ccb-cff-2023-03-01.yaml

urn: urn:intuitem:risk:library:ccb-cff-2023-03-01
locale: en
ref_id: CCB-CFF-2023-03-01
name: CCB CyberFundamentals Framework
description: 'Centre For Cybersecurity Belgium - CyberFundamentals Framework

  https://ccb.belgium.be'
copyright: All texts, layouts, designs and other elements of any nature in this document
  are subject to copyright law.
version: 4
provider: CCB
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:ccb-cff-2023-03-01
    ref_id: CCB-CFF-2023-03-01
    name: CCB CyberFundamentals Framework
    description: Centre For Cybersecurity Belgium - CyberFundamentals Framework
    min_score: 1
    max_score: 5
    scores_definition:
    - score: 1
      name: Initial
      description: 'No Process documentation or not formally approved by management.

        Standard process does not exist.'
    - score: 2
      name: Repeatable
      description: 'Formally approved Process documentation exists but not reviewed
        in the previous 2 years.

        Ad-hoc process exists and is done informally.'
    - score: 3
      name: Defined
      description: 'Formally approved Process documentation exists, and exceptions
        are documented and approved. Documented & approved exceptions < 5% of the
        time.

        Formal process exists and is implemented. Evidence available for most activities.
        Less than 10% process exceptions.'
    - score: 4
      name: Managed
      description: 'Formally approved Process documentation exists, and exceptions
        are documented and approved. Documented & approved exceptions < 3% of the
        time.

        Formal process exists and is implemented. Evidence available for all activities.
        Detailed metrics of the process are captured and reported.

        Minimal target for metrics has been established. Less than 5% of process exceptions.'
    - score: 5
      name: Optimizing
      description: 'Formally approved Process documentation exists, and exceptions
        are documented and approved. Documented & approved exceptions < 0,5% of the
        time.

        Formal process exists and is implemented. Evidence available for all activities.
        Detailed metrics of the process are captured and reported.

        Minimal target for metrics has been established and continually improving.
        Less than 1% of process exceptions.'
    implementation_groups_definition:
    - ref_id: B
      name: basic
      description: null
    - ref_id: I
      name: important
      description: null
    - ref_id: E
      name: essential
      description: null
    - ref_id: BK
      name: basic - key measures
      description: null
    - ref_id: IK
      name: important - key measures
      description: null
    - ref_id: EK
      name: essential - key measures
      description: null
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      assessable: false
      depth: 1
      ref_id: ID
      name: IDENTIFY (ID)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.AM
      name: Asset Management
      description: "The data, personnel, devices, systems, and facilities that enable\
        \ the organization to achieve business purposes are identified and managed\
        \ consistent with their relative importance to organizational objectives and\
        \ the organization\u2019s risk strategy."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-1
      description: Physical devices and systems within the organization are inventoried
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: BASIC_ID.AM-1.1
      description: An inventory of assets associated with information and information
        processing facilities within the organization shall be documented, reviewed,
        and updated when changes occur.
      annotation: "\u2022\tThis inventory includes fixed and portable computers, tablets,\
        \ mobile phones, Programmable Logic Controllers (PLCs), sensors, actuators,\
        \ robots, machine tools, firmware, network switches, routers, power supplies,\
        \ and other networked components or devices. \n\u2022\tThis inventory must\
        \ include all assets, whether or not they are connected to the organization's\
        \ network.\n\u2022\tThe use of an IT asset management tool could be considered."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: IMPORTANT_ID.AM-1.2
      description: "The inventory of assets associated with information and information\
        \ processing facilities shall reflect changes in the  organization\u2019s\
        \ context and include all information necessary for effective accountability."
      annotation: "\u2022\tInventory specifications include for example, manufacturer,\
        \ device type, model, serial number, machine names and network addresses,\
        \ physical location\u2026\n\u2022\tAccountability is the obligation to explain,\
        \ justify, and take responsibility for one's actions, it implies answerability\
        \ for the outcome of the task or process.\n\u2022\tChanges include the decommissioning\
        \ of material."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: IMPORTANT_ID.AM-1.3
      description: When unauthorized hardware is detected, it shall be quarantined
        for possible exception handling, removed, or replaced, and the inventory shall
        be updated accordingly.
      annotation: "\u2022\tAny unsupported hardware without an exception documentation,\
        \ is designated as unauthorized.\n\u2022\tUnauthorized hardware can be detected\
        \ during inventory, requests for support by the user or other means."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: ID.AM-1.4
      description: Mechanisms for detecting the presence of unauthorized hardware
        and firmware components within the organization's network shall be identified.
      annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\
        \u2022\tThere should be a process to address unauthorized assets on a frequently\
        \  basis; The organization may choose to remove the asset from the network,\
        \ deny the asset from connecting remotely to the network, or quarantine the\
        \ asset."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-2
      description: Software platforms and applications within the organization are
        inventoried
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: BASIC_ID.AM-2.1
      description: An inventory that reflects what software platforms and applications
        are being used in the organization shall be documented, reviewed, and updated
        when changes occur.
      annotation: "\u2022\tThis inventory includes software programs, software platforms\
        \ and databases, even if outsourced (SaaS).\n\u2022\tOutsourcing arrangements\
        \ should be part of the contractual agreements with the provider.\n\u2022\t\
        Information in the inventory should include for example: name, description,\
        \ version, number of users, data processed, etc.\n\u2022\tA distinction should\
        \ be made between unsupported software and unauthorized software.\n\u2022\t\
        The use of an IT asset management tool could be considered."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: IMPORTANT_ID.AM-2.2
      description: "The inventory of software platforms and applications  associated\
        \ with information and information processing shall reflect changes in the\
        \  organization\u2019s context and include all information necessary for effective\
        \ accountability."
      annotation: The inventory of software platforms and applications should include
        the title, publisher, initial install/use date, and business purpose for each
        entry; where appropriate, include the Uniform Resource Locator (URL), app
        store(s), version(s), deployment mechanism, and decommission date.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: IMPORTANT_ID.AM-2.3
      description: Individuals who are responsible and who are accountable for administering
        software platforms and applications within the organization shall be identified.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: IMPORTANT_ID.AM-2.4
      description: When unauthorized software is detected, it shall be quarantined
        for possible exception handling, removed, or replaced, and the inventory shall
        be updated accordingly.
      annotation: "\u2022\tAny unsupported software without an exception documentation,\
        \ is designated as unauthorized.\n\u2022\tUnauthorized software can be detected\
        \ during inventory, requests for support by the user or other means."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: ID.AM-2.5
      description: "Mechanisms for detecting the presence of unauthorized software\
        \ within the organization\u2019s ICT/OT environment shall be identified. "
      annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\
        \u2022\tThere should be a process to regularly address unauthorised assets;\
        \ The organization may choose to remove the asset from the network, deny the\
        \ asset from connecting remotely to the network, or quarantine the asset."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-3
      description: Organizational communication and data flows are mapped
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      ref_id: BASIC_ID.AM-3.1
      description: Information that the organization stores and uses shall be identified.
      annotation: "\u2022\tStart by listing all the types of information your business\
        \ stores or uses. Define \u201Cinformation type\u201D in any useful way that\
        \ makes sense to your business. You may want to have your employees make a\
        \ list of all the information they use in their regular activities. List everything\
        \ you can think of, but you do not need to be too specific. For example, you\
        \ may keep customer names and email addresses, receipts for raw material,\
        \ your banking information, or other proprietary information.\n\u2022\tConsider\
        \ mapping this information with the associated assets identified in the inventories\
        \ of physical devices, systems, software platforms and applications used within\
        \ the organization (see ID.AM-1 & ID.AM-2)."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      ref_id: IMPORTANT_ID.AM-3.2
      description: All connections within the organization's ICT/OT environment, and
        to other organization-internal platforms shall be mapped, documented, approved,
        and updated as appropriate.
      annotation: "\u2022\tConnection information includes, for example, the interface\
        \ characteristics, data characteristics, ports, protocols, addresses, description\
        \ of the data, security requirements, and the nature of the connection.\n\u2022\
        \tConfiguration management can be used as supporting asset.\n\u2022\tThis\
        \ documentation should not be stored only on the network it represents.\n\u2022\
        \tConsider keeping a copy of this documentation in a safe offline environment\
        \ (e.g. offline hard disk, paper hardcopy, \u2026)"
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      ref_id: ID.AM-3.3
      description: "The information flows/data flows within the organization\u2019\
        s ICT/OT environment, as well as to other organization-internal systems shall\
        \ be mapped, documented, authorized, and updated when changes occur."
      annotation: "\u2022\tWith knowledge of the information/data flows within a system\
        \ and between systems, it is possible to determine where information can and\
        \ cannot go.\n\u2022\tConsider:\no\tEnforcing controls restricting connections\
        \ to only authorized interfaces.\no\tHeightening system monitoring activity\
        \ whenever there is an indication of increased risk to organization's critical\
        \ operations and assets.\no\tProtecting the system from information leakage\
        \ due to electromagnetic signals emanations."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-4
      description: External information systems are catalogued
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4
      ref_id: IMPORTANT_ID.AM-4.1
      description: The organization shall map, document, authorize and when changes
        occur, update, all external services and the connections made with them.
      annotation: "\u2022\tOutsourcing of systems, software platforms and applications\
        \ used within the organization is covered in ID.AM-1 & ID.AM-2\n\u2022\tExternal\
        \ information systems are systems or components of systems for which organizations\
        \ typically have no direct supervision and authority over the application\
        \ of security requirements and controls, or the determination of the effectiveness\
        \ of implemented controls on those systems i.e., services that are run in\
        \ cloud, SaaS, hosting or other external environments, API (Application Programming\
        \ Interface)\u2026\n\u2022\tMapping external services and the connections\
        \ made to them and authorizing them in advance avoids wasting unnecessary\
        \ resources investigating a supposedly non-authenticated connection to external\
        \ systems."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4
      ref_id: ID.AM-4.2
      description: The flow of information to/from external systems shall be mapped,
        documented, authorized, and update when changes occur.
      annotation: Consider requiring external service providers to identify and document
        the functions, ports, protocols, and services necessary for the connection
        services.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-5
      description: 'Resources (e.g., hardware, devices, data, time, personnel, and
        software) are prioritized based on their classification, criticality, and
        business value '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5
      ref_id: BASIC_ID.AM-5.1
      description: "The organization\u2019s resources (hardware, devices, data, time,\
        \ personnel, information, and software) shall be prioritized based on their\
        \ classification, criticality, and business value."
      annotation: "\u2022\tDetermine organization\u2019s resources (e.g., hardware,\
        \ devices, data, time, personnel, information, and software):\no\tWhat would\
        \ happen to my business if these resources were made public, damaged, lost\u2026\
        ?\no\tWhat would happen to my business when the integrity of resources is\
        \ no longer guaranteed?\no\tWhat would happen to my business if I/my customers\
        \ couldn\u2019t access these resources? And rank these resources based on\
        \ their classification, criticality, and business value.\n\u2022\tResources\
        \ should include enterprise assets. \u2022\tCreate a classification for sensitive\
        \ information by first determining categories, e.g.\no\tPublic - freely accessible\
        \ to all, even externally\no\tInternal - accessible only to members of your\
        \ organization\no\tConfidential - accessible only to those whose duties require\
        \ access.\n\u2022\tCommunicate these categories and identify what types of\
        \ data fall into these categories (HR data, financial data, legal data, personal\
        \ data, etc.).\n\u2022\tConsider the use of the Traffic Light Protocol (TLP).\n\
        \u2022\tData classification should apply to the three aspects: C-I-A. Consider\
        \ implementing an automated tool, such as a host-based Data Loss Prevention\
        \ (DLP) tool to identify all sensitive data stored, processed, or transmitted\
        \ through enterprise assets, including those located onsite or at a remote\
        \ service provider."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-6
      description: Cybersecurity roles, responsibilities, and authorities for the
        entire workforce and third-party stakeholders are established
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6
      ref_id: IMPORTANT_ID.AM-6.1
      description: '[KEY MEASURE] Information security and cybersecurity roles, responsibilities
        and authorities within the organization shall be documented, reviewed, authorized,
        and updated and alignment with organization-internal roles and external partners.'
      annotation: "It should be considered to:\n\u2022\tDescribe security roles, responsibilities,\
        \ and authorities: who in your organization should be consulted, informed,\
        \ and held accountable for all or part of your assets.\n\u2022\tProvide security\
        \ roles, responsibilities, and authority for all key functions in information/cyber\
        \ security (legal, detection activities\u2026).\n\u2022\tInclude information/cybersecurity\
        \ roles and responsibilities for third-party providers (e.g., suppliers, customers,\
        \ partners) with physical or logical access to the organization\u2019s ICT/OT\
        \ environment."
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6
      ref_id: ID.AM-6.2
      description: The organization shall appoint an information security officer.
      annotation: The information security officer should be responsible for monitoring
        the implementation of the organization's information/cyber security strategy
        and safeguards.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.BE
      name: Business Environment
      description: "The organization\u2019s mission, objectives, stakeholders, and\
        \ activities are understood and prioritized; this information is used to inform\
        \ cybersecurity roles, responsibilities, and risk management decisions."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-1
      description: "The organization\u2019s role in the supply chain is identified\
        \ and communicated"
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1
      ref_id: IMPORTANT_ID.BE-1.1
      description: "The organization\u2019s role in the supply chain shall be identified,\
        \ documented, and communicated. "
      annotation: "\u2022\tThe organisation should be able to clearly identify who\
        \ is upstream and downstream of the organisation and which suppliers provide\
        \ services, capabilities, products and items to the organisation.\n\u2022\t\
        The organisation should communicate its position to its upstream and downstream\
        \ so that it is understood where they sit in terms of critical importance\
        \ to the organisation's operations."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1
      ref_id: ID.BE-1.2
      description: The organization shall protect its ICT/OT environment from supply
        chain threats by applying security safeguards as part of a documented comprehensive
        security strategy.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-2
      description: "The organization\u2019s place in critical infrastructure and its\
        \ industry sector is identified and communicated"
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2
      ref_id: IMPORTANT_ID.BE-2.1
      description: "The organization\u2019s place in critical infrastructure and its\
        \ industry sector shall be identified and communicated."
      annotation: The organisation covered by NIS legislation has a responsibility
        to know the other organisations in the same sector in order to work with them
        to achieve the objectives set by NIS for that particular sector.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-3
      description: Priorities for organizational mission, objectives, and activities
        are established and communicated
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3
      ref_id: IMPORTANT_ID.BE-3.1
      description: Priorities for organizational mission, objectives, and activities
        are established and communicated.
      annotation: Information protection needs should be determined, and the related
        processes revised as necessary.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-4
      description: Dependencies and critical functions for delivery of critical services
        are established
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4
      ref_id: IMPORTANT_ID.BE-4.1
      description: Dependencies and mission-critical functions for the delivery of
        critical services shall be identified, documented, and prioritized according
        to their criticality as part of the risk assessment process.
      annotation: Dependencies and business critical functions should include support
        services.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-5
      description: Resilience requirements to support delivery of critical services
        are established for all operating states (e.g. under duress/attack, during
        recovery, normal operations)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      ref_id: IMPORTANT_ID.BE-5.1
      description: To support cyber resilience and secure the delivery of critical
        services, the necessary requirements are identified, documented and their
        implementation tested and approved.
      annotation: "\u2022\tConsider implementing resiliency mechanisms to support\
        \ normal and adverse operational situations (e.g., failsafe, load balancing,\
        \ hot swap).\n\u2022\tConsider aspects of business continuity management in\
        \ e.g. Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business\
        \ Continuity Plan (BCP)."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      ref_id: ID.BE-5.2
      description: Information processing & supporting facilities shall implement
        redundancy to meet availability requirements, as defined by the organization
        and/or regulatory frameworks.
      annotation: "\u2022\tConsider provisioning adequate data and network redundancy\
        \ (e.g. redundant network devices, servers with load balancing, raid arrays,\
        \ backup services, 2 separate datacentres, fail-over network connections,\
        \ 2 ISP's\u2026).\n\u2022\tConsider protecting critical equipment/services\
        \ from power outages and other failures due to utility interruptions (e.g.\
        \ UPS & NO-break, frequent test, service contracts that include regular maintenance,\
        \ redundant power cabling, 2 different power service providers...)."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      ref_id: ID.BE-5.3
      description: Recovery time and recovery point objectives for the resumption
        of essential ICT/OT system processes shall be defined.
      annotation: "\u2022\tConsider applying the 3-2-1 back-up rule to improve RPO\
        \ and RTO (maintain at least 3 copies of your data, keep 2 of them at separate\
        \ locations and one copy should be stored at an off-site location).\n\u2022\
        \tConsider implementing mechanisms such as hot swap, load balancing and failsafe\
        \ to increase resilience."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.GV
      name: Governance
      description: "The policies, procedures, and processes to manage and monitor\
        \ the organization\u2019s regulatory, legal, risk, environmental, and operational\
        \ requirements are understood and inform the management of cybersecurity risk."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      ref_id: ID.GV-1
      description: Organizational cybersecurity policy is established and communicated
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1
      ref_id: BASIC_ID.GV-1.1
      description: Policies and procedures for information security and cyber security
        shall be created, documented, reviewed, approved, and updated when changes
        occur.
      annotation: "\u2022\tPolicies and procedures used to identify acceptable practices\
        \ and expectations for business operations, can be used to train new employees\
        \ on your information security expectations, and can aid an investigation\
        \ in case of an incident. These policies and procedures should be readily\
        \ accessible to employees.\n\u2022\tPolicies and procedures for information-\
        \ and cybersecurity should clearly describe your expectations for protecting\
        \ the organization\u2019s information and systems, and how management expects\
        \ the company\u2019s resources to be used and protected by all employees.\n\
        \u2022\tPolicies and procedures should be reviewed and updated at least annually\
        \ and every time there are changes in the organization or technology. Whenever\
        \ the policies are changed, employees should be made aware of the changes."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1
      ref_id: IMPORTANT_ID.GV-1.2
      description: An organization-wide information security and cybersecurity policy
        shall be established, documented, updated when changes occur, disseminated,
        and approved by senior management.
      annotation: "The policy should include, for example:\n\u2022\tThe identification\
        \ and assignment of roles, responsibilities, management commitment, coordination\
        \ among organizational entities, and compliance. Guidance on role profiles\
        \ along with their identified titles, missions, tasks, skills, knowledge,\
        \ competences is available in the \"European Cybersecurity Skills Framework\
        \ Role Profiles\" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles)\n\
        \u2022\tThe coordination among organizational entities responsible for the\
        \ different aspects of security (i.e., technical, physical, personnel, cyber-physical,\
        \ information, access control, media protection, vulnerability management,\
        \ maintenance, monitoring)\n\u2022\tThe coverage of the full life cycle of\
        \ the ICT/OT systems."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      ref_id: ID.GV-3
      description: Legal and regulatory requirements regarding cybersecurity, including
        privacy and civil liberties obligations, are understood and managed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3
      ref_id: BASIC_ID.GV-3.1
      description: Legal and regulatory requirements regarding information/cybersecurity,
        including privacy obligations, shall be understood and implemented.
      annotation: There are no additional guidelines.
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3
      ref_id: IMPORTANT_ID.GV-3.2
      description: Legal and regulatory requirements regarding information/cybersecurity,
        including privacy obligations, shall be managed.
      annotation: "\u2022\tThere should be regular reviews to ensure the continuous\
        \ compliance with legal and regulatory requirements regarding information/cybersecurity,\
        \ including privacy obligations.\n\u2022\tThis requirement also applies to\
        \ contractors and service providers."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      ref_id: ID.GV-4
      description: Governance and risk management processes address cybersecurity
        risks
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4
      ref_id: BASIC_ID.GV-4.1
      description: As part of the company's overall risk management, a comprehensive
        strategy to manage information security and cybersecurity risks shall be developed
        and updated when changes occur.
      annotation: This strategy should include determining and allocating the required
        resources to protect the organisation's business-critical assets.
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4
      ref_id: IMPORTANT_ID.GV-4.2
      description: "Information security and cybersecurity risks shall be documented,\
        \ formally approved, and updated when changes occur.\t"
      annotation: Consider using Risk Management tools.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.RA
      name: Risk Assessment
      description: The organization understands the cybersecurity risk to organizational
        operations (including mission, functions, image, or reputation), organizational
        assets, and individuals.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-1
      description: Asset vulnerabilities are identified and documented
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      ref_id: BASIC_ID.RA-1.1
      description: Threats and vulnerabilities shall be identified.
      annotation: "\u2022\tA vulnerability refers to a weakness in the organization\u2019\
        s hardware, software, or procedures. It is a gap through which a bad actor\
        \ can gain access to the organization\u2019s assets. A vulnerability exposes\
        \ an organization to threats.\n\u2022\tA threat is a malicious or negative\
        \ event that takes advantage of a vulnerability. \n\u2022\tThe risk is the\
        \ potential for loss and damage when the threat does occur."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      ref_id: IMPORTANT_ID.RA-1.2
      description: A process shall be established to monitor, identify, and document
        vulnerabilities of the organisation's business critical systems in a continuous
        manner.
      annotation: "\u2022\tWhere safe and feasible, the use of vulnerability scanning\
        \ should be considered.\n\u2022\tThe organization should establish and maintain\
        \ a testing program appropriate to its size, complexity, and maturity."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      ref_id: ID.RA-1.3
      description: "To ensure that organization's operations are not adversely impacted\
        \ by the testing process, performance/load testing and penetration testing\
        \ on the organization\u2019s systems shall be conducted with care."
      annotation: Consider validating security measures after each penetration test.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-2
      description: Cyber threat intelligence is received from information sharing
        forums and sources
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2
      ref_id: IMPORTANT_ID.RA-2.1
      description: ' A threat and vulnerability awareness program that includes a
        cross-organization information-sharing capability shall be implemented. '
      annotation: A threat and vulnerability awareness program should include ongoing
        contact with security groups and associations to receive security alerts and
        advisories. (Security groups and associations include, for example, special
        interest groups, forums, professional associations, news groups, and/or peer
        groups of security professionals in similar organizations).This contact can
        include the sharing of information about potential vulnerabilities and incidents.
        This sharing capability should have an unclassified and classified information
        sharing capability.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2
      ref_id: ID.RA-2.2
      description: It shall be identified where automated mechanisms can be implemented
        to make security alert and advisory information available to relevant organization
        stakeholders.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-5
      description: Threats, vulnerabilities, likelihoods, and impacts are used to
        determine risk
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      ref_id: BASIC_ID.RA-5.1
      description: The organization shall conduct risk assessments in which risk is
        determined by threats, vulnerabilities and impact on business processes and
        assets.
      annotation: "\u2022\tKeep in mind that threats exploit vulnerabilities.\n\u2022\
        \tIdentify the consequences that losses of confidentiality, integrity and\
        \ availability may have on the assets and related business processes."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      ref_id: IMPORTANT_ID.RA-5.2
      description: The organization shall conduct and  document risk assessments in
        which risk is determined by threats, vulnerabilities, impact on business processes
        and assets, and the likelihood of their occurrence.
      annotation: "\u2022\tRisk assessment should include threats from insiders and\
        \ external parties.\n\u2022\tQualitative and/or quantitative  risk analysis\
        \ methods \n(MAPGOOD, ISO27005, CIS RAM, \u2026) can be used together with\
        \ software tooling."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      ref_id: ID.RA-5.3
      description: Risk assessment results shall be disseminated to relevant stakeholders.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-6
      description: Risk responses are identified and prioritized
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6
      ref_id: IMPORTANT_ID.RA-6.1
      description: "A comprehensive strategy shall be developed and implemented to\
        \ manage risks to the organization\u2019s critical systems, that includes\
        \ the identification and prioritization of risk responses."
      annotation: "\u2022\tManagement and employees should be involved in information-\
        \ and cybersecurity.\n\u2022\tIt should be identified what the most important\
        \ assets are, and how they are protected.\n\u2022\tIt should be clear what\
        \ impact will be if these assets are compromised.\n\u2022\tIt should be established\
        \ how the implementation of adequate mitigation measures will be organized."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.RM
      name: Risk Management Strategy
      description: "The organization\u2019s priorities, constraints, risk tolerances,\
        \ and assumptions are established and used to support operational risk decisions."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      ref_id: ID.RM-1
      description: Risk management processes are established, managed, and agreed
        to by organizational stakeholders
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1
      ref_id: IMPORTANT_ID.RM-1.1
      description: A cyber risk management process that identifies key internal and
        external stakeholders and facilitates addressing risk-related issues and information
        shall be created, documented, reviewed, approved, and updated when changes
        occur.
      annotation: 'External stakeholders include  customers, investors and shareholders,
        suppliers, government agencies and the wider community. '
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      ref_id: ID.RM-2
      description: Organizational risk tolerance is determined and clearly expressed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2
      ref_id: IMPORTANT_ID.RM-2.1
      description: "The organization shall clearly determine it\u2019s risk appetite."
      annotation: Determination and expression of risk tolerance (risk appetite) should
        be in line with the policies on information security and cybersecurity, to
        facilitate demonstration of coherence between policies, risk tolerance and
        measures.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      ref_id: ID.RM-3
      description: "The organization\u2019s determination of risk tolerance is informed\
        \ by its role in critical infrastructure and sector specific risk analysis"
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3
      ref_id: IMPORTANT_ID.RM-3.1
      description: "The organization\u2019s role in critical infrastructure and its\
        \ sector shall determine the organization\u2019s risk appetite."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.SC
      name: Supply Chain Risk Management
      description: "The organization\u2019s priorities, constraints, risk tolerances,\
        \ and assumptions are established and used to support risk decisions associated\
        \ with managing supply chain risk. The organization has established and implemented\
        \ the processes to identify, assess and manage supply chain risks."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-1
      description: Cyber supply chain risk management processes are identified, established,
        assessed, managed, and agreed to by organizational stakeholders
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1
      ref_id: ID.SC-1.1
      description: The organization shall document, review, approve, update when changes
        occur, and implement a cyber supply chain risk management process that supports
        the identification, assessment, and mitigation of the risks associated with
        the distributed and interconnected nature of ICT/OT product and service supply
        chains.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-2
      description: 'Suppliers and third party partners of information systems, components,
        and services are identified, prioritized, and assessed using a cyber supply
        chain risk assessment process '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2
      ref_id: IMPORTANT_ID.SC-2.1
      description: "The organization shall conduct cyber supply chain risk assessments\
        \ at least annually or when a change to the organization\u2019s critical systems,\
        \ operational environment, or supply chain occurs; These assessments shall\
        \ be documented, and the results disseminated to relevant stakeholders including\
        \ those responsible for ICT/OT systems."
      annotation: This assessment should identify and prioritize potential negative
        impacts to the organization from the risks associated with the distributed
        and interconnected nature of ICT/OT product and service supply chains.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2
      ref_id: ID.SC-2.2
      description: "A documented list of all the organization\u2019s suppliers, vendors\
        \ and partners who may be involved in a major incident shall be established,\
        \ kept up-to-date and made available online and offline."
      annotation: This list should include suppliers, vendors and partners contact
        information and the services they provide, so they can be contacted for assistance
        in the event of an outage or service degradation.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-3
      description: "Contracts with suppliers and third-party partners are used to\
        \ implement appropriate measures designed to meet the objectives of an organization\u2019\
        s cybersecurity program and Cyber Supply Chain Risk Management Plan."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      ref_id: IMPORTANT_ID.SC-3.1
      description: Based on the results of the cyber supply chain risk assessment,
        a contractual framework for suppliers and external partners shall be established
        to address sharing of sensitive information and distributed and interconnected
        ICT/OT products and services.
      annotation: "\u2022\tEntities not subject to the NIS legislation should consider\
        \ business critical suppliers and third-party partners only.\n\u2022\tKeep\
        \ in mind that GDPR requirements need to be fulfilled when business information\
        \ contains personal data (applicable on all levels), i.e. security measures\
        \ need to be addressed in the contractual framework."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      ref_id: ID.SC-3.2
      description: "[KEY MEASURE] Contractual information security and cybersecurity\u2019\
        \ requirements for suppliers and third-party partners shall be implemented\
        \ to ensure a verifiable flaw remediation process, and to ensure the correction\
        \ of flaws identified during \u2018information security and cybersecurity\u2019\
        \ testing and evaluation."
      annotation: "\u2022\tInformation systems containing software (or firmware) affected\
        \ by recently announced software flaws (and potential vulnerabilities resulting\
        \ from those flaws) should be identified.\n\u2022\tNewly released security\
        \ relevant patches, service packs, and hot fixes should be installed, and\
        \ these  patches, service packs, and hot fixes are tested for effectiveness\
        \ and potential side effects on the organization\u2019s information systems\
        \ before installation. Flaws discovered during security assessments, continuous\
        \ monitoring, incident response activities, or information system error handling\
        \ are also addressed expeditiously. Flaw remediation should be incorporated\
        \ into configuration management as an emergency change."
      implementation_groups:
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      ref_id: ID.SC-3.3
      description: "[KEY MEASURE] The organization shall establish contractual requirements\
        \ permitting the organization to review the \u2018information security and\
        \ cybersecurity\u2019 programs implemented by suppliers and third-party partners."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-4
      description: Suppliers and third-party partners are routinely assessed using
        audits, test results, or other forms of evaluations to confirm they are meeting
        their contractual obligations.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4
      ref_id: IMPORTANT_ID.SC-4.1
      description: "The organization shall review assessments of suppliers\u2019 and\
        \ third-party partner\u2019s compliance with contractual obligations by routinely\
        \ reviewing audits, test results, and other evaluations."
      annotation: Entities not subject to the NIS legislation could limit themselves
        to business critical suppliers and third-party partners only.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4
      ref_id: ID.SC-4.2
      description: "The organization shall review assessments of suppliers\u2019 and\
        \ third-party partner\u2019s compliance with contractual obligations by routinely\
        \ reviewing third-party independent audits, test results, and other evaluations."
      annotation: The depth of the review should depend on the criticality of delivered
        products and services.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-5
      description: Response and recovery planning and testing are conducted with suppliers
        and third-party providers
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5
      ref_id: IMPORTANT_ID.SC-5.1
      description: The organization shall identify and document key personnel from
        suppliers and third-party partners to include them as stakeholders in response
        and recovery planning activities.
      annotation: Entities not subject to the NIS legislation could limit themselves
        to business critical suppliers and third-party partners only.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5
      ref_id: ID.SC-5.2
      description: The organization shall identify and document key personnel from
        suppliers and third-party partners to include them as stakeholders in testing
        and execution of the response and recovery plans.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      assessable: false
      depth: 1
      ref_id: PR
      name: PROTECT (PR)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.AC
      name: Identity Management, Authentication and Access Control
      description: Access to physical and logical assets and associated facilities
        is limited to authorized users, processes, and devices, and is managed consistent
        with the assessed risk of unauthorized access to authorized activities and
        transactions.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-1
      description: Identities and credentials are issued, managed, verified, revoked,
        and audited for authorized devices, users and processes
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: BASIC_PR.AC-1.1
      description: '[KEY MEASURE] Identities and credentials for authorized devices
        and users shall be managed.'
      annotation: "Identities and credentials for authorized devices and users could\
        \ be managed through a password policy. A password policy is a set of rules\
        \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\
        (Not limitative list and measures to be considered as appropriate)\n\u2022\
        \tChange all default passwords.\n\u2022\tEnsure that no one works with administrator\
        \ privileges for daily tasks.\n\u2022\tKeep a limited and updated list of\
        \ system administrator accounts.\n\u2022\tEnforce password rules, e.g. passwords\
        \ must be longer than a state-of-the-art number of characters with a combination\
        \ of character types and changed periodically or when there is any suspicion\
        \ of compromise.\n\u2022\tUse only individual accounts and never share passwords.\n\
        \u2022\tImmediately disable unused accounts\n\u2022\tRights and privileges\
        \ are managed by user groups."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: IMPORTANT_PR.AC-1.2
      description: Identities and credentials for authorized devices and users shall
        be managed, where feasible through automated mechanisms.
      annotation: "\u2022\tAutomated mechanisms can help to support the management\
        \ and auditing of information system credentials.\n\u2022\tConsider strong\
        \ user authentication, meaning an authentication based on the use of at least\
        \ two authentication factors from different categories of either knowledge\
        \ (something only the user knows), possession (something only the user possesses)\
        \ or inherence (something the user is) that are independent, in that the breach\
        \ of one does not compromise the reliability of the others, and is designed\
        \ in such a way to protect the confidentiality of the authentication data."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: PR.AC-1.3
      description: System credentials shall be deactivated after a specified period
        of inactivity unless it would compromise the safe operation of (critical)
        processes.
      annotation: "\u2022\tTo guarantee the safe operation, service accounts should\
        \ be used for running processes and services.\n\u2022\tConsider the use of\
        \ a formal access procedure for external parties."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: PR.AC-1.4
      description: "For transactions within the organization's critical systems, the\
        \ organization shall implement:\n\u2022\tmulti-factor end-user authentication\
        \ (MFA or \"strong authentication\").\n\u2022\tcertificate-based authentication\
        \ for system-to-system communications"
      annotation: Consider the use of SSO (Single Sign On) in combination with MFA
        for the organization's internal and external critical systems.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: PR.AC-1.5
      description: "The organization\u2019s critical systems shall be monitored for\
        \ atypical use of system credentials. Credentials associated with significant\
        \ risk shall be disabled."
      annotation: "\u2022\tConsider limiting the number of failed login attempts by\
        \ implementing automatic lockout.\n\u2022\tThe locked account won\u2019t be\
        \ accessible until it has been reset or the account lockout duration elapses."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-2
      description: Physical access to assets is managed and protected
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: BASIC_PR.AC-2.1
      description: Physical access to the facility, servers and network components
        shall be managed.
      annotation: "\u2022\tConsider to strictly manage keys to access the premises\
        \ and alarm codes. The following rules should be considered:\no\tAlways retrieve\
        \ an employee's keys or badges when they leave the company permanently.\n\
        o\tChange company alarm codes frequently.\no\tNever give keys or alarm codes\
        \ to external service providers (cleaning agents, etc.), unless it is possible\
        \ to trace these accesses and restrict them technically to given time slots.\n\
        \u2022\tConsider to not leaving internal network access outlets accessible\
        \ in public areas. These public places can be waiting rooms, corridors..."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: IMPORTANT_PR.AC-2.2
      description: The management of physical access shall include measures related
        to access in emergency situations.
      annotation: "\u2022\tPhysical access controls may include, for example: lists\
        \ of authorized individuals, identity credentials, escort requirements, guards,\
        \ fences, turnstiles, locks, monitoring of facility access, camera surveillance.\n\
        \u2022\tThe following measures should be considered:\no\tImplement a badge\
        \ system and create different security zones.\no\tLimit physical access to\
        \ servers and network components to authorized personnel.\no\tLog all access\
        \ to servers and network components.\n\u2022\tVisitor access records should\
        \ be maintained, reviewed and acted upon as required."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: PR.AC-2.3
      description: Physical access to critical zones shall be controlled in addition
        to the physical access to the facility.
      annotation: "E.g. production, R&D, organization\u2019s critical systems equipment\
        \ (server rooms\u2026)"
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: PR.AC-2.4
      description: 'Assets related to critical zones shall be physically protected. '
      annotation: "\u2022\tConsider protecting power equipment, power cabling, network\
        \ cabling, and network access interfaces from accidental damage, disruption,\
        \ and physical tampering.\n\u2022\tConsider implementing redundant and physically\
        \ separated power systems for organization\u2019s critical operations."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-3
      description: Remote access is managed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: BASIC_PR.AC-3.1
      description: The organisation's wireless access points shall be secured.
      annotation: "Consider the following when wireless networking is used:\n\u2022\
        \tChange the administrative password upon installation of a wireless access\
        \ points.\n\u2022\tSet the wireless access point so that it does not broadcast\
        \ its Service Set Identifier (SSID).\n\u2022\tSet your router to use at least\
        \ WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced\
        \ Encryption Standard (AES) for encryption.\n\u2022\tEnsure that wireless\
        \ internet access to customers is separated from your business network.\n\u2022\
        \tConnecting to unknown or unsecured / guest wireless access points, should\
        \ be avoided, and if unavoidable done through an encrypted virtual private\
        \ network (VPN) capability.\n\u2022\tManage all endpoint devices (fixed and\
        \ mobile) according to the organization's security policies."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: BASIC_PR.AC-3.2
      description: '[KEY MEASURE] The organization''s networks when accessed remotely
        shall be secured, including through multi-factor authentication (MFA).'
      annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email,
        remote desktop, and Virtual Private Network (VPNs).
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: IMPORTANT_PR.AC-3.3
      description: "[KEY MEASURE] Usage restrictions, connection requirements, implementation\
        \ guidance, and authorizations for remote access to the organization\u2019\
        s critical systems environment shall be identified, documented and implemented. "
      annotation: "Consider the following:\n\u2022\tRemote access methods include,\
        \ for example, wireless, broadband, Virtual Private Network (VPN) connections,\
        \ mobile device connections, and communications through external networks.\n\
        \u2022\tLogin credentials should be in line with company's user authentication\
        \ policies.\n\u2022\tRemote access for support activities or maintenance of\
        \ organizational assets should be approved, logged, and performed in a manner\
        \ that prevents unauthorized access.\n\u2022\tThe user should be made aware\
        \ of any remote connection to its device by a visual indication."
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: R.AC-3.4
      description: "Remote access to the organization\u2019s critical systems shall\
        \ be monitored and cryptographic mechanisms shall be implemented where determined\
        \ necessary."
      annotation: This should include that only authorized use of privileged functions
        from remote access is allowed.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: R.AC-3.5
      description: The security for connections with external systems shall be verified
        and framed by documented agreements.
      annotation: Access from pre-defined IP addresses could be considered.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-4
      description: Access permissions and authorizations are managed, incorporating
        the principles of least privilege and separation of duties
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.1
      description: "[KEY MEASURE] Access permissions for users to the organization\u2019\
        s systems shall be defined and managed."
      annotation: "The following should be considered:\n\u2022\tDraw up and review\
        \ regularly access lists per system (files, servers, software, databases,\
        \ etc.), possibly through analysis of the Active Directory in Windows-based\
        \ systems, with the objective of determining who needs what kind of access\
        \ (privileged or not), to what, to perform their duties in the organization.\n\
        \u2022\tSet up a separate account for each user (including any contractors\
        \ needing access) and require that strong, unique passwords be used for each\
        \ account.\n\u2022\tEnsure that all employees use computer accounts without\
        \ administrative privileges to perform typical work functions. This includes\
        \ separation of personal and admin accounts.\n\u2022\tFor guest accounts,\
        \ consider using the minimal privileges (e.g. internet access only) as required\
        \ for your business needs.\n\u2022\tPermission management should be documented\
        \ in a procedure and updated when appropriate.\n\u2022\tUse 'Single Sign On'\
        \ (SSO) when appropriate."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.2
      description: '[KEY MEASURE] It shall be identified who should have access to
        the organization''s business''s critical information and technology and the
        means to get access.'
      annotation: 'Means to get access may include: a key, password, code, or administrative
        privilege.'
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.3
      description: '[KEY MEASURE] Employee access to data and information shall be
        limited to the systems and specific information they need to do their jobs
        (the principle of Least Privilege).'
      annotation: "The principle of Least Privilege should be understood as the principle\
        \ that a security architecture should be designed so that each employee is\
        \ granted the minimum system resources and authorizations that the employee\
        \ needs to perform its function. Consider to:\n\u2022\tNot allow any employee\
        \ to have access to all the business\u2019s information.\n\u2022\tLimit the\
        \ number of Internet accesses and interconnections with partner networks to\
        \ the strict necessary to be able to centralize and homogenize the monitoring\
        \ of exchanges more easily.\n\u2022\tEnsure that when an employee leaves the\
        \ business, all access to the business\u2019s information or systems is blocked\
        \ instantly."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.4
      description: '[KEY MEASURE] Nobody shall have administrator privileges for daily
        tasks.'
      annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\
        \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\
        \ administration tasks.\n\u2022\tCreate unique local administrator passwords\
        \ and disable unused accounts.\n\u2022\tConsider prohibiting Internet browsing\
        \ from administrative accounts."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: IMPORTANT_PR.AC-4.5
      description: Where feasible, automated mechanisms shall be implemented to support
        the management of user accounts on the organisation's critical systems, including
        disabling, monitoring, reporting and deleting user accounts.
      annotation: Consider separately identifying each person with access to the organization's
        critical systems with a username to remove generic and anonymous accounts
        and access.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: IMPORTANT_PR.AC-4.6
      description: Separation of duties (SoD) shall be ensured in the management of
        access rights.
      annotation: "Separation of duties includes, for example:\n\u2022\tdividing operational\
        \ functions and system support functions among different roles.\n\u2022\t\
        conducting system support functions with different individuals.\n\u2022\t\
        not allow a single individual to both initiate and approve a transaction (financial\
        \ or otherwise).\n\u2022\tensuring that security personnel administering access\
        \ control functions do not also administer audit functions."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: IMPORTANT_PR.AC-4.7
      description: Priviliged users shall be managed and monitored.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: PR.AC-4.8
      description: Account usage restrictions for specific time periods and locations
        shall be taken into account in the organization's security access policy and
        applied accordingly.
      annotation: Specific restrictions can include, for example, restricting usage
        to certain days of the week, time of day, or specific durations of time.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: PR.AC-4.9
      description: Priviliged users shall be managed,  monitored and audited.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-5
      description: Network integrity is protected (e.g., network segregation, network
        segmentation)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: BASIC_PR.AC-5.1
      description: '[KEY MEASURE] Firewalls shall be installed and activated on all
        the organization''s networks.'
      annotation: "Consider the following:\n\u2022\tInstall and operate a firewall\
        \ between your internal network and the Internet. This may be a function of\
        \ a (wireless) access point/router, or it may be a function of a router provided\
        \ by the Internet Service Provider (ISP).\n\u2022\tEnsure there is antivirus\
        \ software installed on purchased firewall solutions and ensure that the administrator\u2019\
        s log-in and administrative password is changed upon installation and regularly\
        \ thereafter.\n\u2022\tInstall, use, and update a software firewall on each\
        \ computer system (including smart phones and other networked devices).\n\u2022\
        \tHave firewalls on each of your computers and networks even if you use a\
        \ cloud service provider or a virtual private network (VPN). Ensure that for\
        \ telework home network and systems have hardware and software firewalls installed,\
        \ operational, and regularly updated.\n\u2022\tConsider installing an Intrusion\
        \ Detection / Prevention System (IDPS). These devices analyze network traffic\
        \ at a more detailed level and can provide a greater level of protection."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: BASIC_PR.AC-5.2
      description: '[KEY MEASURE] Where appropriate, network integrity of the organization''s
        critical systems shall be protected by incorporating network segmentation
        and segregation.'
      annotation: "\u2022\tConsider creating different security zones in the network\
        \ (e.g. Basic network segmentation through VLAN\u2019s or other network access\
        \ control mechanisms) and control/monitor the traffic between these zones.\n\
        \u2022\tWhen the network is \"flat\", the compromise of a vital network component\
        \ can lead to the compromise of the entire network."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: IMPORTANT_PR.AC-5.3
      description: '[KEY MEASURE] Where appropriate, network integrity of the organization''s
        critical systems shall be protected by

        (1) Identifying, documenting, and controlling connections between system components.

        (2) Limiting external connections to the organization''s critical systems.'
      annotation: Boundary protection mechanisms include, for example, routers, gateways,
        unidirectional gateways, data diodes, and firewalls separating system components
        into logically separate networks or subnetworks.
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: IMPORTANT_PR.AC-5.4
      description: '[KEY MEASURE] The organization shall monitor and control connections
        and communications at the external boundary and at key internal boundaries
        within the organization''s critical systems by implementing boundary protection
        devices where appropriate. '
      annotation: "Consider implementing the following recommendations:\n\u2022\t\
        Separate your public WIFI network from your business network.\n\u2022\tProtect\
        \ your business WIFI with state-of-the-art encryption.\n\u2022\tImplement\
        \ a Network Access Control (NAC) solution.\n\u2022\tEncrypt connections to\
        \ your corporate network.\n\u2022\tDivide your network according to security\
        \ levels and apply firewall rules. Isolate your networks for server administration.\n\
        \u2022\tForce VPN on public networks.\n\u2022\tImplement a closed policy for\
        \ security gateways (deny all policy: only allow/open connections that have\
        \ been explicitly pre-authorized)."
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: PR.AC-5.5
      description: The organization shall implement, where feasible, authenticated
        proxy servers for defined communications traffic between the organization's
        critical systems and external networks.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: PR.AC-5.6
      description: The organization shall ensure that the organization's critical
        systems fail safely when a border protection device fails operationally.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-6
      description: Identities are proofed and bound to credentials and asserted in
        interactions
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6
      ref_id: IMPORTANT_PR.AC-6.1
      description: The organization shall implement documented procedures for verifying
        the identity of individuals before issuing credentials that provide access
        to organization's systems.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6
      ref_id: PR.AC-6.2
      description: The organization shall ensure the use of unique credentials bound
        to each verified user, device, and process interacting with the organization's
        critical systems; make sure that they are authenticated, and that the unique
        identifiers are captured when performing system interactions.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-7
      description: "Users, devices, and other assets are authenticated (e.g., single-factor,\
        \ multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019\
        \ security and privacy risks and other organizational risks)"
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7
      ref_id: IMPORTANT_PR.AC-7.1
      description: "[KEY MEASURE for ESSENTIAL] The organization shall perform a documented\
        \ risk assessment on organization's critical system transactions and authenticate\
        \ users, devices, and other assets (e.g., single-factor, multi-factor) commensurate\
        \ with the risk of the transaction (e.g., individuals\u2019 security and privacy\
        \ risks and other organizational risks)."
      annotation: Consider a security-by-design approach for new systems; For existing
        systems a separate risk assessment should be used.
      implementation_groups:
      - I
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.AT
      name: Awareness and Training
      description: "The organization\u2019s personnel and partners are provided cybersecurity\
        \ awareness education and are trained to perform their cybersecurity-related\
        \ duties and responsibilities consistent with related policies, procedures,\
        \ and agreements."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-1
      description: 'All users are informed and trained '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.at-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      ref_id: BASIC_PR.AT-1.1
      description: Employees shall be trained as appropriate.
      annotation: "\u2022\tEmployees include all users and managers of the ICT/OT\
        \ systems, and they should be trained immediately when hired and regularly\
        \ thereafter about the company\u2019s information security policies and what\
        \ they will be expected to do to protect company\u2019s business information\
        \ and technology.\n\u2022\tTraining should be continually updated and reinforced\
        \ by awareness campaigns."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      ref_id: IMPORTANT_PR.AT-1.2
      description: The organization shall incorporate insider threat recognition and
        reporting into security awareness training.
      annotation: "Consider to:\n\u2022\tCommunicate and discuss regularly to ensure\
        \ that everyone is aware of their responsibilities.\n\u2022\tDevelop an outreach\
        \ program by gathering in a document the messages you want to convey to your\
        \ staff (topics, audiences, objectives, etc.) and your communication rhythm\
        \ on a calendar (weekly, monthly, one-time, etc.). Communicate continuously\
        \ and in an engaging way, involving management, IT colleagues, the ICT service\
        \ provider and HR and Communication managers.\n\u2022\tCover topics such as:\
        \ recognition of fraud attempts, phishing, management of sensitive information,\
        \ incidents, etc. The goal is for all employees to understand ways to protect\
        \ company information.\n\u2022\tDiscuss with your management, your ICT colleagues,\
        \ or your ICT service provider some practice scenarios (e.g. what to do if\
        \ a virus alert is triggered, if a storm cuts off the power, if data is blocked,\
        \ if an account is hacked, etc.), determine what behaviours to adopt, document\
        \ and communicate them to all your staff. The central point of contact in\
        \ the event of an incident should be known to all.\n\u2022\tOrganize a simulation\
        \ of a scenario to test your knowledge. Consider performing the exercise for\
        \ example at least once a year."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      ref_id: PR.AT-1.3
      description: The organization shall implement an evaluation method to measure
        the effectiveness of the awareness trainings.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-2
      description: 'Privileged users understand their roles and responsibilities '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2
      ref_id: IMPORTANT_PR.AT-2.1
      description: Privileged users shall be qualified before privileges are granted,
        and these users shall be able to demonstrate the understanding of their roles,
        responsibilities, and authorities.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-3
      description: 'Third-party stakeholders (e.g., suppliers, customers, partners)
        understand their roles and responsibilities '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: IMPORTANT_PR.AT-3.1
      description: "The organization shall establish and enforce security requirements\
        \ for business-critical third-party providers and users.\t"
      annotation: "Enforcement should include that \u2018third party stakeholder\u2019\
        -users (e.g. suppliers, customers, partners) can demonstrate the understanding\
        \ of their roles and responsibilities."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: IMPORTANT_PR.AT-3.2
      description: "Third-party providers shall be required to notify any personnel\
        \ transfers, termination, or transition involving personnel with physical\
        \ or logical access to organization's business critical system's components.\t"
      annotation: Third-party providers include, for example, service providers, contractors,
        and other organizations providing system development, technology services,
        outsourced applications, or network and security management.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: IMPORTANT_PR.AT-3.3
      description: The organization shall monitor business critical service providers
        and users for security compliance.
      annotation: Third party audit results can be used as audit evidence.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: PR.AT-3.4
      description: The organization shall audit business-critical external service
        providers for security compliance.
      annotation: Third party audit results can be used as audit evidence.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-4
      description: 'Senior executives understand their roles and responsibilities '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4
      ref_id: IMPORTANT_PR.AT-4.1
      description: Senior executives shall demonstrate the understanding of their
        roles, responsibilities, and authorities.
      annotation: Guidance on role profiles along with their identified titles, missions,
        tasks, skills, knowledge, competences is available in the "European Cybersecurity
        Skills Framework Role Profiles" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles
        )
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-5
      description: 'Physical and cybersecurity personnel understand their roles and
        responsibilities '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5
      ref_id: IMPORTANT_PR.AT-5.1
      description: The organization shall ensure that personnel responsible for the
        physical protection and security of the organization's critical systems and
        facilities are qualified through training before privileges are granted, and
        that they understand their responsibilities.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.DS
      name: Data Security
      description: "Information and records (data) are managed consistent with the\
        \ organization\u2019s risk strategy to protect the confidentiality, integrity,\
        \ and availability of information."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-1
      description: Data-at-rest is protected
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1
      ref_id: PR.DS-1.1
      description: "The organization shall protect its critical system information\
        \ determined to be critical/ sensitive while at rest.\t"
      annotation: "\u2022\tConsider using encryption techniques for data storage,\
        \ data transmission or data transport (e.g., laptop, USB).\n\u2022\tConsider\
        \ encrypting end-user devices and removable media containing sensitive data\
        \ (e.g. hard disks, laptops, mobile device, USB storage devices, \u2026).\
        \ This could be done by e.g. Windows BitLocker\xAE, VeraCrypt,  Apple FileVault\xAE\
        , Linux\xAE dm-crypt,\u2026\n\u2022\tConsider encrypting sensitive data stored\
        \ in the cloud. The below measures should be considered:\n\u2022\tImplement\
        \ dedicated safeguards to prevent unauthorized access, distortion, or modification\
        \ of system data and audit records (e.g. restricted access rights, daily backups,\
        \ data encryption, firewall installation).\n\u2022\tEncrypt hard drives, external\
        \ media, stored files, configuration files and data stored in the cloud."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-2
      description: Data-in-transit is protected
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2
      ref_id: PR.DS-2.1
      description: The organization shall protect its critical system information
        determined to be critical when in transit.
      annotation: When the organization often sends sensitive documents or e-mails,
        it is recommended to encrypt those documents and/or e-mails with appropriate,
        supported, and authorized software tools. If you send sensitive documents
        or emails, you may want to consider encrypting those documents and/or emails
        with appropriate, supported, and authorized software tools.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-3
      description: Assets are formally managed throughout removal, transfers, and
        disposition
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ds-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: BASIC_PR.DS-3.1
      description: Assets and media shall be disposed of safely.
      annotation: "\u2022\tWhen eliminating tangible assets like business computers/laptops,\
        \ servers, hard drive(s) and other storage media (USB drives, paper\u2026\
        ), ensure that all   sensitive business or personal data are securely deleted\
        \ (i.e. electronically \u201Cwiped\u201D) before they are removed and then\
        \ physically destroyed (or re-commissioned). This is also known as \u201C\
        sanitization\u201D and thus related to the requirement and guidance in PR.IP-6.\n\
        \u2022\tConsider installing a remote-wiping application on company laptops,\
        \ tablets, cell phones, and other mobile devices."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: IMPORTANT_PR.DS-3.2
      description: The organization shall enforce accountability for all its business-critical
        assets throughout the system lifecycle, including removal, transfers, and
        disposition.
      annotation: "Accountability should include:\n\u2022\tThe authorization for business-critical\
        \ assets to enter and exit the facility.\n\u2022\tMonitoring and maintaining\
        \ documentation related to the movements of business-critical assets."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: IMPORTANT_PR.DS-3.3
      description: The organization shall ensure that the necessary measures are taken
        to deal with  loss, misuse, damage, or theft of assets.
      annotation: "This can be done by policies, processes & procedures (reporting),\
        \ technical & organizational means (encryption, Access Control (AC), Mobile\
        \ Device Management (MDM), monitoring, secure wipe, awareness, signed user\
        \ agreement, guidelines & manuals, backups, inventory update \u2026)."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: PR.DS-3.4
      description: The organization shall ensure that disposal actions are approved,
        tracked, documented, and verified.
      annotation: Disposal actions include media sanitization actions (See PR.IP-6)
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-4
      description: Adequate capacity to ensure availability is maintained
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      ref_id: IMPORTANT_PR.DS-4.1
      description: Capacity planning shall ensure adequate resources for organization's
        critical system information processing, networking, telecommunications, and
        data storage.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      ref_id: IMPORTANT_PR.DS-4.2
      description: Audit data from the organization's critical systems shall be moved
        to an alternative system.
      annotation: Be aware that log services can become a bottleneck and hinder the
        correct functioning of the source systems.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      ref_id: PR.DS-4.3
      description: "The organization\u2019s critical systems shall be protected against\
        \ denial-of-service attacks or at least the effect of such attacks will be\
        \ limited."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-5
      description: Protections against data leaks are implemented
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5
      ref_id: IMPORTANT_PR.DS-5.1
      description: '[KEY MEASURE] The organization shall take appropriate actions
        resulting in the monitoring of its critical systems at external borders and
        critical internal points when unauthorized access and activities, including
        data leakage, is detected.'
      annotation: "\u2022\tConsider implementing dedicated protection measures (restricted\
        \ access rights, daily backups, data encryption, installation of firewalls,\
        \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\
        \ configuration of the central directory (Active Directory in Windows environment),\
        \ with specific focus on the access to data of key persons in the company."
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-6
      description: Integrity checking mechanisms are used to verify software, firmware,
        and information integrity
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      ref_id: IMPORTANT_PR.DS-6.1
      description: The organization shall implement software, firmware, and information
        integrity checks to detect unauthorized changes to its critical system components
        during storage, transport, start-up and when determined necessary.
      annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity
        checks, cyclical redundancy checks, cryptographic hashes) and associated tools
        can automatically monitor the integrity of information systems and hosted
        applications.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      ref_id: PR.DS-6.2
      description: The organization shall implement automated tools where feasible
        to provide notification upon discovering discrepancies during integrity verification.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      ref_id: PR.DS-6.3
      description: The organization shall implement automatic response capability
        with pre-defined security safeguards when integrity violations are discovered.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-7
      description: The development and testing environment(s) are separate from the
        production environment
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7
      ref_id: PR.DS-7.1
      description: The development and test environment(s) shall be isolated from
        the production environment.
      annotation: "\u2022\tAny change one wants to make to the ICT/OT environment\
        \ should first be tested in an environment that is different and separate\
        \ from the production environment (operational environment) before that change\
        \ is effectively implemented . That way, the effect of those changes can be\
        \ analysed and adjustments can be made without disrupting operational activities.\n\
        \u2022\tConsider adding and testing cybersecurity features as early as during\
        \ development (secure development lifecycle  principles). \u2022\tAny change\
        \ one wants to make to the ICT/OT environment should first be tested in an\
        \ environment that is different and separate from the production environment\
        \ (operational environment) before that change is effectively implemented\
        \ . That way, the effect of those changes can be analysed and adjustments\
        \ can be made without disrupting operational activities.\n\u2022\tConsider\
        \ adding and testing cybersecurity features as early as during development\
        \ (secure development lifecycle  principles)."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-8
      description: Integrity checking mechanisms are used to verify hardware integrity
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8
      ref_id: PR.DS-8.1
      description: The organization shall implement hardware integrity checks to detect
        unauthorized tampering to its critical system's hardware.
      annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity
        checks, cyclical redundancy checks, cryptographic hashes) and associated tools
        can automatically monitor the integrity of information systems and hosted
        applications.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8
      ref_id: PR.DS-8.2
      description: The organization shall incorporate the detection of unauthorized
        tampering to its critical system's hardware into the organization incident
        response capability.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.IP
      name: Information Protection Processes and Procedures
      description: Security policies (that address purpose, scope, roles, responsibilities,
        management commitment, and coordination among organizational entities), processes,
        and procedures are maintained and used to manage protection of information
        systems and assets.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-1
      description: A baseline configuration of information technology/industrial control
        systems is created and maintained incorporating security principles (e.g.
        concept of least functionality)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1
      ref_id: IMPORTANT_PR.IP-1.1
      description: '[KEY MEASURE] The organization shall develop, document, and maintain
        a baseline configuration for the its business critical systems. '
      annotation: "\u2022\tThis control includes the concept of least functionality.\n\
        \u2022\tBaseline configurations include for example, information about organization's\
        \ business critical systems, current version numbers and patch information\
        \ on operating systems and applications, configuration settings/parameters,\
        \ network topology, and the logical placement of those components within the\
        \ system architecture.\n\u2022\tNetwork topology should include the nerve\
        \ points of the IT/OT environment (external connections, servers hosting data\
        \ and/or sensitive functions, DNS services security, etc.)."
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1
      ref_id: PR.IP-1.2
      description: The organization shall configure its business-critical systems
        to provide only essential capabilities; Therefore the baseline configuration
        shall be reviewed, and unnecessary capabilities disabled.
      annotation: "\u2022\tConfiguration of a system to provide only organization-defined\
        \ mission essential capabilities is known as the \u201Cconcept of least functionality\u201D\
        .\n\u2022\tCapabilities include functions, ports, protocols, software, and/or\
        \ services."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-2
      description: A System Development Life Cycle to manage systems is implemented
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2
      ref_id: IMPORTANT_PR.IP-2.1
      description: The system and application development life cycle shall include
        security considerations.
      annotation: "\u2022\tSystem and application development life cycle should include\
        \ the acquisition process of the organization's business critical systems\
        \ and its components.\n\u2022\tVulnerability awareness and prevention training\
        \ for (web application) developers, and advanced social engineering awareness\
        \ training for high-profile roles should be considered.\n\u2022\tWhen hosting\
        \ internet facing applications the implementation of a web application firewall\
        \ (WAF) should be considered."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2
      ref_id: PR.IP-2.2
      description: The development process for critical systems and system components
        shall cover the full design cycle and shall provide a description of the functional
        properties of security controls, and design and implementation information
        for security-relevant system interfaces.
      annotation: "The development cycle includes:\n\u2022\tAll development phases:\
        \ specification , design, development, implementation.\n\u2022\tConfiguration\
        \ management for planned and unplanned changes and change control during the\
        \ development.\n\u2022\tFlaw tracking & resolution.\n\u2022\tSecurity testing."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-3
      description: Configuration change control processes are in place
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3
      ref_id: IMPORTANT_PR.IP-3.1
      description: Changes shall be tested and validated before being implemented
        into operational systems.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3
      ref_id: PR.IP-3.2
      description: For planned changes to the organization's critical systems, a security
        impact analysis shall be performed in a separate test environment before implementation
        in an operational environment.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-4
      description: 'Backups of information are conducted, maintained, and tested '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: BASIC_PR.IP-4.1
      description: '[KEY MEASURE] Backups for organization''s business critical data
        shall be conducted and stored on a system different from the device on which
        the original data resides'
      annotation: "\u2022\tOrganization's business critical system's data includes\
        \ for example software, configurations and settings, documentation, system\
        \ configuration data including computer configuration backups, application\
        \ configuration backups, etc.\n\u2022\tConsider a regular backup and put it\
        \ offline periodically.\n\u2022\tRecovery time and recovery point objectives\
        \ should be considered.\n\u2022\tConsider not storing the organization's data\
        \ backup on the same network as the system on which the original data resides\
        \ and provide an offline copy. Among other things, this prevents file encryption\
        \ by hackers (risk of ransomware)."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: IMPORTANT_PR.IP-4.2
      description: The reliability and integrity of backups shall be verified and
        tested on regular basis.
      annotation: This should include regularly testing of the backup restore procedures.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: IMPORTANT_PR.IP-4.3
      description: A separate alternate storage site for system backups shall be operated
        and the same security safeguards as the primary storage location shall be
        employed.
      annotation: An offline backup of your data is ideally stored in a separate physical
        location from the original data source and where feasible offsite for extra
        protection and security.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: PR.IP-4.4
      description: Backup verification shall be coordinated with the functions in
        the organization that are responsible for related plans.
      annotation: "\u2022\tRelated plans include, for example, Business Continuity\
        \ Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications\
        \ Plans, Critical Infrastructure Plans, and Cyber Incident response plans.\n\
        \u2022\tRestoration of backup data during contingency plan testing should\
        \ be provided."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: PR.IP-4.5
      description: Critical system backup shall be separated from critical information
        backup.
      annotation: Seperation of critical system backup from critical information backup
        should lead to a shorter recovery time.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-5
      description: Policy and regulations regarding the physical operating environment
        for organizational assets are met
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5
      ref_id: IMPORTANT_PR.IP-5.1
      description: The organization shall define, implement, and enforce policy and
        procedures regarding emergency and safety systems, fire protection systems,
        and environment controls for its critical systems.
      annotation: "The below measures should be considered:\n\u2022\tProtect unattended\
        \ computer equipment with padlocks or a locker and key system.\n\u2022\tFire\
        \ suppression mechanisms should take the organization's critical system environment\
        \ into account (e.g., water sprinkler systems could be hazardous in specific\
        \ environments)."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5
      ref_id: PR.IP-5.2
      description: The organization shall implement fire detection devices that activate
        and notify key personnel automatically in the event of a fire.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-6
      description: Data is destroyed according to policy
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6
      ref_id: IMPORTANT_PR.IP-6.1
      description: The organization shall ensure that its critical system's data is
        destroyed according to policy.
      annotation: "\u2022\tDisposal actions include media sanitization actions (See\
        \ PR.DS-3)\n\u2022\tThere are two primary types of media in common use:\n\
        o\tHard copy media (physical representations of information)\no\tElectronic\
        \ or soft copy media (the bits and bytes contained in hard drives, random\
        \ access memory (RAM), read-only memory (ROM), disks, memory devices, phones,\
        \ mobile computing devices, networking equipment\u2026)"
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6
      ref_id: PR.IP-6.2
      description: Sanitation processes shall be documented and tested.
      annotation: "\u2022\tSanitation processes include procedures and equipment.\n\
        \u2022\tConsider applying non-destructive sanitization techniques to portable\
        \ storage devices.\n\u2022\tConsider sanitation procedures in proportion to\
        \ confidentiality requirements."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-7
      description: Protection processes are improved
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      ref_id: IMPORTANT_PR.IP-7.1
      description: The organization shall incorporate improvements derived from the
        monitoring, measurements, assessments, and lessons learned into protection
        process updates (continuous improvement).
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      ref_id: PR.IP-7.2
      description: The organization shall implement independent teams to assess the
        protection process(es).
      annotation: 'Independent teams, for example, may include internal or external
        impartial personnel.

        Impartiality implies that assessors are free from any perceived or actual
        conflicts of interest regarding the development, operation, or management
        of the organization''s critical system under assessment or to the determination
        of security control effectiveness.'
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      ref_id: PR.IP-7.3
      description: The organization shall ensure that the security plan for its critical
        systems facilitates the review, testing, and continual improvement of the
        security protection processes.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-8
      description: 'Effectiveness of protection technologies is shared '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      ref_id: IMPORTANT_PR.IP-8.1
      description: The organization shall collaborate and share information about
        its critical system's related security incidents and mitigation measures with
        designated partners.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      ref_id: IMPORTANT_PR.IP-8.2
      description: Communication of effectiveness of protection technologies shall
        be shared with appropriate parties.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      ref_id: IMPORTANT_PR.IP-8.3
      description: The organization shall implement, where feasible, automated mechanisms
        to assist in information collaboration.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-9
      description: Response plans (Incident Response and Business Continuity) and
        recovery plans (Incident Recovery and Disaster Recovery) are in place and
        managed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-9.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9
      ref_id: IMPORTANT_PR.IP-9.1
      description: Incident response plans (Incident Response and Business Continuity)
        and recovery plans (Incident Recovery and Disaster Recovery) shall be established,
        maintained, approved, and tested to determine the effectiveness of the plans,
        and the readiness to execute the plans.
      annotation: "\u2022\tThe incident response plan is the documentation of a predetermined\
        \ set of instructions or procedures to detect, respond to, and limit consequences\
        \ of a malicious cyber-attack.\n\u2022\tPlans should incorporate recovery\
        \ objectives, restoration priorities, metrics, contingency roles, personnel\
        \ assignments and contact information.\n\u2022\tMaintaining essential functions\
        \ despite system disruption, and the eventual restoration of the organization\u2019\
        s systems, should be addressed.\n\u2022\tConsider defining incident types,\
        \ resources and management support needed to effectively maintain and mature\
        \ the incident response and contingency capabilities."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9
      ref_id: PR.IP-9.2
      description: The organization shall coordinate the development and the testing
        of incident response plans and recovery plans with stakeholders responsible
        for related plans.
      annotation: Related plans include, for example, Business Continuity Plans, Disaster
        Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans,
        Critical Infrastructure Plans, Cyber incident response plans, and Occupant
        Emergency Plans.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-11
      description: Cybersecurity is included in human resources practices (e.g., deprovisioning,
        personnel screening)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-11.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11
      ref_id: BASIC_PR.IP-11.1
      description: "Personnel having access to the organization\u2019s most critical\
        \ information or technology shall be verified."
      annotation: "\u2022\tThe access to critical information or technology should\
        \ be considered when recruiting, during employment and at termination.\n\u2022\
        \tBackground verification checks should take into consideration applicable\
        \ laws, regulations, and ethics in proportion to the business requirements,\
        \ the classification of the information to be accessed and the perceived risks."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-11.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11
      ref_id: IMPORTANT_PR.IP-11.2
      description: Develop and maintain a human resource information/cyber security
        process that is applicable when recruiting, during employment and at termination
        of employment.
      annotation: "The human resource information/cyber security process should include\
        \ access to critical information or technology; background verification checks;\
        \ code of conduct; roles, authorities, and responsibilities\u2026"
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-12
      description: A vulnerability management plan is developed and implemented
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-12.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12
      ref_id: IMPORTANT_PR.IP-12.1
      description: The organization shall establish and maintain a documented process
        that allows continuous review of vulnerabilities and strategies to mitigate
        them.
      annotation: "\u2022\tConsider inventorying sources likely to report vulnerabilities\
        \ in the identified components and distribute updates (software publisher\
        \ websites, CERT website, ENISA website).\n\u2022\tThe organization should\
        \ identify where its critical system's vulnerabilities may be exposed to adversaries."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.MA
      name: Maintenance
      description: Maintenance and repairs of industrial control and information system
        components are performed consistent with policies and procedures.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma
      ref_id: PR.MA-1
      description: Maintenance and repair of organizational assets are performed and
        logged, with approved and controlled tools
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ma-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: BASIC_PR.MA-1.1
      description: '[KEY MEASURE] Patches and security updates for Operating Systems
        and critical system components shall be installed.'
      annotation: "The following should be considered:\n\u2022\tLimit yourself to\
        \ only install those applications (operating systems, firmware, or plugins\
        \ ) that you need to run your business and patch/update them regularly.\n\u2022\
        \tYou should only install a current and vendor-supported version of software\
        \ you choose to use. It may be useful to assign a day each month to check\
        \ for patches.\n\u2022\tThere are products which can scan your system and\
        \ notify you when there is an update for an application you have installed.\
        \ If you use one of these products, make sure it checks for updates for every\
        \ application you use.\n\u2022\tInstall patches and security updates in a\
        \ timely manner."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: IMPORTANT_PR.MA-1.2
      description: The organization shall plan, perform and document preventive maintenance
        and repairs on its critical system components according to approved processes
        and tools.
      annotation: 'Consider the below measures:

        (1) Perform security updates on all software in a timely manner.

        (2) Automate the update process and audit its effectiveness.

        (3) Introduce an internal patching culture on desktops, mobile devices, servers,
        network components, etc. to ensure updates are tracked.'
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: IMPORTANT_PR.MA-1.3
      description: The organization shall enforce approval requirements, control,
        and monitoring of maintenance tools for use on the its critical systems.
      annotation: Maintenance tools can include, for example, hardware/software diagnostic
        test equipment, hardware/software packet sniffers and laptops.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: IMPORTANT_PR.MA-1.4
      description: The organization shall verify security controls following hardware
        maintenance or repairs, and take action as appropriate.
      annotation: No additional guidance on this topic
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: PR.MA-1.5
      description: '[KEY MEASURE] The organization shall prevent the unauthorized
        removal of maintenance equipment containing organization''s critical system
        information.'
      annotation: This requirement maily focuses mainly on OT/ICS environments.
      implementation_groups:
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: PR.MA-1.6
      description: '[KEY MEASURE] Maintenance tools and portable storage devices shall
        be inspected when  brought into the facility and shall be protected by anti-malware
        solutions so that they are scanned for malicious code before they are used
        on organization''s systems. '
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: PR.MA-1.7
      description: '[KEY MEASURE] The organization shall verify security controls
        following hardware and software maintenance or repairs/patching and take action
        as appropriate.'
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma
      ref_id: PR.MA-2
      description: Remote maintenance of organizational assets is approved, logged,
        and performed in a manner that prevents unauthorized access
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      ref_id: IMPORTANT_PR.MA-2.1
      description: Remote maintenance shall only occur after prior approval, monitoring
        to avoid unauthorised access, and approval of the outcome of the maintenance
        activities as described in approved processes or procedures.
      annotation: No additional guidance on this topic
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      ref_id: IMPORTANT_PR.MA-2.2
      description: The organization shall make sure that strong authenticators, record
        keeping, and session termination for remote maintenance is implemented.
      annotation: No additional guidance on this topic
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      ref_id: PR.MA-2.3
      description: The organization shall require that diagnostic services pertaining
        to remote maintenance be performed from a system that implements a security
        capability comparable to the capability implemented on the equivalent organization's
        critical system.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.PT
      name: Protective Technology
      description: Technical security solutions are managed to ensure the security
        and resilience of systems and assets, consistent with related policies, procedures,
        and agreements.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-1
      description: Audit/log records are determined, documented, implemented, and
        reviewed in accordance with policy
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: BASIC_PR.PT-1.1
      description: '[KEY MEASURE]  Logs shall be maintained, documented, and reviewed.'
      annotation: "\u2022\tEnsure the activity logging functionality of protection\
        \ / detection hardware or software (e.g. firewalls, anti-virus) is enabled.\n\
        \u2022\tLogs should be backed up and saved for a predefined period.\n\u2022\
        \tThe logs should be reviewed for any unusual or unwanted trends, such as\
        \ a large use of social media websites or an unusual number of viruses consistently\
        \ found on a particular computer. These trends may indicate a more serious\
        \ problem or signal the need for stronger protections in a particular area."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: IMPORTANT_PR.PT-1.2
      description: 'The organization shall ensure that the log records include an
        authoritative time source or internal clock time stamp that are compared and
        synchronized  to an authoritative time source. '
      annotation: Authoritative time sources include for example, an internal Network
        Time Protocol (NTP) server, radio clock, atomic clock, GPS time source.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: PR.PT-1.3
      description: "The organization shall ensure that audit processing failures on\
        \ the organization's systems generate alerts and trigger defined responses.\t"
      annotation: The use of System Logging Protocol (Syslog) servers can be considered.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: PR.PT-1.4
      description: The organization shall enable authorized individuals to extend
        audit capabilities when required by events.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-2
      description: Removable media is protected and its use restricted according to
        policy
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      ref_id: IMPORTANT_PR.PT-2.1
      description: The usage restriction of portable storage devices shall be ensured
        through an appropriate documented policy and supporting safeguards.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      ref_id: IMPORTANT_PR.PT-2.2
      description: The organisation should technically prohibit the connection of
        removable media unless strictly necessary; in other instances, the execution
        of autoruns from such media should be disabled.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      ref_id: PR.PT-2.3
      description: '[KEY MEASURE] Portable storage devices containing system data
        shall be controlled and protected while in transit and in storage.'
      annotation: Protection and control should include the scanning of all portable
        storage devices for malicious code before they are used on organization's
        systems.
      implementation_groups:
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-3
      description: The principle of least functionality is incorporated by configuring
        systems to provide only essential capabilities
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      ref_id: IMPORTANT_PR.PT-3.1
      description: The organization shall configure the business critical systems
        to provide only essential capabilities.
      annotation: Consider applying the principle of least functionality to access
        systems and assets (see also PR.AC-4).
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      ref_id: PR.PT-3.2
      description: The organization shall disable defined functions, ports, protocols,
        and services within its critical systems that it deems unnecessary.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      ref_id: PR.PT-3.3
      description: The organization shall implement technical safeguards to enforce
        a deny-all, permit-by-exception policy to only allow the execution of authorized
        software programs.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-4
      description: Communications and control networks are protected
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      ref_id: BASIC_PR.PT-4.1
      description: Web and e-mail filters shall be installed and used.
      annotation: "\u2022\tE-mail filters should detect malicious e-mails, and filtering\
        \ should be configured based on the type of message attachments so that files\
        \ of the specified types are automatically processed (e.g. deleted).\n\u2022\
        \tWeb-filters should notify the user if a website may contain malware and\
        \ potentially preventing users from accessing that website."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      ref_id: PR.PT-4.2
      description: The organization shall control the information flows/data flows
        within its critical systems and between interconnected systems.
      annotation: "Consider the following:\n\u2022\tInformation flow may be supported,\
        \ for example, by labelling or colouring physical connectors as an aid to\
        \ manual hook-up.\n\u2022\tInspection of message content may enforce information\
        \ flow policy. For example, a message containing a command to an actuator\
        \ may not be permitted to flow between the control network and any other network.\n\
        \u2022\tPhysical addresses (e.g., a serial port) may be implicitly or explicitly\
        \ associated with labels or attributes (e.g., hardware I/O address). Manual\
        \ methods are typically static. Label or attribute policy mechanisms may be\
        \ implemented in hardware, firmware, and software that controls or has device\
        \ access, such as device drivers and communications controllers."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      ref_id: PR.PT-4.3
      description: The organization shall manage the interface for external communication
        services by establishing a traffic flow policy, protecting the confidentiality
        and integrity of the information being transmitted; This includes the review
        and documenting of each exception to the traffic flow policy.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      assessable: false
      depth: 1
      ref_id: DE
      name: DETECT (DE)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      ref_id: DE.AE
      name: Anomalies and Events
      description: Anomalous activity is detected and the potential impact of events
        is understood.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-1
      description: A baseline of network operations and expected data flows for users
        and systems is established and managed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1
      ref_id: DE.AE-1.1
      description: '[KEY MEASURE] The organization shall ensure that a baseline of
        network operations and expected data flows for its critical systems is developed,
        documented and maintained to track events.'
      annotation: "\u2022\tConsider enabling local logging on all your systems and\
        \ network devices and keep them for a certain period, for example up to 6\
        \ months.\n\u2022\tEnsure that your logs contain enough information (source,\
        \ date, user, timestamp, etc.) and that you have enough storage space for\
        \ their generation.\n\u2022\tConsider centralizing your logs.\n\u2022\tConsider\
        \ deploying a Security Information and Event Management tool (SIEM) that will\
        \ facilitate the correlation and analysis of your data."
      implementation_groups:
      - E
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-2
      description: Detected events are analyzed to understand attack targets and methods
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2
      ref_id: IMPORTANT_DE.AE-2.1
      description: The organization shall review and analyze detected events to understand
        attack targets and methods.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2
      ref_id: DE.AE-2.2
      description: 'The organization shall implement automated mechanisms where feasible
        to review and analyze detected events. '
      annotation: Consider to review your logs regularly to identify anomalies or
        abnormal events.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-3
      description: Event data are collected and correlated from multiple sources and
        sensors
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.ae-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      ref_id: BASIC_DE.AE-3.1
      description: "[KEY MEASURE] The activity logging functionality of protection\
        \ / detection hardware or software \n(e.g. firewalls, anti-virus) shall be\
        \ enabled, backed-up and reviewed."
      annotation: "\u2022\tLogs should be backed up and saved for a predefined period.\n\
        \u2022\tThe logs should be reviewed for any unusual or unwanted trends, such\
        \ as a large use of social media websites or an unusual number of viruses\
        \ consistently found on a particular computer. These trends may indicate a\
        \ more serious problem or signal the need for stronger protections in a particular\
        \ area."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      ref_id: IMPORTANT_DE.AE-3.2
      description: The organization shall ensure that event data is compiled and correlated
        across its critical systems using various sources such as event reports, audit
        monitoring, network monitoring, physical access monitoring, and user/administrator
        reports.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      ref_id: DE.AE-3.3
      description: The organization shall integrate analysis of events where feasible
        with the analysis of vulnerability scanning information; performance data;
        its critical system's monitoring, and facility monitoring to further enhance
        the ability to identify inappropriate or unusual activity.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-4
      description: Impact of events is determined
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4
      ref_id: DE.AE-4.1
      description: "Negative impacts to organization\u2019s operations, assets, and\
        \ individuals resulting from detected events shall be determined and correlated\
        \ with risk assessment outcomes."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-5
      description: Incident alert thresholds are established
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5
      ref_id: IMPORTANT_DE.AE-5.1
      description: The organization shall implement automated mechanisms and system
        generated alerts to support event detection and to assist in the identification
        of security alert thresholds.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5
      ref_id: IMPORTANT_DE.AE-5.2
      description: The organization shall define incident alert thresholds.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      ref_id: DE.CM
      name: Security Continuous Monitoring
      description: The information system and assets are monitored to identify cybersecurity
        events and verify the effectiveness of protective measures.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-1
      description: The network is monitored to detect potential cybersecurity events
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      ref_id: BASIC_DE.CM-1.1
      description: Firewalls shall be installed and  operated on the network boundaries
        and completed with firewall protection on the endpoints.
      annotation: "\u2022\tEndpoints include desktops, laptops, servers...\n\u2022\
        \tConsider, where feasible, including smart phones and other networked devices\
        \ when installing and operating firewalls.\n\u2022\tConsider limiting the\
        \ number of interconnection gateways to the Internet."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      ref_id: IMPORTANT_DE.CM-1.2
      description: '[KEY MEASURE] The organization shall monitor and identify unauthorized
        use of its business critical systems through the detection of unauthorized
        local connections, network connections and remote connections.'
      annotation: "\u2022\tMonitoring of network communications should happen at the\
        \ external boundary of the organization's business critical systems and at\
        \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\
        \ facing applications the implementation of a web application firewall (WAF)\
        \ should be considered."
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      ref_id: DE.CM-1.3
      description: "The organization shall conduct ongoing security status monitoring\
        \ of its network to detect defined information/cybersecurity events and indicators\
        \ of potential information/cybersecurity events.\t"
      annotation: "Security status monitoring should include:\n\u2022\tThe generation\
        \ of system alerts when indications of compromise or potential compromise\
        \ occur.\n\u2022\tDetection and reporting of atypical usage of organization's\
        \ critical systems.\n\u2022\tThe establishment of audit records for defined\
        \ information/cybersecurity events.\n\u2022\tBoosting system monitoring activity\
        \ whenever there is an indication of increased risk.\n\u2022\tPhysical environment,\
        \ personnel, and service provider."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-2
      description: The physical environment is monitored to detect potential cybersecurity
        events
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2
      ref_id: IMPORTANT_DE.CM-2.1
      description: The physical environment of the facility shall be monitored for
        potential information/cybersecurity events.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2
      ref_id: DE.CM-2.2
      description: The physical access to organization's critical systems and devices
        shall be, on top of the physical access monitoring to the facility, increased
        through physical intrusion alarms, surveillance equipment, independent surveillance
        teams.
      annotation: It is recommended to log all visitors.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-3
      description: Personnel activity is monitored to detect potential cybersecurity
        events
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      ref_id: BASIC_DE.CM-3.1
      description: End point and network protection tools to monitor end-user behavior
        for dangerous activity shall be implemented.
      annotation: Consider deploying an Intrusion Detection/Prevention system (IDS/IPS).
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      ref_id: IMPORTANT_DE.CM-3.2
      description: End point and network protection tools that monitor end-user behavior
        for dangerous activity shall be managed.
      annotation: Consider using a centralized log platform for the consolidation
        and exploitation of log files. Consider to actively investigate the alerts
        generated because of suspicious activities and take the appropriate actions
        to remediate the threat, e.g. through the deployment of a security operations
        centre (SOC).
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      ref_id: IMPORTANT_DE.CM-3.3
      description: Software usage and installation restrictions shall be enforced.
      annotation: Only authorized software should be used and user access rights should
        be limited to the specific data, resources and applications needed to complete
        a required task (least privilege principle).
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-4
      description: Malicious code is detected
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4
      ref_id: BASIC_DE.CM-4.1
      description: '[KEY MEASURE] Anti-virus, -spyware, and other -malware programs
        shall be installed and updated.'
      annotation: "\u2022\tMalware includes viruses, spyware, and ransomware and should\
        \ be countered by installing, using, and regularly updating anti-virus and\
        \ anti-spyware software on every device used in company\u2019s business (including\
        \ computers, smart phones, tablets, and servers).\n\u2022\tAnti-virus and\
        \ anti-spyware software should automatically check for updates in \u201Creal-time\u201D\
        \ or at least daily followed by system scanning as appropriate.\n\u2022\t\
        It should be considered to provide the same malicious code protection mechanisms\
        \ for home computers (e.g. teleworking) or personal devices that are used\
        \ for professional work (BYOD)."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4
      ref_id: DE.CM-4.2
      description: The organisation shall set up a system to detect false positives
        while detecting and eradicating malicious code.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-5
      description: Unauthorized mobile code is detected
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5
      ref_id: IMPORTANT_DE.CM-5.1
      description: The organization shall define acceptable and unacceptable mobile
        code and mobile code technologies; and authorize, monitor, and control the
        use of mobile code within the system.
      annotation: "\u2022\tMobile code includes any program, application, or content\
        \ that can be transmitted across a network (e.g., embedded in an email, document,\
        \ or website) and executed on a remote system. Mobile code technologies include\
        \  for example Java applets, JavaScript, HTML5, WebGL, and VBScript.\n\u2022\
        \tDecisions regarding the use of mobile code in organizational systems should\
        \ be based on the potential for the code to cause damage to the systems if\
        \ used maliciously. Usage restrictions and implementation guidance should\
        \ apply to the selection and use of mobile code installed."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-6
      description: External service provider activity is monitored to detect potential
        cybersecurity events
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6
      ref_id: IMPORTANT_DE.CM-6.1
      description: All external connections by vendors supporting IT/OT applications
        or infrastructure shall be secured and actively monitored to ensure that only
        permissible actions occur during the connection.
      annotation: This monitoring includes unauthorized personnel access, connections,
        devices, and software.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6
      ref_id: IMPORTANT_DE.CM-6.2
      description: External service providers' conformance with personnel security
        policies and procedures and contract security requirements shall be monitored
        relative to their cybersecurity risks.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-7
      description: Monitoring for unauthorized personnel, connections, devices, and
        software is performed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7
      ref_id: IMPORTANT_DE.CM-7.1
      description: The organization's business critical systems shall be monitored
        for unauthorized personnel access, connections, devices, access points, and
        software.
      annotation: "\u2022\tUnauthorized personnel access includes access by external\
        \ service providers.\n\u2022\tSystem inventory discrepancies should be included\
        \ in the monitoring.\n\u2022\tUnauthorized configuration changes to organization's\
        \ critical systems should be included in the monitoring."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7
      ref_id: DE.CM-7.2
      description: Unauthorized configuration changes to organization's systems shall
        be monitored and addressed with the appropriate mitigation actions.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-8
      description: Vulnerability scans are performed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8
      ref_id: IMPORTANT_DE.CM-8.1
      description: The organization shall monitor and scan for vulnerabilities in
        its critical systems and hosted applications ensuring that system functions
        are not adversely impacted by the scanning process.
      annotation: Consider the implementation of a continuous vulnerability scanning
        program; Including reporting and mitigation plans.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8
      ref_id: IMPORTANT_DE.CM-8.2
      description: The vulnerability scanning process shall include analysis, remediation,
        and information sharing.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      ref_id: DE.DP
      name: Detection Processes
      description: Detection processes and procedures are maintained and tested to
        ensure awareness of anomalous events.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-2
      description: Detection activities comply with all applicable requirements
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2
      ref_id: IMPORTANT_DE.DP-2.1
      description: The organization shall conduct detection activities in accordance
        with applicable federal and regional laws, industry regulations and standards,
        policies, and other applicable requirements.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-3
      description: Detection processes are tested
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3
      ref_id: IMPORTANT_DE.DP-3.1
      description: The organization shall validate that event detection processes
        are operating as intended.
      annotation: "\u2022\tValidation includes testing.\n\u2022\tValidation should\
        \ be demonstrable."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-4
      description: Event detection information is communicated
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4
      ref_id: IMPORTANT_DE.DP-4.1
      description: The organization shall communicate event detection information
        to predefined parties.
      annotation: Event detection information includes for example, alerts on atypical
        account usage, unauthorized remote access, wireless connectivity, mobile device
        connection, altered configuration settings, contrasting system component inventory,
        use of maintenance tools and nonlocal maintenance, physical access, temperature
        and humidity, equipment delivery and removal, communications at the information
        system boundaries, use of mobile code, use of Voice over Internet Protocol
        (VoIP), and malware disclosure.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-5
      description: Detection processes are continuously improved
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5
      ref_id: IMPORTANT_DE.DP-5.1
      description: Improvements derived from the monitoring, measurement, assessment,
        testing, review, and lessons learned, shall be incorporated into detection
        process revisions.
      annotation: "\u2022\tThis results in a continuous improvement of the detection\
        \ processes.\n\u2022\tThe use of independent teams to assess the detection\
        \ process could be considered."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5
      ref_id: DE.DP-5.2
      description: The organization shall conduct specialized assessments including
        in-depth monitoring, vulnerability scanning, malicious user testing, insider
        threat assessment, performance/load testing, and verification and validation
        testing on the organization's critical systems.
      annotation: These activities can be outsourced, preferably to accredited organizations.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      assessable: false
      depth: 1
      ref_id: RS
      name: RESPOND (RS)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.RP
      name: Response Planning
      description: Response processes and procedures are executed and maintained,
        to ensure response to detected cybersecurity incidents.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp
      ref_id: RS.RP-1
      description: Response plan is executed during or after an incident
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.rp-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1
      ref_id: BASIC_RS.RP-1.1
      description: An incident response process, including roles, responsibilities,
        and authorities, shall be executed during or after an information/cybersecurity
        event on the organization's critical systems.
      annotation: "\u2022\tThe incident response process should include a predetermined\
        \ set of instructions or procedures to detect, respond to, and limit consequences\
        \ of a malicious cyber-attack.\n\u2022\tThe roles, responsibilities, and authorities\
        \ in the incident response plan should be specific on involved people, contact\
        \ info, different roles and responsibilities, and who makes the decision to\
        \ initiate recovery procedures as well as who will be the contact with appropriate\
        \ external stakeholders. It should be considered to determine the causes of\
        \ an information/cybersecurity event and implement a corrective action in\
        \ order that the event does not recur or occur elsewhere (an infection by\
        \ malicious code on one machine did not have spread elsewhere in the network).\
        \ The effectiveness of any corrective action taken should be reviewed. Corrective\
        \ actions should be appropriate to the effects of the information/cybersecurity\
        \ event encountered.\nInternal Note: Requirements are covered in PR.IP-9"
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.CO
      name: Communications
      description: Response activities are coordinated with internal and external
        stakeholders (e.g. external support from law enforcement agencies).
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-1
      description: Personnel know their roles and order of operations when a response
        is needed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1
      ref_id: IMPORTANT_RS.CO-1.1
      description: The organization shall ensure that personnel understand their roles,
        objectives, restoration priorities, task sequences (order of operations) and
        assignment responsibilities for event response.
      annotation: Consider the use the CCB Incident Management Guide to guide you
        through this exercise and consider bringing in outside experts if needed.
        Test your plan regularly and adjust it after each incident.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-2
      description: Incidents are reported consistent with established criteria
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2
      ref_id: IMPORTANT_RS.CO-2.1
      description: The organization shall implement reporting on information/cybersecurity
        incidents on its critical systems in an organization-defined time frame to
        organization-defined personnel or roles.
      annotation: All users should have a single point of contact to report any incident
        and be encouraged to do so.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2
      ref_id: RS.CO-2.2
      description: Events shall be reported consistent with established criteria.
      annotation: Criteria to report should be included in the incident response plan.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-3
      description: Information is shared consistent with response plans
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.co-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3
      ref_id: BASIC_RS.CO-3.1
      description: "Information/cybersecurity incident information shall be communicated\
        \ and shared with the organization\u2019s employees in a format that they\
        \ can understand."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3
      ref_id: IMPORTANT_RS.CO-3.2
      description: The organization shall share information/cybersecurity incident
        information with relevant stakeholders as foreseen in the incident response
        plan.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-4
      description: Coordination with stakeholders occurs consistent with response
        plans
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4
      ref_id: IMPORTANT_RS.CO-4.1
      description: The organization shall coordinate information/cybersecurity incident
        response actions with all predefined stakeholders.
      annotation: "\u2022\tStakeholders for incident response include for example,\
        \ mission/business owners, organization's critical system owners, integrators,\
        \ vendors, human resources offices, physical and personnel security offices,\
        \ legal departments, operations personnel, and procurement offices.\n\u2022\
        \tCoordination with stakeholders occurs consistent with incident response\
        \ plans."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-5
      description: 'Voluntary information sharing occurs with external stakeholders
        to achieve broader cybersecurity situational awareness '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5
      ref_id: IMPORTANT_RS.CO-5.1
      description: "The organization shall share information/cybersecurity event information\
        \ voluntarily, as appropriate, with external stakeholders, industry security\
        \ groups,\u2026 to achieve broader information/cybersecurity situational awareness."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.AN
      name: Analysis
      description: Analysis is conducted to ensure effective response and support
        recovery activities.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-1
      description: Notifications from detection systems are investigated
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1
      ref_id: IMPORTANT_RS.AN-1.1
      description: The organization shall investigate information/cybersecurity-related
        notifications generated from detection systems.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1
      ref_id: RS.AN-1.2
      description: The organization shall implement automated mechanisms to assist
        in the investigation and analysis of information/cybersecurity-related notifications.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-2
      description: The impact of the incident is understood
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2
      ref_id: IMPORTANT_RS.AN-2.1
      description: Thorough investigation and result analysis shall be the base for
        understanding the full implication of the information/cybersecurity incident.
      annotation: "\u2022\tResult analysis can involve the outcome of determining\
        \ the correlation between the information of the detected event and the outcome\
        \ of risk assessments. In this way, insight is gained into the impact of the\
        \ event across the organization.\n\u2022\tConsider including detection of\
        \ unauthorized changes to its critical systems in its incident response capabilities."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2
      ref_id: RS.AN-2.2
      description: The organization shall implement automated mechanisms to support
        incident impact analysis.
      annotation: Implementation could vary from a ticketing system to a Security
        Information and Event Management (SIEM).
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-3
      description: Forensics are performed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3
      ref_id: RS.AN-3.1
      description: The organization shall provide on-demand audit review, analysis,
        and reporting for after-the-fact investigations of information/cybersecurity
        incidents.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3
      ref_id: RS.AN-3.2
      description: The organization shall conduct forensic analysis on collected information/cybersecurity
        event information to determine root cause.
      annotation: Consider to determine the root cause of an incident. If necessary,
        use forensics analysis on collected information/cybersecurity event information
        to achieve this.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-4
      description: Incidents are categorized consistent with response plans
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4
      ref_id: IMPORTANT_RS.AN-4.1
      description: Information/cybersecurity incidents shall be categorized according
        to the level of severity and impact consistent with the evaluation criteria
        included the incident response plan.
      annotation: "\u2022\tIt should be considered to determine the causes of an information/cybersecurity\
        \ incident and implement a corrective action in order that the incident does\
        \ not recur or occur elsewhere.\n\u2022\tThe effectiveness of any corrective\
        \ action taken should be reviewed.\n\u2022\tCorrective actions should be appropriate\
        \ to the effects of the information/cybersecurity incident encountered."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-5
      description: Processes are established to receive, analyze and respond to vulnerabilities
        disclosed to the organization from internal and external sources (e.g. internal
        testing, security bulletins, or security researchers)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5
      ref_id: IMPORTANT_RS.AN-5.1
      description: '[KEY MEASURE] The organization shall implement vulnerability management
        processes and procedures that include processing, analyzing and remedying
        vulnerabilities from internal and external sources. '
      annotation: Internal and external sources could be e.g. internal testing, security
        bulletins, or security researchers.
      implementation_groups:
      - I
      - E
      - IK
      - EK
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5
      ref_id: RS.AN-5.2
      description: The organization shall implement automated mechanisms to disseminate
        and track remediation efforts for vulnerability information, captured from
        internal and external sources, to key stakeholders.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.MI
      name: Mitigation
      description: Activities are performed to prevent expansion of an event, mitigate
        its effects, and resolve the incident.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi
      ref_id: RS.MI-1
      description: Incidents are contained
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.mi-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1
      ref_id: IMPORTANT_RS.MI-1.1
      description: The organization shall implement an incident handling capability
        for information/cybersecurity incidents on its business critical systems that
        includes preparation, detection and analysis, containment, eradication, recovery
        and documented risk acceptance.
      annotation: A documented risk acceptance deals with risks that the organisation
        assesses as not dangerous to the organisation's business critical systems
        and where the risk owner formally accepts the risk (related with the risk
        appetite of the organization)
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.IM
      name: Improvements
      description: Organizational response activities are improved by incorporating
        lessons learned from current and previous detection/response activities.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im
      ref_id: RS.IM-1
      description: Response plans incorporate lessons learned
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.im-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1
      ref_id: BASIC_RS.IM-1.1
      description: The organization shall conduct post-incident evaluations to analyse
        lessons learned from incident response and recovery, and consequently improve
        processes / procedures / technologies to enhance its cyber resilience.
      annotation: Consider bringing involved people together after each incident and
        reflect together on ways to improve what happened, how it happened, how we
        reacted, how it could have gone better, what should be done to prevent it
        from happening again, etc.
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1
      ref_id: IMPORTANT_RS.IM-1.2
      description: Lessons learned from incident handling shall be translated into
        updated or new incident handling procedures that shall be tested, approved
        and trained.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im
      ref_id: RS.IM-2
      description: Response and Recovery strategies are updated
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2
      ref_id: IMPORTANT_RS.IM-2.1
      description: The organization shall update the response and recovery  plans
        to address changes in its context.
      annotation: "The organization\u2019s context relates to the organizational structure,\
        \ its critical systems, attack vectors, new threats, improved technology,\
        \ environment of operation, problems encountered during plan implementation/execution/testing\
        \ and lessons learned."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      assessable: false
      depth: 1
      ref_id: RC
      name: RECOVER (RC)
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      ref_id: RC.RP
      name: Recovery Planning
      description: Recovery processes and procedures are executed and maintained to
        ensure restoration of systems or assets affected by cybersecurity incidents.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp
      ref_id: RC.RP-1
      description: 'Recovery plan is executed during or after a cybersecurity incident '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rc.rp-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1
      ref_id: BASIC_RC.RP-1.1
      description: A recovery process for disasters and information/cybersecurity
        incidents shall be developed and executed as appropriate.
      annotation: "A process should be developed for what immediate actions will be\
        \ taken in case of a fire, medical emergency, burglary, natural disaster,\
        \ or  an information/cyber security incident.\nThis process should consider:\n\
        \u2022\tRoles and Responsibilities, including of who makes the decision to\
        \ initiate recovery procedures and who will be the contact with appropriate\
        \ external stakeholders.\n\u2022\tWhat to do with company\u2019s information\
        \ and information systems in case of an incident. This includes shutting down\
        \ or locking computers, moving to a backup site, physically removing important\
        \ documents, etc.\n\u2022\tWho to call in case of an incident."
      implementation_groups:
      - B
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1
      ref_id: RC.RP-1.2
      description: "The essential organization\u2019s functions and services shall\
        \ be continued with little or no loss of operational continuity and continuity\
        \ shall be sustained until full system restoration."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      ref_id: RC.IM
      name: Improvements
      description: Recovery planning and processes are improved by incorporating lessons
        learned into future activities.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im
      ref_id: RC.IM-1
      description: Recovery plans incorporate lessons learned
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.im-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1
      ref_id: IMPORTANT_RC.IM-1.1
      description: The organization shall incorporate lessons learned from incident
        recovery activities into updated or new system recovery procedures and, after
        testing, frame this with appropriate training.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      ref_id: RC.CO
      name: Communications
      description: Restoration activities are coordinated with internal and external
        parties (e.g.  coordinating centers, Internet Service Providers, owners of
        attacking systems, victims, other CSIRTs, and vendors).
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      ref_id: RC.CO-1
      description: Public relations are managed
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1
      ref_id: IMPORTANT_RC.CO-1.1
      description: The organization shall centralize and coordinate how information
        is disseminated and manage how the organization is presented to the public.
      annotation: "Public relations management may include, for example, managing\
        \ media interactions, coordinating and logging all requests for interviews,\
        \ handling and \u2018triaging\u2019 phone calls and e-mail requests, matching\
        \ media requests with appropriate and available internal experts who are ready\
        \ to be interviewed, screening all of information provided to the media, ensuring\
        \ personnel are familiar with public relations and privacy policies."
      implementation_groups:
      - I
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1
      ref_id: RC.CO-1.2
      description: A Public Relations Officer shall be assigned.
      annotation: "The Public Relations Officer should consider the use of pre-define\
        \ external contacts \n(e.g. press, regulators, interest groups)."
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      ref_id: RC.CO-2
      description: 'Reputation is repaired after an incident '
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2
      ref_id: RC.CO-2.1
      description: The organization shall implement a crisis response strategy to
        protect the organization from the negative consequences of a crisis and help
        restore its reputation.
      annotation: Crisis response strategies include, for example, actions to shape
        attributions of the crisis, change perceptions of the organization in crisis,
        and reduce the negative effect generated by the crisis.
      implementation_groups:
      - E
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      ref_id: RC.CO-3
      description: Recovery activities are communicated to internal and external stakeholders
        as well as executive and management teams
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3
      ref_id: IMPORTANT_RC.CO-3.1
      description: The organization shall communicate recovery activities to predefined
        stakeholders, executive and management teams.
      annotation: Communication of recovery activities to all relevant stakeholders
        applies only to entities subject to the NIS legislation.
      implementation_groups:
      - I
      - E