC-3
CIS 20: NA
GDPR: 5º (39); 26º (79); 28º (81); 32º (78, 83); 44º (101, 102); 46º (108, 109)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: Agreements with suppliers include information security requirements

A.15.1.3 Information and communication technology supply chain
NIST CSF: ID.BE-1, ID.SC-1, ID.SC-3
CIS 20: NA
GDPR: 5º (39); 26º (79); 28º (81); 32º (78, 83); 44º (101, 102); 46º (108, 109)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)

Supplier service delivery management A.15.2


A.15.2.1 Monitoring and review of supplier services
NIST CSF: DE.CM-6, DE.CM-7, ID.BE-1, ID.SC-1, ID.SC-2, ID.SC-4, PR.MA-2
CIS 20: NA
GDPR: 5º (39); 26º (79); 28º (81); 32º (78, 83); 44º (101, 102); 46º (108, 109)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: Monitor, review and audit supplier services


A.15.2.2 Managing changes to supplier services
NIST CSF: ID.BE-1, ID.SC-1, ID.SC-2, ID.SC-4
CIS 20: NA
GDPR: 5º (39); 26º (79); 28º (81); 32º (78, 83); 44º (101, 102); 46º (108, 109)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: Review the changes to services provided by suppliers to determine continued adherence to information security requirements

Information security incident management A.16
Management of information security incidents and improvements A.16.1
A.16.1.1 Responsibilities and procedures
NIST CSF: DE.AE-2, PR.IP-9, RS.CO-1
CIS 20: CIS 19
GDPR: 12º (58, 59, 60, 73); 13º (60, 61, 62); 14º (60, 61, 62); 24º (74 to 77); 26º (79); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Information Security Incidents Management Policy


A.16.1.2 Reporting information security events
NIST CSF: DE.DP-4, RS.CO-2, RS.CO-3
CIS 20: CIS 19
GDPR: 26º (79); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Communicate to employees and contractors the expectation that they report information security events and possible security weaknesses

A.16.1.3 Reporting information security weaknesses
NIST CSF: DE.DP-4, PR.IP-12
CIS 20: CIS 19
GDPR: 26º (79); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)


A.16.1.4 Assessment of and decision on information security events
NIST CSF: DE.AE-2, DE.AE-4, DE.AE-5, RS.AN-2, RS.AN-4
CIS 20: CIS 19
GDPR: 26º (79); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Review security events by designated personnel to determine if events should be classified as security incidents

A.16.1.5 Response to information security incidents
NIST CSF: RC.RP-1, RS.AN-1, RS.MI-1, RS.MI-2, RS.RP-1
CIS 20: CIS 19
GDPR: 26º (79); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Incident Management Procedures

A.16.1.6 Learning from information security incidents
NIST CSF: DE.DP-5, ID.RA-4, PR.IP-7, PR.IP-8, RC.IM-1, RC.IM-2, RS.AN-2, RS.IM-1, RS.IM-2
CIS 20: CIS 19
GDPR: 26º (79); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Update incident knowledgebase after analyzing and resolving information security incidents


A.16.1.7 Collection of evidence
NIST CSF: DE.AE-3, RS.AN-3
CIS 20: CIS 19
GDPR: 26º (79); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Procedures for the identification, collection, acquisition and preservation of information which can serve as evidence

Information security aspects of business continuity management A.17
Information security continuity A.17.1
A.17.1.1 Planning information security continuity
NIST CSF: ID.BE-5, PR.IP-9
CIS 20: NA
GDPR: 5º (39); 24º (74 to 77); 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Business Continuity and Disaster Recovery Policy; Business Continuity Plan; Business Impact Analysis

A.17.1.2 Implementing information security continuity
NIST CSF: ID.BE-5, PR.IP-4, PR.IP-9, PR.PT-5
CIS 20: NA
GDPR: 5º (39); 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Business Continuity Procedures



A.17.1.3 Verify, review and evaluate information security continuity
NIST CSF: ID.SC-5, PR.IP-4, PR.IP-9, PR.IP-10
CIS 20: NA
GDPR: 5º (39); 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Test and review security continuity controls

Redundancies A.17.2
A.17.2.1 Availability of information processing facilities
NIST CSF: ID.BE-5, PR.DS-4, PR.PT-5
CIS 20: NA
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Failover tests

Compliance A.18
Compliance with legal and contractual requirements A.18.1
A.18.1.1 Identification of applicable legislation and contractual requirements
NIST CSF: ID.GV-3
CIS 20: NA
GDPR: 2º (-); 5º (39); 6º (39 to 50 and 171); 7º (32, 33, 42, 43); 8º (38); 9º (46, 51, 52); 10º (50); 18º (67); 23º (73); 24º (74 to 77); 26º (79); 28º (81); 29º (-); 32º (78, 83); 38º (97); 39º (97); 40º (98, 99); 45º (103 to 107); 46º (108, 109); 47º (110); 48º (115); 49º (111 to 115); 85º (153); 86º (154); 87º (-); 88º (155); 90º (164); 96º (-)
NISD: 2º (13 to 21, 27); 3º (6, 8); 4º (9, 12, 13); 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 24º (72 to 78, 81 to 84); 25º (71, 79, 80, 85); 27º (91 to 98); 28º (-); 30º (103 to 105)
Sufficient evidence: Information Security Compliance Policy; Data Policy for Privacy and Protection of Personally Identifiable Information; Process to track relevant statutory, regulatory, and contractual requirements


A.18.1.2 Intellectual property rights
NIST CSF: ID.GV-3
CIS 20: NA
GDPR: 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: Procedures to ensure compliance with requirements related to intellectual property rights and use of proprietary software products

A.18.1.3 Protection of records
NIST CSF: ID.GV-3, PR.IP-4
CIS 20: NA
GDPR: 5º (39); 6º (39 to 50, 171); 7º (32, 33, 42, 43); 8º (38); 9º (46, 51, 52); 10º (50); 12º (58, 59, 60, 73); 15º (63, 64); 16º (65); 17º (65, 66); 18º (67); 20º (68); 28º (81); 30º (13, 82); 31º (82); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88); 35º (75, 84, 89 to 93); 44º (101, 102)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 17º (59 to 69)
Sufficient evidence: Controls to protect important records

A.18.1.4 Privacy and protection of personally identifiable information
NIST CSF: DE.DP-2, ID.GV-3, PR.AC-7
CIS 20: NA
GDPR: 1º (1 to 12); 3º (22 to 25); 5º (39); 6º (39 to 50, 171); 7º (32, 33, 42, 43); 8º (38); 9º (46, 51, 52); 10º (50); 11º (57); 12º (58, 59, 60, 73); 13º (60, 61, 62); 14º (60, 61, 62); 15º (63, 64); 16º (65); 17º (65, 66); 18º (67); 19º (66); 20º (68); 21º (69, 70); 22º (71, 72, 91); 24º (74 to 77); 25º (78); 26º (79); 27º (80); 28º (81); 29º (-); 30º (13, 82); 31º (82); 32º (78, 83); 33º (85, 87, 88); 34º (86, 87, 88); 35º (75, 84, 89 to 92); 36º (94, 95, 96); 37º (97); 38º (97); 39º (97); 44º (101, 102); 45º (103 to 107); 46º (108, 109); 47º (110); 48º (115); 49º (111 to 115); 85º (153); 86º (154); 87º (-); 88º (155); 89º (156 to 163); 90º (164)
NISD: 2º (-); 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: Procedures detailing user expectations to protect personally identifiable information

A.18.1.5 Regulation of cryptographic controls
NIST CSF: ID.GV-3
CIS 20: CIS 13
GDPR: 5º (39); 6º (39, 49, 50); 20º (68); 25º (78); 32º (78, 83)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58)
Sufficient evidence: List of cryptographic controls

Information security reviews A.18.2
A.18.2.1 Independent review of information security
NIST CSF: -
CIS 20: CIS 20
GDPR: 32º (78, 83); 39º (97); 47º (110)
NISD: 14º (44, 46, 47)
MIFID II: 9º (53, 54); 16º (57, 58); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Consult internal and external information security advisers



A.18.2.2 Compliance with security policies and standards
NIST CSF: DE.DP-2, PR.IP-12
CIS 20: NA
GDPR: 24º (74 to 77); 32º (78, 83); 39º (97)
NISD: 14º (44, 46, 47); 15º (44, 46)
MIFID II: 9º (53, 54); 16º (57, 58); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Records of the reviews of information security requirements compliance


A.18.2.3 Technical compliance review
NIST CSF: DE.DP-2, ID.RA-1, PR.IP-12
CIS 20: CIS 5, CIS 7, CIS 20
GDPR: 24º (74 to 77); 32º (78, 83)
NISD: 14º (44, 46, 47); 15º (44, 46)
MIFID II: 9º (53, 54); 16º (57, 58); 64º (116); 65º (117 to 119); 66º (-)
Sufficient evidence: Periodically check information systems for technical compliance with security implementation standards


ISO 27001 Controls

ISO/IEC 27001:2013 Control | Description
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
a) interested parties that are relevant to the information security management system; and
b) the requirements of these interested parties relevant to information security.

4.3 Determining the scope of the information security management system
The organization shall determine the boundaries and applicability of the information security management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
b) the requirements referred to in 4.2; and
c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations.
The scope shall be available as documented information.

4.4 Information security management system
The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.
5 Leadership

5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the information security management system by:
a) ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization;
b) ensuring the integration of the information security management system requirements into the organization’s processes;
c) ensuring that the resources needed for the information security management system are available;
d) communicating the importance of effective information security management and of conforming to the information security management system requirements;
e) ensuring that the information security management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the information security management system;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5.2 Policy
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization;
b) includes information security objectives (see 6.2) or provides the framework for setting information security objectives;
c) includes a commitment to satisfy applicable requirements related to information security; and
d) includes a commitment to continual improvement of the information security management system.
The information security policy shall:
e) be available as documented information;
f) be communicated within the organization; and
g) be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for:
a) ensuring that the information security management system conforms to the requirements of this International Standard; and
b) reporting on the performance of the information security management system to top management.
6 Planning
6.1 Actions to address risks and opportunities

6.1.1 General
When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) ensure the information security management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to
1) integrate and implement the actions into its information security management system processes; and
2) evaluate the effectiveness of these actions.

6.1.2 Information security risk assessment
The organization shall define and apply an information security risk assessment process that:
a) establishes and maintains information security risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing information security risk assessments;
b) ensures that repeated information security risk assessments produce consistent, valid and comparable results;
c) identifies the information security risks:
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
2) identify the risk owners;
d) analyses the information security risks:
1) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
3) determine the levels of risk;
e) evaluates the information security risks:
1) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.
d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A;
e) formulate an information security risk treatment plan; and
f) obtain risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process.

6.2 Information security objectives and planning to achieve them
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be communicated; and
e) be updated as appropriate.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
f) what will be done;
g) what resources will be required;
h) who will be responsible;
i) when it will be completed; and
j) how the results will be evaluated.

7 Support
7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

7.2 Competence
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.

7.3 Awareness
Persons doing work under the organization’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.


7.4 Communication
The organization shall determine the need for internal and external communications relevant to the information security management system including:
a) on what to communicate;
b) when to communicate;
c) with whom to communicate;
d) who shall communicate; and
e) the processes by which communication shall be effected.

7.5 Documented information

7.5.1 General
The organization’s information security management system shall include:
a) documented information required by this International Standard; and
b) documented information determined by the organization as being necessary for the effectiveness of the information security management system.
NOTE The extent of documented information for an information security management system can differ from one organization to another due to:
1) the size of organization and its type of activities, processes, products and services;
2) the complexity of processes and their interactions; and
3) the competence of persons.

7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.

7.5.3 Control of documented information
Documented information required by the information security management system and by this International Standard shall be controlled to ensure:
a) it is available and suitable for use, where and when it is needed; and
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
c) distribution, access, retrieval and use;
d) storage and preservation, including the preservation of legibility;
e) control of changes (e.g. version control); and
f) retention and disposition.
Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled.

8 Operation
8.1 Operational planning and control
The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2.
The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.
The organization shall ensure that outsourced processes are determined and controlled.

8.2 Information security risk assessment
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a).
The organization shall retain documented information of the results of the information security risk assessments.

8.3 Information security risk treatment
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security risk treatment.
9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the information security management system.
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

9.2 Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:
a) conforms to
1) the organization’s own requirements for its information security management system; and
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;
d) define the audit criteria and scope for each audit;
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;
f) ensure that the results of the audits are reported to relevant management; and
g) retain documented information as evidence of the audit programme(s) and the audit results.

9.3 Management review
Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.

10 Improvement

10.1 Nonconformity and corrective action
When a nonconformity occurs, the organization shall:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it; and
2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere, by:
1) reviewing the nonconformity;
2) determining the causes of the nonconformity; and
3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of:
f) the nature of the nonconformities and any subsequent actions taken, and
g) the results of any corrective action.

10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.

A.5 Information security policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
A.5.1.2 Review of the policies for information security
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
A.6 Organization of information security
A.6.1 Internal Organization
A.6.1.1 Information security roles and responsibilities
All information security responsibilities shall be defined and allocated.
A.6.1.2 Segregation of duties
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
A.6.1.3 Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.
A.6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.


A.6.1.5 Information security in project management
Information security shall be addressed in project management, regardless of the type of the project.
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
A.6.2.2 Teleworking
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
A.7 Human Resources Security
A.7.1 Prior to employment
A.7.1.1 Screening
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
A.7.1.2 Terms and conditions of employment
The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.
A.7.2 During employment
A.7.2.1 Management responsibilities
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
A.7.2.2 Information security awareness, education and training
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
A.7.2.3 Disciplinary process
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
A.8 Asset Management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
A.8.1.2 Ownership of assets
Assets maintained in the inventory shall be owned.
A.8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
A.8.1.4 Return of assets
All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
A.8.2 Information classification
A.8.2.1 Classification of information
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
A.8.2.2 Labelling of information
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
A.8.2.3 Handling of assets
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
A.8.3 Media handling
A.8.3.1 Management of removable media
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
A.8.3.2 Disposal of media
Media shall be disposed of securely when no longer required, using formal procedures.
A.8.3.3 Physical media transfer
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
A.9 Access Control
A.9.1 Business requirements of access control
A.9.1.1 Access control policy
An access control policy shall be established, documented and reviewed based on business and information security requirements.

A.9.1.2 Access to networks and network services Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

A.9.2 User access management


A.9.2.1 User registration and de-registration A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

A.9.2.2 User access provisioning A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems
and services.
A.9.2.3 Management of privileged access rights The allocation and use of privileged access rights shall be restricted and controlled.
A.9.2.4 Management of secret authentication information of users The allocation of secret authentication information shall be controlled through a formal management process.
A.9.2.5 Review of user access rights Asset owners shall review users’ access rights at regular intervals.

A.9.2.6 Removal or adjustment of access rights The access rights of all employees and external party users to information and information processing facilities shall be removed
upon termination of their employment, contract or agreement, or adjusted upon change.
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information Users shall be required to follow the organization’s practices in the use of secret authentication information.
A.9.4 System and application access control
A.9.4.1 Information access restriction Access to information and application system functions shall be restricted in accordance with the access control policy.

A.9.4.2 Secure log-on procedures Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

A.9.4.3 Password management system Password management systems shall be interactive and shall ensure quality passwords.

A.9.4.4 Use of privileged utility programs The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly
controlled.
A.9.4.5 Access control to program source code Access to program source code shall be restricted.
A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

A.10.1.2 Key management A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole
lifecycle.
A.11 Physical and Environmental Security
A.11.1 Secure Areas
A.11.1.1 Physical security perimeter Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information
processing facilities.
A.11.1.2 Physical entry controls Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
A.11.1.3 Securing offices, rooms and facilities Physical security for offices, rooms and facilities shall be designed and applied.
A.11.1.4 Protecting against external and environmental attacks Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
A.11.1.5 Working in secure areas Procedures for working in secure areas shall be designed and applied.

A.11.1.6 Delivery and loading areas Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be
controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
A.11.2 Equipment
A.11.2.1 Equipment siting and protection Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for
unauthorized access.
A.11.2.2 Supporting utilities Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

A.11.2.3 Cabling security Power and telecommunications cabling carrying data or supporting information services shall be protected from interception,
interference or damage.
A.11.2.4 Equipment maintenance Equipment shall be correctly maintained to ensure its continued availability and integrity.
A.11.2.5 Removal of assets Equipment, information or software shall not be taken off-site without prior authorization.

A.11.2.6 Security of equipment and assets off-premises Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

A.11.2.7 Secure disposal or re-use of equipment All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been
removed or securely overwritten prior to disposal or re-use.
A.11.2.8 Unattended user equipment Users shall ensure that unattended equipment has appropriate protection.

A.11.2.9 Clear desk and clear screen policy A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be
adopted.
A.12 Operations security
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures Operating procedures shall be documented and made available to all users who need them.

A.12.1.2 Change management Changes to the organization, business processes, information processing facilities and systems that affect information security shall
be controlled.
A.12.1.3 Capacity management The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required
system performance.
A.12.1.4 Separation of development, testing and operational environments Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to
the operational environment.
A.12.2 Protection from malware
A.12.2.1 Controls against malware Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user
awareness.
A.12.3 Backup
A.12.3.1 Information backup Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup
policy.
A.12.4 Logging and monitoring
A.12.4.1 Event logging Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly
reviewed.
A.12.4.2 Protection of log information Logging facilities and log information shall be protected against tampering and unauthorized access.
A.12.4.3 Administrator and operator logs System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.

A.12.4.4 Clock synchronisation The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a
single reference time source.
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems Procedures shall be implemented to control the installation of software on operational systems.
A.12.6 Technical Vulnerability Management
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the
A.12.6.1 Control of technical vulnerabilities organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

A.12.6.2 Restrictions on software installation Rules governing the installation of software by users shall be established and implemented.
A.12.7 Information systems audit controls
A.12.7.1 Information systems audit controls Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise
disruptions to business processes.
A.13 Communications security
A.13.1 Network security management
A.13.1.1 Network controls Networks shall be managed and controlled to protect information in systems and applications.

A.13.1.2 Security of network services Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
A.13.1.3 Segregation in networks Groups of information services, users and information systems shall be segregated on networks.
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
A.13.2.2 Agreements on information transfer Agreements shall address the secure transfer of business information between the organization and external parties.
A.13.2.3 Electronic messaging Information involved in electronic messaging shall be appropriately protected.
A.13.2.4 Confidentiality or non-disclosure agreements Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
A.14.1.2 Securing application services on public networks Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
A.14.1.3 Protecting application services transactions Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy Rules for the development of software and systems shall be established and applied to developments within the organization.
A.14.2.2 System change control procedures Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
A.14.2.3 Technical review of applications after operating platform changes When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
A.14.2.4 Restrictions on changes to software packages Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
A.14.2.5 Secure system engineering principles Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
A.14.2.6 Secure development environment Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
A.14.2.7 Outsourced software development The organization shall supervise and monitor the activity of outsourced system development.
A.14.2.8 System security testing Testing of security functionality shall be carried out during development.
A.14.2.9 System acceptance testing Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
A.14.3 Test data
A.14.3.1 Protection of system test data Test data shall be selected carefully, protected and controlled.
A.15 Supplier relationships
A.15.1 Information security in supplier relationships
A.15.1.1 Information security in supplier relationships Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.
A.15.1.2 Addressing security within supplier agreements All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.
A.15.1.3 Information and communication technology supply chain Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services Organizations shall regularly monitor, review and audit supplier service delivery.
A.15.2.2 Managing changes to supplier services Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.
A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
A.16.1.2 Reporting information security events Information security events shall be reported through appropriate management channels as quickly as possible.
A.16.1.3 Reporting information security weaknesses Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
A.16.1.4 Assessment of and decision on information security events Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
A.16.1.5 Response to information security incidents Information security incidents shall be responded to in accordance with the documented procedures.
A.16.1.6 Learning from information security incidents Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
A.16.1.7 Collection of evidence The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
A.17.1.2 Implementing information security continuity The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A.17.1.3 Verify, review and evaluate information security continuity The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
A.18.1.2 Intellectual property rights Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
A.18.1.3 Protection of records Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
A.18.1.4 Privacy and protection of personally identifiable information Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
A.18.1.5 Regulation of cryptographic controls Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
A.18.2 Information security reviews
A.18.2.1 Independent review of information security The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
A.18.2.2 Compliance with security policies and standards Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
A.18.2.3 Technical compliance review Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.
Function / Category / Subcategory

IDENTIFY (ID)
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

PROTECT (PR)
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are managed for authorized devices and users
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles & responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
PR.AT-4: Senior executives understand roles & responsibilities
PR.AT-5: Physical and information security personnel understand roles & responsibilities
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
PR.PT-4: Communications and control networks are protected
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations

DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved

RESPOND (RS)
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
RS.RP-1: Response plan is executed during or after an event
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Events are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated

RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
RC.RP-1: Recovery plan is executed during or after an event
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.


RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to
internal stakeholders and executive and management
teams
CIS Control  CIS Sub-Control  Asset Type  Security Function  Title
1 Inventory and Control of Hardware Assets
1.1 Devices Identify Utilize an Active Discovery Tool
1.2 Devices Identify Use a Passive Asset Discovery Tool
1.3 Devices Identify Use DHCP Logging to Update Asset Inventory
1.4 Devices Identify Maintain Detailed Asset Inventory
1.5 Devices Identify Maintain Asset Inventory Information
1.6 Devices Respond Address Unauthorized Assets
1.7 Devices Protect Deploy Port Level Access Control
1.8 Devices Protect Utilize Client Certificates to Authenticate Hardware Assets
2 Inventory and Control of Software Assets
2.1 Applications Identify Maintain Inventory of Authorized Software
2.2 Applications Identify Ensure Software is Supported by Vendor
2.3 Applications Identify Utilize Software Inventory Tools
2.4 Applications Identify Track Software Inventory Information
2.5 Applications Identify Integrate Software and Hardware Asset Inventories
2.6 Applications Respond Address unapproved software
2.7 Applications Protect Utilize Application Whitelisting
2.8 Applications Protect Implement Application Whitelisting of Libraries
2.9 Applications Protect Implement Application Whitelisting of Scripts
2.10 Applications Protect Physically or Logically Segregate High Risk Applications
3 Continuous Vulnerability Management
3.1 Applications Detect Run Automated Vulnerability Scanning Tools
3.2 Applications Detect Perform Authenticated Vulnerability Scanning
3.3 Users Protect Protect Dedicated Assessment Accounts
3.4 Applications Protect Deploy Automated Operating System Patch Management Tools
3.5 Applications Protect Deploy Automated Software Patch Management Tools
3.6 Applications Respond Compare Back-to-back Vulnerability Scans
3.7 Applications Respond Utilize a Risk-rating Process
4 Controlled Use of Administrative Privileges
4.1 Users Detect Maintain Inventory of Administrative Accounts
4.2 Users Protect Change Default Passwords
4.3 Users Protect Ensure the Use of Dedicated Administrative Accounts
4.4 Users Protect Use Unique Passwords
4.5 Users Protect Use Multifactor Authentication For All Administrative Access
4.6 Users Protect Use of Dedicated Machines For All Administrative Tasks
4.7 Users Protect Limit Access to Script Tools
4.8 Users Detect Log and Alert on Changes to Administrative Group Membership
4.9 Users Detect Log and Alert on Unsuccessful Administrative Account Login
5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
5.1 Applications Protect Establish Secure Configurations
5.2 Applications Protect Maintain Secure Images
5.3 Applications Protect Securely Store Master Images
5.4 Applications Protect Deploy System Configuration Management Tools
5.5 Applications Detect Implement Automated Configuration Monitoring Systems
6 Maintenance, Monitoring and Analysis of Audit Logs
6.1 Network Detect Utilize Three Synchronized Time Sources
6.2 Network Detect Activate audit logging
6.3 Network Detect Enable Detailed Logging
6.4 Network Detect Ensure adequate storage for logs
6.5 Network Detect Central Log Management
6.6 Network Detect Deploy SIEM or Log Analytic tool
6.7 Network Detect Regularly Review Logs
6.8 Network Detect Regularly Tune SIEM
7 Email and Web Browser Protections
7.1 Applications Protect Ensure Use of Only Fully Supported Browsers and Email Clients
7.2 Applications Protect Disable Unnecessary or Unauthorized Browser or Email Client Plugins
7.3 Applications Protect Limit Use of Scripting Languages in Web Browsers and Email Clients
7.4 Network Protect Maintain and Enforce Network-Based URL Filters
7.5 Network Protect Subscribe to URL-Categorization service
7.6 Network Detect Log all URL requests
7.7 Network Protect Use of DNS Filtering Services
7.8 Network Protect Implement DMARC and Enable Receiver-Side Verification
7.9 Network Protect Block Unnecessary File Types
7.10 Network Protect Sandbox All Email Attachments
8 Malware Defenses
8.1 Devices Protect Utilize Centrally Managed Anti-malware Software
8.2 Devices Protect Ensure Anti-Malware Software and Signatures are Updated
8.3 Devices Protect Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies
8.4 Devices Detect Configure Anti-Malware Scanning of Removable Devices
8.5 Devices Protect Configure Devices Not To Auto-run Content
8.6 Devices Detect Centralize Anti-malware Logging
8.7 Network Detect Enable DNS Query Logging
8.8 Devices Detect Enable Command-line Audit Logging
9 Limitation and Control of Network Ports, Protocols, and Services
9.1 Devices Identify Associate Active Ports, Services and Protocols to Asset Inventory
9.2 Devices Protect Ensure Only Approved Ports, Protocols and Services Are Running
9.3 Devices Detect Perform Regular Automated Port Scans
9.4 Devices Protect Apply Host-based Firewalls or Port Filtering
9.5 Devices Protect Implement Application Firewalls
10 Data Recovery Capabilities
10.1 Data Protect Ensure Regular Automated Back Ups
10.2 Data Protect Perform Complete System Backups
10.3 Data Protect Test Data on Backup Media
10.4 Data Protect Ensure Protection of Backups
10.5 Data Protect Ensure Backups Have At least One Non-Continuously Addressable Destination
11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
11.1 Network Identify Maintain Standard Security Configurations for Network Devices
11.2 Network Identify Document Traffic Configuration Rules
11.3 Network Detect Use Automated Tools to Verify Standard Device Configurations and Detect Changes
11.4 Network Protect Install the Latest Stable Version of Any Security-related Updates on All Network Devices
11.5 Network Protect Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
11.6 Network Protect Use Dedicated Machines For All Network Administrative Tasks
11.7 Network Protect Manage Network Infrastructure Through a Dedicated Network
12 Boundary Defense
12.1 Network Identify Maintain an Inventory of Network Boundaries
12.2 Network Detect Scan for Unauthorized Connections across Trusted Network Boundaries
12.3 Network Protect Deny Communications with Known Malicious IP Addresses
12.4 Network Protect Deny Communication over Unauthorized Ports
12.5 Network Detect Configure Monitoring Systems to Record Network Packets
12.6 Network Detect Deploy Network-based IDS Sensor
12.7 Network Protect Deploy Network-Based Intrusion Prevention Systems
12.8 Network Detect Deploy NetFlow Collection on Networking Boundary Devices
12.9 Network Detect Deploy Application Layer Filtering Proxy Server
12.10 Network Detect Decrypt Network Traffic at Proxy
12.11 Users Protect Require All Remote Login to Use Multi-factor Authentication
12.12 Devices Protect Manage All Devices Remotely Logging into Internal Network
13 Data Protection
13.1 Data Identify Maintain an Inventory of Sensitive Information
13.2 Data Protect Remove Sensitive Data or Systems Not Regularly Accessed by Organization
13.3 Data Detect Monitor and Block Unauthorized Network Traffic
13.4 Data Protect Only Allow Access to Authorized Cloud Storage or Email Providers
13.5 Data Detect Monitor and Detect Any Unauthorized Use of Encryption
13.6 Data Protect Encrypt the Hard Drive of All Mobile Devices
13.7 Data Protect Manage USB Devices
13.8 Data Protect Manage System's External Removable Media's Read/write Configurations
13.9 Data Protect Encrypt Data on USB Storage Devices
14 Controlled Access Based on the Need to Know
14.1 Network Protect Segment the Network Based on Sensitivity
14.2 Network Protect Enable Firewall Filtering Between VLANs
14.3 Network Protect Disable Workstation to Workstation Communication
14.4 Data Protect Encrypt All Sensitive Information in Transit
14.5 Data Detect Utilize an Active Discovery Tool to Identify Sensitive Data
14.6 Data Protect Protect Information through Access Control Lists
14.7 Data Protect Enforce Access Control to Data through Automated Tools
14.8 Data Protect Encrypt Sensitive Information at Rest
14.9 Data Detect Enforce Detail Logging for Access or Changes to Sensitive Data
15 Wireless Access Control
15.1 Network Identify Maintain an Inventory of Authorized Wireless Access Points
15.2 Network Detect Detect Wireless Access Points Connected to the Wired Network
15.3 Network Detect Use a Wireless Intrusion Detection System
15.4 Devices Protect Disable Wireless Access on Devices if Not Required
15.5 Devices Protect Limit Wireless Access on Client Devices
15.6 Devices Protect Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
15.7 Network Protect Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
15.8 Network Protect Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
15.9 Devices Protect Disable Wireless Peripheral Access of Devices
15.10 Network Protect Create Separate Wireless Network for Personal and Untrusted Devices
16 Account Monitoring and Control
16.1 Users Identify Maintain an Inventory of Authentication Systems
16.2 Users Protect Configure Centralized Point of Authentication
16.3 Users Protect Require Multi-factor Authentication
16.4 Users Protect Encrypt or Hash all Authentication Credentials
16.5 Users Protect Encrypt Transmittal of Username and Authentication Credentials
16.6 Users Identify Maintain an Inventory of Accounts
16.7 Users Protect Establish Process for Revoking Access
16.8 Users Respond Disable Any Unassociated Accounts
16.9 Users Respond Disable Dormant Accounts
16.10 Users Protect Ensure All Accounts Have An Expiration Date
16.11 Users Protect Lock Workstation Sessions After Inactivity
16.12 Users Detect Monitor Attempts to Access Deactivated Accounts
16.13 Users Detect Alert on Account Login Behavior Deviation
17 Implement a Security Awareness and Training Program
17.1 N/A N/A Perform a Skills Gap Analysis
17.2 N/A N/A Deliver Training to Fill the Skills Gap
17.3 N/A N/A Implement a Security Awareness Program
17.4 N/A N/A Update Awareness Content Frequently
17.5 N/A N/A Train Workforce on Secure Authentication
17.6 N/A N/A Train Workforce on Identifying Social Engineering Attacks
17.7 N/A N/A Train Workforce on Sensitive Data Handling
17.8 N/A N/A Train Workforce on Causes of Unintentional Data Exposure
17.9 N/A N/A Train Workforce Members on Identifying and Reporting Incidents
18 Application Software Security
18.1 N/A N/A Establish Secure Coding Practices
18.2 N/A N/A Ensure Explicit Error Checking is Performed for All In-house Developed Software
18.3 N/A N/A Verify That Acquired Software is Still Supported
18.4 N/A N/A Only Use Up-to-date And Trusted Third-Party Components
18.5 N/A N/A Use Only Standardized and Extensively Reviewed Encryption Algorithms
18.6 N/A N/A Ensure Software Development Personnel are Trained in Secure Coding
18.7 N/A N/A Apply Static and Dynamic Code Analysis Tools
18.8 N/A N/A Establish a Process to Accept and Address Reports of Software Vulnerabilities
18.9 N/A N/A Separate Production and Non-Production Systems
18.10 N/A N/A Deploy Web Application Firewalls (WAFs)
18.11 N/A N/A Use Standard Hardening Configuration Templates for Databases
19 Incident Response and Management
19.1 N/A N/A Document Incident Response Procedures
19.2 N/A N/A Assign Job Titles and Duties for Incident Response
19.3 N/A N/A Designate Management Personnel to Support Incident Handling
19.4 N/A N/A Devise Organization-wide Standards for Reporting Incidents
19.5 N/A N/A Maintain Contact Information For Reporting Security Incidents
19.6 N/A N/A Publish Information Regarding Reporting Computer Anomalies and Incidents
19.7 N/A N/A Conduct Periodic Incident Scenario Sessions for Personnel
19.8 N/A N/A Create Incident Scoring and Prioritization Schema
20 Penetration Tests and Red Team Exercises
20.1 N/A N/A Establish a Penetration Testing Program
20.2 N/A N/A Conduct Regular External and Internal Penetration Tests
20.3 N/A N/A Perform Periodic Red Team Exercises
20.4 N/A N/A Include Tests for Presence of Unprotected System Information and Artifacts
20.5 N/A N/A Create Test Bed for Elements Not Typically Tested in Production
20.6 N/A N/A Use Vulnerability Scanning and Penetration Testing Tools in Concert
20.7 N/A N/A Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
20.8 N/A N/A Control and Monitor Accounts Associated with Penetration Testing
Description
Inventory and Control of Hardware Assets
Utilize an active discovery tool to identify devices connected to the organization's network and update the hardwa
Utilize a passive discovery tool to identify devices connected to the organization's network and automatically upd
hardware asset inventory.
Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools
hardware asset inventory.
Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process infor
include all hardware assets, whether connected to the organization's network or not.
Ensure that the hardware asset inventory records the network address, hardware address, machine name, data
for each asset and whether the hardware asset has been approved to connect to the network.
Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in
Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the netw
system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the
Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Inventory and Control of Software Assets
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose o
Ensure that only software applications or operating systems currently supported by the software's vendor are add
authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Utilize software inventory tools throughout the organization to automate the documentation of all software on bus
The software inventory system should track the name, version, publisher, and install date for all software, includi
authorized by the organization.
The software inventory system should be tied into the hardware asset inventory so all devices and associated so
single location.
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all u
blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized software libraries (such as *
allowed to load into a system process.
The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (suc
*.py, macros, etc) are allowed to run on a system.
Physically or logically segregated systems should be used to isolate and run software that is required for busines
risk for the organization.
Continuous Vulnerability Management
Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network
basis to identify all potential vulnerabilities on the organization's systems.
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners
elevated rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administra
tied to specific machines at specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems are running the most rece
by the software vendor.
Deploy automated software update tools in order to ensure that third-party software on all systems is running the
provided by the software vendor.
Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been reme
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Controlled Use of Administrative Privileges
Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure tha
have elevated privileges.
Before deploying any new asset, change all default passwords to have values consistent with administrative leve
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activ
be used for administrative activities and not internet browsing, email, or similar activities.
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accou
unique to that system.
Use multi-factor authentication and encrypted channels for all administrative account access.
Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative acce
segmented from the organization's primary network and not be allowed Internet access. This machine will not be
composing documents, or browsing the Internet.
Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development
those capabilities.
Configure systems to issue a log entry and alert when an account is added to or removed from any group assign
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Maintain documented, standard security configuration standards for all authorized operating systems and softwa
Maintain secure images or templates for all systems in the enterprise based on the organization's approved conf
system deployment or existing system that becomes compromised should be imaged using one of those images
Store the master images and templates on securely configured servers, validated with integrity monitoring tools,
changes to the images are possible.
Deploy system configuration management tools that will automatically enforce and redeploy configuration setting
scheduled intervals.
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all se
catalog approved exceptions, and alert when unauthorized changes occur.
Maintenance, Monitoring and Analysis of Audit Logs
Use at least three synchronized time sources from which all servers and network devices retrieve time informatio
timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user, timestamp, source add
addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Email and Web Browser Protections
Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideal
of the browsers and email clients provided by the vendor.
Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organiz
enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website catego
Uncategorized sites shall be blocked by default.
Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to iden
activity and assist incident handlers with identifying potentially compromised systems.
Use DNS filtering services to help block access to known malicious domains.
To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Auth
Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) an
Mail(DKIM) standards.
Block all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the o
Use sandboxing to analyze and block inbound email attachments with malicious behavior.
Malware Defenses
Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's w
Ensure that the organization's anti-malware software updates its scanning engine and signature database on a r
Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomiza
in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set o
executables.
Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted o
Configure devices to not auto-run content from removable media.
Send all malware detection events to enterprise anti-malware administration tools and event log servers for analy
Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.
Limitation and Control of Network Ports, Protocols, and Services
Associate active ports, services and protocols to the hardware assets in the asset inventory.
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected
Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic exce
that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any u
blocked and logged.
Data Recovery Capabilities
Ensure that all system data is automatically backed up on regular basis.
Ensure that each of the organization's key systems are backed up as a complete system, through processes suc
quick recovery of an entire system.
Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that th
Ensure that backups are properly protected via physical security or encryption when they are stored, as well as w
the network. This includes remote backups and cloud services.
Ensure that all backups have at least one backup destination that is not continuously addressable through opera
Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Maintain standard, documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration
specific business reason for each rule, a specific individual’s name responsible for that business need, and an ex
Compare all network device configuration against approved security configurations defined for each network dev
deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated acces
segmented from the organization's primary network and not be allowed Internet access. This machine shall not b
composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that
VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
Boundary Defense
Maintain an up-to-date inventory of all of the organization's network boundaries.
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections whic
boundary.
Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and
at each of the organization's network boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized pr
the network boundary in or out of the network at each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each of the organizatio
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and de
systems at each of the organization's network boundaries.
Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organ
Enable the collection of NetFlow and logging data on all network boundary devices.
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy tha
unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organiza
allowed sites that can be accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authe
Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ens
organization's security policies has been enforced in the same manner as local network devices.
Data Protection
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technolo
located onsite or at a remote service provider.
Remove sensitive data or systems not regularly accessed by the organization from the network. These systems
alone systems (disconnected from the network) by the business unit needing to occasionally use the system or c
powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information
while alerting information security professionals.
Only allow access to authorized cloud storage or email providers.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure systems to allow the
inventory of such devices should be maintained.
Configure systems not to write data to external removable media, if there is no business need for supporting suc
If USB storage devices are required, all data stored on such devices must be encrypted while at rest.
Controlled Access Based on the Need to Know
Segment the network based on the label or classification level of the information stored on the servers, locate all
separated Virtual Local Area Networks (VLANs).
Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with oth
their specific responsibilities.
Disable all workstation to workstation communication to limit an attacker's ability to move laterally and compromi
through technologies such as Private VLANs or microsegmentation.
Encrypt all sensitive information in transit.
Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organi
including those located onsite or at a remote service provider and update the organization's sensitive information
Protect all information stored on systems with file system, network share, claims, application, or database specifi
controls will enforce the principle that only authorized individuals should have access to the information based on
information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when
Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not inte
system, in order to access the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as Fil
Security Information and Event Monitoring).
Wireless Access Control
Maintain an inventory of authorized wireless access points connected to the wired network.
Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connec
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points con
Disable wireless access on devices that do not have a business purpose for wireless access.
Configure wireless access on client machines that do have an essential wireless business purpose, to allow acce
networks and to restrict access to other wireless networks.
Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transpor
that requires mutual, multi-factor authentication.
Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a
Create a separate wireless network for personal or untrusted devices. Enterprise access from this network shoul
filtered and audited accordingly.
Account Monitoring and Control
Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a
Configure access for all accounts through as few centralized points of authentication as possible, including netwo
systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-pa
Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypt
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling accounts immediately upon
responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows pre
Disable any account that cannot be associated with a business process or business owner.
Automatically disable dormant accounts after a set period of inactivity.
Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.
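The account-lifecycle and monitoring controls above (disable accounts with no business owner, disable dormant accounts, enforce expiration dates, log attempts against deactivated accounts, alert on deviations from normal login behavior) are policy statements; this added example, which is not code from the matrix or from any of the mapped frameworks, shows how they can be enforced and detected together over a constructed account inventory and constructed authentication log lines. The 45-day dormancy threshold, the 07:00-18:59 working window, the log format and the per-user workstation baseline are all assumptions for the example.

```python
from datetime import datetime
from typing import Any, Dict, Iterable, List, Set, Tuple

# Policy values assumed for this example (the matrix leaves the thresholds to the organization):
# an account idle for more than 45 days is dormant, and normal logins happen 07:00-18:59.
DORMANCY_DAYS = 45
WORK_HOURS = range(7, 19)

# Constructed sample inventory, organized by authentication system.
ACCOUNTS = [
    {"system": "ad",  "user": "alice",   "owner": "finance", "expires": "2025-12-31",
     "last_login": "2025-06-28", "enabled": True},
    {"system": "ad",  "user": "bob",     "owner": "it-ops",  "expires": "2025-12-31",
     "last_login": "2025-03-01", "enabled": True},   # idle for months
    {"system": "vpn", "user": "svc-old", "owner": None,      "expires": "2025-12-31",
     "last_login": "2025-06-20", "enabled": True},   # nobody owns it
    {"system": "vpn", "user": "carol",   "owner": "sales",   "expires": "2025-06-01",
     "last_login": "2025-06-29", "enabled": True},   # past its expiration date
    {"system": "ad",  "user": "dave",    "owner": "hr",      "expires": "2025-12-31",
     "last_login": "2025-05-10", "enabled": False},  # already deactivated
]

# Constructed per-user baseline of normal workstations (the "location" signal in the control).
BASELINES: Dict[str, Set[str]] = {"alice": {"WS-FIN-01"}, "dave": {"WS-HR-02"}}

# Constructed authentication log lines: timestamp followed by key=value pairs.
LOGIN_EVENTS = [
    "2025-07-01T08:55:00 user=alice host=WS-FIN-01 result=success",
    "2025-07-01T02:13:00 user=alice host=WS-FIN-01 result=success",   # 02:13 is outside hours
    "2025-07-01T09:10:00 user=dave host=WS-HR-02 result=failure",     # deactivated account
    "2025-07-01T09:30:00 user=alice host=WS-SAL-09 result=success",   # unfamiliar workstation
]

NOW = datetime(2025, 7, 1, 9, 0, 0)


def review_accounts(accounts: List[dict], now: datetime = NOW,
                    dormancy_days: int = DORMANCY_DAYS) -> List[Tuple[str, str, str]]:
    """Disable accounts that break the lifecycle rules; return (system, user, reason) per action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reason = None
        if acct["owner"] is None:
            reason = "no business owner"
        elif datetime.fromisoformat(acct["expires"]) < now:
            reason = "expired"
        elif (now - datetime.fromisoformat(acct["last_login"])).days > dormancy_days:
            reason = "dormant"
        if reason is not None:
            acct["enabled"] = False            # disable, do not delete: preserves the audit trail
            findings.append((acct["system"], acct["user"], reason))
    return findings


def parse_event(line: str) -> Dict[str, Any]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'time' field."""
    timestamp, *pairs = line.split()
    event: Dict[str, Any] = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def detect_login_anomalies(events: Iterable[str], disabled_users: Set[str],
                           baselines: Dict[str, Set[str]] = BASELINES,
                           work_hours: range = WORK_HOURS) -> List[Tuple[str, str]]:
    """Return (user, alert) pairs for deactivated-account use and deviations from baseline."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        user, host, when = ev["user"], ev["host"], ev["time"]
        if user in disabled_users:
            alerts.append((user, "attempt against deactivated account"))
            continue
        if when.hour not in work_hours:
            alerts.append((user, "login outside normal hours"))
        if user in baselines and host not in baselines[user]:
            alerts.append((user, "login from unusual workstation"))
    return alerts


if __name__ == "__main__":
    inventory = [dict(a) for a in ACCOUNTS]
    for finding in review_accounts(inventory):
        print("disabled", finding)
    disabled = {a["user"] for a in inventory if not a["enabled"]}
    for alert in detect_login_anomalies(LOGIN_EVENTS, disabled):
        print("alert", alert)
```

The review step feeds the detection step: the set of accounts it disables is exactly the set whose later use must raise an alert, which is why the control prefers disabling over deleting.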
ess and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, usin
baseline education roadmap.
Deliver training to address the skills gap identified to positively impact workforce members' security behavior.
Create a security awareness program for all workforce members to complete on a regular basis to ensure they u
necessary behaviors and skills to help ensure the security of the organization. The organization's security aware
communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at least annually) to address n
standards and business requirements.
Train workforce members on the importance of enabling and utilizing secure authentication.

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scam

Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile de
person due to autocomplete in email.
Train employees to be able to identify the most common indicators of an incident and be able to report such an in

Establish secure coding practices appropriate to the programming language and development environment being
For in-house developed software, ensure that explicit error checking is performed and documented for all input, i
and acceptable ranges or formats.
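The in-house software control above asks for explicit, documented error checking of all input. This added example, not code from the matrix or from any of the mapped frameworks, shows one way to satisfy it: a schema that states the type, size limit, range, format or allowed values for every field of a hypothetical payment-request message (the message format and its limits are constructed for the example), a validator that reports every failed check rather than only the first, and rejection of fields the schema does not know.

```python
import re
from typing import Any, Dict, List

# Hypothetical message format constructed for this example: a payment request handled by an
# in-house service. Every rule is explicit about type, size, range or format, so the checks are
# documented in one place instead of being scattered through the business logic.
SCHEMA = {
    "account_id":   {"type": str, "pattern": re.compile(r"[A-Z]{2}[0-9]{8}")},
    "amount_cents": {"type": int, "min": 1, "max": 10_000_000},
    "currency":     {"type": str, "choices": {"EUR", "USD", "GBP"}},
    "memo":         {"type": str, "max_len": 140},
}


class ValidationError(ValueError):
    """Raised with the full list of failed checks so callers can log every problem at once."""
    def __init__(self, errors: List[str]):
        super().__init__("; ".join(errors))
        self.errors = errors


def validate_payment(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the payload containing only the schema fields, or raise ValidationError."""
    errors: List[str] = []
    unexpected = sorted(set(payload) - set(SCHEMA))
    if unexpected:
        errors.append(f"unexpected fields: {unexpected}")
    for field, rule in SCHEMA.items():
        if field not in payload:
            errors.append(f"{field}: missing")
            continue
        value = payload[field]
        # bool is a subclass of int in Python, so reject it explicitly for numeric fields
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{field}: longer than {rule['max_len']} characters")
        # fullmatch (not match/search) so a trailing newline or suffix cannot slip past the format
        if "pattern" in rule and rule["pattern"].fullmatch(value) is None:
            errors.append(f"{field}: does not match required format")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{field}: above maximum {rule['max']}")
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"{field}: not one of {sorted(rule['choices'])}")
    if errors:
        raise ValidationError(errors)
    return {field: payload[field] for field in SCHEMA}


if __name__ == "__main__":
    good = {"account_id": "GB12345678", "amount_cents": 2500, "currency": "EUR", "memo": "invoice 42"}
    print(validate_payment(good))
    bad = {"account_id": "gb12345678", "amount_cents": "2500", "currency": "XYZ",
           "memo": "x" * 200, "debug": True}
    try:
        validate_payment(bad)
    except ValidationError as exc:
        for err in exc.errors:
            print("rejected:", err)
```

Returning a fresh dictionary built only from schema fields, rather than the caller's object, is deliberate: downstream code cannot accidentally act on a field that was never validated.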

Verify that the version of all software acquired from outside your organization is still supported by the developer o
based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.

Use only standardized and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their specific developm
responsibilities.

Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally d
Establish a process to accept and address reports of software vulnerabilities, including providing a means for ext
security group.

Maintain separate environments for production and nonproduction systems. Developers should not have unmoni
environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web a
application attacks. For applications that are not web-based, specific application firewalls should be deployed if s
given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable
analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
For applications that rely on a database, use standard hardening configuration templates. All systems that are pa
processes should also be tested.

Ensure that there are written incident response plans that define roles of personnel as well as phases of inciden
Assign job titles and duties for handling computer and network incidents to specific individuals and ensure trackin
throughout the incident through resolution.
Designate management personnel, as well as backups, who will support the incident handling process by acting

Devise organization-wide standards for the time required for system administrators and other workforce member
to the incident handling team, the mechanisms for such reporting, and the kind of information that should be inclu
notification.
Assemble and maintain information on third-party contact information to be used to report a security incident, suc
relevant government departments, vendors, and ISAC partners.

Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incid
information should be included in routine employee awareness activities.

Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident res
and comfort in responding to real-world threats. Exercises should test communication channels, decision making
technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize
status updates and escalation procedures.
eam Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-ba
attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be u
systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond
Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, i
configuration files, older penetration test reports, e-mails or documents containing passwords or other informatio

Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks aga
typically tested in production, such as attacks against supervisory control and data acquisition and other control s
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessm
starting point to guide and focus penetration testing efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e
method for determining the results of Red Team exercises so that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and monitored to make su
legitimate purposes, and are removed or restored to normal function after testing is over.
