[
    {
        "authors": [
            "Koen Van Impe"
        ],
        "label": "Baseline Security Guidelines (BSG)",
        "language": "FR",
        "refs": [
            "https://cyberguide.ccb.belgium.be/fr"
        ],
        "uuid": "8c386095-dcbb-44e3-8c02-7fafecd19112",
        "values": [
            {
                "category": "Politique de s\u00e9curit\u00e9",
                "code": "4.1.1",
                "label": "Chaque organisation doit disposer d'une politique de s\u00e9curit\u00e9 approuv\u00e9e et soutenue par la direction.",
                "uuid": "1cc160ac-8d5c-4ca3-bb72-62a10719c123"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.1",
                "label": "Chaque organisation mettra en place un syst\u00e8me de gestion des risques.",
                "uuid": "007b3160-1740-45c7-94c6-ca941c0fb139"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.2",
                "label": "La s\u00e9curit\u00e9 de l'information sera int\u00e9gr\u00e9e dans la gestion des projets (S\u00e9curit\u00e9 d\u00e8s la conception - 'security by design') afin d'int\u00e9grer le plus t\u00f4t possible les aspects de s\u00e9curit\u00e9.",
                "uuid": "611de8f9-c8a9-41ed-92f0-924f220bc43a"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.3",
                "label": "Afin de mettre \u00e0 jour les connaissances et de favoriser les \u00e9changes sur les derni\u00e8res tendances en mati\u00e8re de s\u00e9curit\u00e9 de l'information, il sera n\u00e9cessaire de participer aux forums sp\u00e9cialis\u00e9s abordant les questions de s\u00e9curit\u00e9 de l'information.",
                "uuid": "85d026e4-e8f5-42f4-9833-fc5fdfb6b7df"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.4",
                "label": "Afin que ces mesures organisationnelles soient appliqu\u00e9es, chaque organisation (in)formera son personnel et les tiers op\u00e9rant sous sa responsabilit\u00e9.",
                "uuid": "3b96ee40-70c3-452a-849c-4cda88d9f4c0"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.5",
                "label": "D\u00e9signer et mandater un responsable de la s\u00e9curit\u00e9.",
                "uuid": "6ea237dc-cb92-4bcd-a688-a5ea7ba3d783"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.6",
                "label": "Un tableau de bord permettant de mesurer son niveau de s\u00e9curit\u00e9 par rapport aux objectifs fix\u00e9s par la strat\u00e9gie de l'organisation.",
                "uuid": "12d776b0-2b90-4f2c-a59e-8cb6d173ebdd"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.7",
                "label": "Un code de conduite et de bonnes pratiques en mati\u00e8re d'utilisation des syst\u00e8mes d'information sera \u00e9labor\u00e9, approuv\u00e9 et communiqu\u00e9.",
                "uuid": "ca1b4896-cb90-4890-b62c-1e1590425ba0"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.8",
                "label": "Un plan d'information & de formation sera adopt\u00e9.",
                "uuid": "65a113ed-1a28-4f16-a205-6dcd58684f59"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.8.1",
                "label": "Chaque organisation d\u00e9finira les r\u00e8gles et mesures de s\u00e9curit\u00e9 d'usage des supports m\u00e9dia amovibles.",
                "uuid": "20062322-d837-4144-b3e0-fd69e3d63f1b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.8.2",
                "label": "Une politique d'acc\u00e8s, de gestion des informations \u00e0 distance (t\u00e9l\u00e9travail) sera adopt\u00e9e.",
                "uuid": "89f5c88a-d730-45d2-a4de-77b84f267690"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.9",
                "label": "Chaque organisation doit identifier les r\u00f4les et responsabilit\u00e9s des diff\u00e9rents acteurs dans la s\u00e9curit\u00e9 de l'information.",
                "uuid": "0d9d2a96-7a52-4872-8ba0-f4068082144b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.10_AVG",
                "label": "Chaque organisation mettra en place un syst\u00e8me de gestion des risques pour la gestion des donn\u00e9es personnelles.",
                "uuid": "8a772336-e4ad-4fd7-a093-c4e34779aaf7"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.11_AVG",
                "label": "Configurer et g\u00e9rer le registre de traitement RGPD.",
                "uuid": "be3c2eb6-61c4-4f8b-b27f-d03eb3443b05"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.12_AVG",
                "label": "Chaque organisation veille \u00e0 ce qu'un d\u00e9l\u00e9gu\u00e9 \u00e0 la protection des donn\u00e9es (ci-apr\u00e8s d\u00e9sign\u00e9 DPO) dot\u00e9 d'un mandat clair soit d\u00e9sign\u00e9 et mandat\u00e9.",
                "uuid": "995f60bd-fa47-4ffe-b6ce-9905229bf860"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.13_AVG",
                "label": "La protection des donn\u00e9es sera int\u00e9gr\u00e9e \u00e0 la gestion du projet (protection des donn\u00e9es par conception) afin d'int\u00e9grer les aspects de s\u00e9curit\u00e9 le plus rapidement possible.",
                "uuid": "d82fc564-3d0c-43d3-80b0-306c250bfbbb"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.14_AVG",
                "label": "Pour mettre \u00e0 jour les connaissances et promouvoir l'\u00e9change des tendances en mati\u00e8re de protection des donn\u00e9es, il sera n\u00e9cessaire de participer \u00e0 des forums sp\u00e9cialis\u00e9s et \u00e0 des canaux d'information traitant de la protection des donn\u00e9es.",
                "uuid": "fcd838d6-ab69-46f8-a7a2-17c84b6bb777"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.15_AVG",
                "label": "Pour s'assurer que les mesures organisationnelles n\u00e9cessaires sont mises en \u0153uvre, chaque organisation informe son personnel et les tiers travaillant sous sa responsabilit\u00e9.",
                "uuid": "a101acbd-a409-4ef6-ba97-c0c123742f93"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.16_AVG",
                "label": "Chaque organisation dispose d'un tableau de bord pour mesurer et contr\u00f4ler l'\u00e9tat et maturit\u00e9 de protection des donn\u00e9es par rapport aux objectifs de sa strat\u00e9gie.",
                "uuid": "ac29f819-028f-43a9-b64e-36502c01cc0d"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.17_AVG",
                "label": "Un code de conduite et de bonnes pratiques pour l'utilisation de donn\u00e9es \u00e0 caract\u00e8re personnel seront d\u00e9velopp\u00e9s, approuv\u00e9s et communiqu\u00e9s.",
                "uuid": "59e0247f-668a-440f-83cc-eee08b15d875"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.18_AVG",
                "label": "Un plan d'information et de formation sera approuv\u00e9.",
                "uuid": "eb865e05-a869-4ec1-9f93-e7e9d2b8311a"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.19_AVG",
                "label": "Les r\u00e8gles d'acc\u00e8s aux donn\u00e9es sont d\u00e9termin\u00e9es.",
                "uuid": "5fd7bb7e-9704-4616-b687-947a2b022e8e"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9",
                "code": "4.2.20_AVG",
                "label": "Chaque organisation doit identifier les t\u00e2ches et les responsabilit\u00e9s des diff\u00e9rents acteurs de la protection des donn\u00e9es.",
                "uuid": "ce01c440-aa4f-432f-b4f0-6e89dd0f5cc6"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "4.3.1",
                "label": "Une politique relative \u00e0 la gestion des collaborateurs (internes et/ou externes) sera adopt\u00e9e.",
                "uuid": "df696f9a-646d-4db1-bebf-ff2066e6ebdf"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "4.3.2",
                "label": "R\u00e9glementation de l'emploi",
                "uuid": "8a6d3cf4-0a31-4e41-a2ec-cf13c6d04688"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "4.3.3_AVG",
                "label": "La politique pour les employ\u00e9s (internes et externes) contient une bonne protection juridique et / ou contractuelle des donn\u00e9es personnelles.",
                "uuid": "441aaa8d-5641-4ac2-90d8-bf5bdf121ce8"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "4.3.4_AVG",
                "label": "Proc\u00e9dure de recrutement.",
                "uuid": "0694ce82-792f-4e7e-ad5d-b75f24cbc822"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "4.3.5_AVG",
                "label": "R\u00e9glementation de l'emploi contient des accords de confidentialit\u00e9 ou de non-divulgation.",
                "uuid": "564b2edb-0c96-42e4-b99c-aa4dbbedfd09"
            },
            {
                "category": "Sensibilisation, formation, d\u00e9veloppement & Communication",
                "code": "4.4.1",
                "label": "Un plan de formation, de d\u00e9veloppement et de communication sera d\u00e9fini afin que tous les collaborateurs de l'organisation, internes et externes, suivent, dans la mesure du possible, la formation en mati\u00e8re de s\u00e9curit\u00e9 de l'information et soient r\u00e9guli\u00e8rement inform\u00e9s sur les adaptations apport\u00e9es aux directives et proc\u00e9dures.",
                "uuid": "417e07f4-62fe-4503-b34b-6d1c4ecf705c"
            },
            {
                "category": "Sensibilisation, formation, d\u00e9veloppement & Communication",
                "code": "4.4.2",
                "label": "Un plan de communication sera d\u00e9fini pour que toutes les parties int\u00e9ress\u00e9es de l'organisation, en interne et en externe, re\u00e7oivent les informations n\u00e9cessaires sur la s\u00e9curit\u00e9 de l'information, le cas \u00e9ch\u00e9ant, et soient r\u00e9guli\u00e8rement inform\u00e9es des adaptations apport\u00e9es aux lignes directrices et aux proc\u00e9dures.",
                "uuid": "b969dd46-b70d-4ec7-a8b5-df763ff556b1"
            },
            {
                "category": "Sensibilisation, formation, d\u00e9veloppement & Communication",
                "code": "4.4.3_AVG",
                "label": "Vad\u00e9m\u00e9cum avec la terminologie RGPD.",
                "uuid": "5299522f-d771-4939-b5f7-61501fb65558"
            },
            {
                "category": "Sensibilisation, formation, d\u00e9veloppement & Communication",
                "code": "4.4.4_AVG",
                "label": "Un plan de formation et d'\u00e9ducation sera d\u00e9fini de mani\u00e8re \u00e0 ce que tous les employ\u00e9s de l'ensemble de l'organisation, qu'ils soient internes ou externes, re\u00e7oivent l'instruction et la formation n\u00e9cessaires \u00e0 intervalles r\u00e9guliers sur la RGPD et la protection des donn\u00e9es, dans les mesures applicables \u00e0 leurs fonctions/ poste leur r\u00f4le et leur responsabilit\u00e9 \u00e0 cet \u00e9gard, et \u00eatre tenu inform\u00e9 des modifications apport\u00e9es aux directives et proc\u00e9dures.",
                "uuid": "7a29e969-f986-4f44-8a5c-d8f354563a88"
            },
            {
                "category": "Sensibilisation, formation, d\u00e9veloppement & Communication",
                "code": "4.4.5_AVG",
                "label": "Un plan de communication sera d\u00e9fini de mani\u00e8re \u00e0 ce que toutes les parties int\u00e9ress\u00e9es de l'organisation, tant internes qu'externes, re\u00e7oivent les informations de protection des donn\u00e9es n\u00e9cessaires, le cas \u00e9ch\u00e9ant, et soient r\u00e9guli\u00e8rement inform\u00e9es des modifications apport\u00e9es aux directives et aux proc\u00e9dures.",
                "uuid": "cdee47f8-8bf0-4de4-a873-b4ecc2974047"
            },
            {
                "category": "Sensibilisation, formation, d\u00e9veloppement & Communication",
                "code": "4.4.6_AVG",
                "label": "Pr\u00e9parez une d\u00e9claration de protection des donn\u00e9es expliquant quelles donn\u00e9es sont trait\u00e9es, comment et les mesures de protections mises en \u0153uvre.",
                "uuid": "362c3ed6-18bc-4dfa-923a-55e4d050edb5"
            },
            {
                "category": "Sensibilisation, formation, d\u00e9veloppement & Communication",
                "code": "4.4.7_AVG",
                "label": "Proc\u00e9dure de communication pour l'exercice des droits de la personne concern\u00e9e.",
                "uuid": "7dc57262-e4c2-4da6-ba41-9e094c2dd8db"
            },
            {
                "category": "La gestion des actifs",
                "code": "4.5.1",
                "label": "Chaque organisation \u00e9tablira un inventaire de ses actifs essentiels, quelle que soit sa cat\u00e9gorie (information, donn\u00e9es, transmission, application, r\u00e9seaux, processus, syst\u00e8mes, ...).",
                "uuid": "52f3722e-4eda-4d51-859f-ed29ffacbd51"
            },
            {
                "category": "La gestion des actifs",
                "code": "4.5.2",
                "label": "Un inventaire des syst\u00e8mes d'information sera tenu \u00e0 jour.",
                "uuid": "fe16340a-926f-4829-955d-a547c046061c"
            },
            {
                "category": "La gestion des actifs",
                "code": "4.5.3",
                "label": "Chaque organisation veillera \u00e0 mettre en place une proc\u00e9dure de gestion des actifs de l'information en tenant compte de l'importance des donn\u00e9es de l'organisation.",
                "uuid": "88e0be5c-8ba0-4159-a9ca-c2e3f511c1cd"
            },
            {
                "category": "La gestion des actifs",
                "code": "4.5.4",
                "label": "Chaque organisation d\u00e9finira les r\u00e8gles et mesures de s\u00e9curit\u00e9 d'usage des supports m\u00e9dia amovibles.",
                "uuid": "ae470d7b-c065-4f30-b34a-471221f48e0d"
            },
            {
                "category": "La gestion des actifs",
                "code": "4.5.5",
                "label": "Chaque organisation mettra en place les mesures de s\u00e9curit\u00e9 des donn\u00e9es sensibles et des syst\u00e8mes d'information.",
                "uuid": "dee024e0-2f15-42ba-bb19-0e4c4e412505"
            },
            {
                "category": "La gestion des actifs",
                "code": "4.5.5.1",
                "label": "Chaque organisation mettra en place les mesures de s\u00e9curit\u00e9 r\u00e9gissant les moyens de communication \u00e9lectronique.",
                "uuid": "357d56a0-5328-4bdd-a30d-18e70018c50a"
            },
            {
                "category": "La gestion des actifs",
                "code": "4.5.6_AVG",
                "label": "Les donn\u00e9es personnelles sont suffisamment prot\u00e9g\u00e9es sur la base de l'\u00e9valuation des risques.",
                "uuid": "9d210d3d-fc82-49b1-9e38-16125abb72c2"
            },
            {
                "category": "Le contr\u00f4le d'acc\u00e8s",
                "code": "4.6.1",
                "label": "L'organisation d\u00e9finira par actif (au sens large du terme) les r\u00e8gles claires d'acc\u00e8s.",
                "uuid": "362ef0e0-f7e2-4a61-be0d-912286237e0c"
            },
            {
                "category": "Le contr\u00f4le d'acc\u00e8s",
                "code": "4.6.2",
                "label": "Un registre des autorisations d'acc\u00e8s sera tenu et mis \u00e0 jour par l'organisation.",
                "uuid": "ca38f20d-15d0-43c6-a5a0-9705e53b97a9"
            },
            {
                "category": "Le contr\u00f4le d'acc\u00e8s",
                "code": "4.6.3",
                "label": "Les utilisateurs seront clairement form\u00e9s et inform\u00e9s de leurs devoirs & responsabilit\u00e9s.",
                "uuid": "f88ba193-9859-44e6-b35b-c92eb0daaf02"
            },
            {
                "category": "Le contr\u00f4le d'acc\u00e8s",
                "code": "4.6.4",
                "label": "Pour chaque \u00e9l\u00e9ment de l'inventaire (renforcement des mesures de s\u00e9curit\u00e9, rapport \u00e0 une autorit\u00e9).",
                "uuid": "0e53cc22-6627-4ce8-b9f9-4ba8dbe3d7de"
            },
            {
                "category": "Le contr\u00f4le d'acc\u00e8s",
                "code": "4.6.5",
                "label": "Contr\u00f4le d'acc\u00e8s aux donn\u00e9es personnelles.",
                "uuid": "0b28f89f-00c6-4a7f-8cff-73c1ebbd299d"
            },
            {
                "category": "Le contr\u00f4le d'acc\u00e8s",
                "code": "4.6.6_AVG",
                "label": "V\u00e9rification de l'identit\u00e9 de la personne voulant exercer ses droits.",
                "uuid": "dea2dbfe-fd32-485c-8a6b-7e7ee0dae5b8"
            },
            {
                "category": "La cryptographie",
                "code": "4.7.1",
                "label": "Si des mesures cryptographiques sont mises en \u0153uvre, l'organisation d\u00e9taillera ces mesures.",
                "uuid": "7b225b04-3dc2-42c4-a920-f343be6b28c6"
            },
            {
                "category": "La cryptographie",
                "code": "4.7.2",
                "label": "En r\u00e8gle g\u00e9n\u00e9rale, l'acc\u00e8s aux actifs essentiels doit \u00eatre bas\u00e9 sur des acc\u00e8s individuels. Le partage de codes d'acc\u00e8s n'est pas permis.",
                "uuid": "36f43595-5efb-4478-9c0c-25f0a866e49e"
            },
            {
                "category": "La cryptographie",
                "code": "4.7.3",
                "label": "Key management.",
                "uuid": "6366690a-d5c2-4354-989c-596e255d6e50"
            },
            {
                "category": "La cryptographie",
                "code": "4.7.4_AVG",
                "label": "Les donn\u00e9es personnelles sont suffisamment prot\u00e9g\u00e9es lors du stockage, du transport et de l'utilisation des donn\u00e9es personnelles.",
                "uuid": "4d151f6c-f1f7-45fc-be24-26983be7a9c7"
            },
            {
                "category": "La s\u00e9curit\u00e9 physique et environnementale",
                "code": "4.8.1",
                "label": "Espaces s\u00e9curis\u00e9s.",
                "uuid": "9f06714f-30a2-4223-9758-d906e8685808"
            },
            {
                "category": "La s\u00e9curit\u00e9 physique et environnementale",
                "code": "4.8.2",
                "label": "Protection des appareils.",
                "uuid": "e851eb18-01d1-4a6c-8325-153228e07c66"
            },
            {
                "category": "La s\u00e9curit\u00e9 physique et environnementale",
                "code": "4.8.3",
                "label": "Politique 'Clear screen'.",
                "uuid": "da39891f-0050-4c08-90eb-a66c96122f95"
            },
            {
                "category": "La s\u00e9curit\u00e9 physique et environnementale",
                "code": "4.8.4",
                "label": "Politique 'Clear desk'.",
                "uuid": "7a6c19b2-4929-4dda-b844-ca9bf7f78666"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.1",
                "label": "Pour chaque \u00e9l\u00e9ment d'actif login & monitoring avec rapportage des incidents et des mesures de s\u00e9curit\u00e9 prises.",
                "uuid": "c600645e-682b-4256-9d69-1b03ef261932"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.2",
                "label": "Un inventaire de l'environnement de test sera dress\u00e9.",
                "uuid": "4604aab0-7c9e-45cd-ad38-579be27f08f8"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.3.1",
                "label": "Les mesures techniques mises en place pour l'architecture seront au minimum: Antimalware/antivirus mis \u00e0 jour.",
                "uuid": "7090e984-01ef-4813-ab37-490b9ef01a0b"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.3.2",
                "label": "Les mesures techniques mises en place pour l'architecture seront au minimum: Syst\u00e8me de d\u00e9tection des intrusions ou des acc\u00e8s non autoris\u00e9s/software non autoris\u00e9s.",
                "uuid": "9752d5a2-6f9d-4763-8445-39811f4b283c"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.3.3",
                "label": "Les mesures techniques mises en place pour l'architecture seront au minimum: Proc\u00e9dures de blocage/isolement pour anomalies/acc\u00e8s non autoris\u00e9, \u2026",
                "uuid": "3b3a63ad-486b-4ea6-8b2c-b7ae99f17710"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.3.4",
                "label": "Les mesures techniques mises en place pour l'architecture seront au minimum: Up to date hardware & software avec test pr\u00e9alable des nouvelles releases & fall back sc\u00e9nario.",
                "uuid": "beb2d7a4-ef17-4ad7-9e35-d7bf90a1209b"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.3.5",
                "label": "Les mesures techniques mises en place pour l'architecture seront au minimum: Gestion des incidents (y compris la communication).",
                "uuid": "86d92098-6655-492c-a2cb-6909a0ca0783"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.3.6",
                "label": "Les mesures techniques mises en place pour l'architecture seront au minimum: Avoir des proc\u00e9dures de backup: cr\u00e9ation, test de restauration.",
                "uuid": "c5162eaa-b141-4898-9c5a-09efab5f3e2f"
            },
            {
                "category": "La s\u00e9curit\u00e9 li\u00e9e aux op\u00e9rations",
                "code": "4.9.3.7",
                "label": "Les mesures techniques mises en place pour l'architecture seront au minimum: Avoir une proc\u00e9dure li\u00e9e au cryptage des donn\u00e9es.",
                "uuid": "bd5a5d3d-bf22-463b-abf5-6357b5667d1b"
            },
            {
                "category": "La s\u00e9curit\u00e9 des communications",
                "code": "4.10.1",
                "label": "Une mesure de s\u00e9curit\u00e9 doit prendre en compte la s\u00e9curit\u00e9 des transmissions de l'information afin d'\u00e9viter les acc\u00e8s non autoris\u00e9s aux infrastructures et aux donn\u00e9es de l'organisation, que cet acc\u00e8s soit volontaire ou non.",
                "uuid": "2087bc31-184b-4b28-a9e0-de6cc6f47115"
            },
            {
                "category": "La s\u00e9curit\u00e9 des communications",
                "code": "4.10.2",
                "label": "Cette mesure de s\u00e9curit\u00e9 devra tenir compte de l'accessibilit\u00e9 requise pour les syst\u00e8mes de l'organisation.",
                "uuid": "c2a9d554-e4e1-4b2b-ae3a-bdbb0184bdc1"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "4.11.1",
                "label": "Impl\u00e9mentez des contr\u00f4les pour l'acquisition, le d\u00e9veloppement et la maintenance de tout nouveau syst\u00e8me. L'aspect d'outsourcing, l'utilisation de services en nuage ou l'achat de produits n\u00e9cessitent une attention particuli\u00e8re.",
                "uuid": "882aec33-b8c1-4ace-a933-adc33ee62281"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "4.11.2",
                "label": "Chaque organisation tiendra un journal.",
                "uuid": "8d13a8ef-68cb-4059-955f-18706bc2534a"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "4.11.3",
                "label": "Le journal sp\u00e9cifiera aussi les mesures de s\u00e9curit\u00e9 mises en place.",
                "uuid": "2e6a0a11-0b5f-46e3-ab94-86b8958f502b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "4.11.4",
                "label": "L'organisation mettra en \u0153uvre des proc\u00e9dures afin de maintenir ses solutions \u00e0 jour et assurera une mesure de s\u00e9curit\u00e9 de backup test\u00e9e tant pour ses syst\u00e8mes que pour ses donn\u00e9es.",
                "uuid": "314754df-57aa-46b2-bba1-a742becbb18e"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "4.11.5_AVG",
                "label": "Lors de l'achat, le d\u00e9veloppement et la maintenance de syst\u00e8mes, processus et proc\u00e9dures doivent \u00eatre utilis\u00e9s pour prot\u00e9ger les donn\u00e9es personnelles, \u00e0 la fois pendant la conception et la gestion op\u00e9rationnelle.",
                "uuid": "3a2efe2f-c165-45cd-9a62-d178a8d91694"
            },
            {
                "category": "Relations avec les fournisseurs",
                "code": "4.12.1",
                "label": "L'organisation s'assurera que les contrats entre parties mentionneront les mesures de s\u00e9curit\u00e9 impos\u00e9es par l'organisation, les lois et r\u00e8glements (notamment le RGPD) ainsi que les \u00e9l\u00e9ments de contr\u00f4le et de revue.",
                "uuid": "5a0139be-8db3-49d5-b20d-8df2da066684"
            },
            {
                "category": "Relations avec les fournisseurs",
                "code": "4.12.1.2",
                "label": "Chaque organisation veillera \u00e0 encadrer les relations avec les fournisseurs et les autorit\u00e9s.",
                "uuid": "b8722b1c-7644-46be-b9a0-eeaf16b7e26d"
            },
            {
                "category": "Relations avec les fournisseurs",
                "code": "4.12.2",
                "label": "Chaque organisation veillera \u00e0 faire appel aux services de 'cloud computing' qui correspondent aux mesures de s\u00e9curit\u00e9 n\u00e9cessaires pour l'organisation.",
                "uuid": "5b05804b-9d29-4360-8252-218e92193db5"
            },
            {
                "category": "Relations avec les fournisseurs",
                "code": "4.12.3_AVG",
                "label": "Chaque organisation veillera \u00e0 ce que les relations avec les fournisseurs et les autorit\u00e9s soient d\u00e9finies.",
                "uuid": "827585e6-6044-4918-bd3e-cd6e68d4b872"
            },
            {
                "category": "Politique Coordonn\u00e9e pour publication des vuln\u00e9rabilit\u00e9s de s\u00e9curit\u00e9",
                "code": "4.13.1",
                "label": "Une Politique Coordonn\u00e9e pour publication des vuln\u00e9rabilit\u00e9s ('Coordinated Vulnerability Disclosure Policy' \u2013 ci-dessous CVDP). L'organisation \u00e9labore et applique une CVDP.",
                "uuid": "06413a61-a94b-4f5b-9682-64a3d01fe18a"
            },
            {
                "category": "Politique Coordonn\u00e9e pour publication des vuln\u00e9rabilit\u00e9s de s\u00e9curit\u00e9",
                "code": "4.13.2",
                "label": "Les employ\u00e9s internes et externes ainsi que les personnes impliqu\u00e9es doivent disposer d'une proc\u00e9dure permettant de signaler les activit\u00e9s suspectes.",
                "uuid": "0ddaed31-8775-472a-8027-5311e4d1ceea"
            },
            {
                "category": "Politique Coordonn\u00e9e pour publication des vuln\u00e9rabilit\u00e9s de s\u00e9curit\u00e9",
                "code": "4.13.3_AVG",
                "label": "Notification \u00e0 l'autorit\u00e9 de contr\u00f4le d'une violation de donn\u00e9es \u00e0 caract\u00e8re personnel.",
                "uuid": "b47adcd3-b5e6-47d7-9b30-24b116041e17"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "4.14.1",
                "label": "Chaque organisation mettra en place un plan de gestion des incidents qui reprendra les r\u00f4les et responsabilit\u00e9s.",
                "uuid": "866d0e78-cf90-43ba-b80b-fc024d9e353d"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "4.14.2",
                "label": "Chaque incident sera analys\u00e9 afin d'\u00e9valuer la pertinence de nouvelles mesures de s\u00e9curit\u00e9.",
                "uuid": "61353cc1-2e98-4a53-9439-5042b4330617"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "4.14.3_AVG",
                "label": "Chaque organisation \u00e9tablit un plan de gestion des incidents comprenant les t\u00e2ches et responsabilit\u00e9s suivantes, qui r\u00e9git le traitement des violations de donn\u00e9es \u00e0 caract\u00e8re personnel.",
                "uuid": "bd868c76-36fc-454b-bb2c-75aff696a176"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "4.14_4_AVG",
                "label": "Notification \u00e0 l'autorit\u00e9 de contr\u00f4le d'une violation de donn\u00e9es \u00e0 caract\u00e8re personnel.",
                "uuid": "d5fa0e1e-6e73-417d-812d-d479958ca619"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "4.15.1",
                "label": "Pour tout syst\u00e8me critique ou toute donn\u00e9e sensible n\u00e9cessaires \u00e0 la continuit\u00e9 de l'organisation, un plan de continuit\u00e9 sera mis en place.",
                "uuid": "fa2092d3-2e09-45fd-9281-e4c0acafdd77"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "4.15.2",
                "label": "Maintenance du plan de continuit\u00e9.",
                "uuid": "c6ef4a4d-256f-4031-a0ae-bc3c840649ec"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "4.15.3",
                "label": "Syst\u00e8me de protection garantissant la confidentialit\u00e9, l'int\u00e9grit\u00e9 et la disponibilit\u00e9 des donn\u00e9es personnelles et de l'entreprise.",
                "uuid": "a122fa15-6a0d-461f-b3bb-86bfa1e2a5b9"
            },
            {
                "category": "Encadrer les relations avec les tiers et les autorit\u00e9s",
                "code": "4.16.1",
                "label": "Conformit\u00e9 aux dispositions l\u00e9gales et r\u00e8glementaires.",
                "uuid": "9bd1bf6d-e4a4-4936-a4f0-6cdd7f7a0770"
            },
            {
                "category": "Encadrer les relations avec les tiers et les autorit\u00e9s",
                "code": "4.16.2",
                "label": "Chaque organisation veillera \u00e0 ce que les relations avec les fournisseurs et les autorit\u00e9s soient d\u00e9finies.",
                "uuid": "91f2af81-e57d-4c40-aeea-9c9811f68cbd"
            },
            {
                "category": "Encadrer les relations avec les tiers et les autorit\u00e9s",
                "code": "4.16.3_AVG",
                "label": "Suivi de la l\u00e9gislation et des avis \u00e9mis ou modifi\u00e9s par les autorit\u00e9s comp\u00e9tentes.",
                "uuid": "6a129d85-8f6b-4a98-90d7-ac90c2dc0215"
            },
            {
                "category": "Evaluation des mesures de s\u00e9curit\u00e9",
                "code": "4.17.1",
                "label": "Chaque organisation organisera r\u00e9guli\u00e8rement une \u00e9valuation interne ou externe sur la s\u00e9curit\u00e9 de l'information.",
                "uuid": "32716663-cd17-42be-a47c-359ffaf6bd52"
            }
        ],
        "version": 2
    },
    {
        "authors": [
            "Koen Van Impe"
        ],
        "label": "Baseline Security Guidelines (BSG)",
        "language": "NL",
        "refs": [
            "https://cyberguide.ccb.belgium.be/nl"
        ],
        "uuid": "4c3c3755-1b24-4ba3-8f49-0942af399669",
        "values": [
            {
                "category": "Veiligheidsbeleid",
                "code": "4.1.1",
                "label": "Een informatiebeveiligingsbeleid hebben dat is goedgekeurd en ondersteund wordt door het management.",
                "uuid": "81a49bfb-6b4c-44d8-8747-229ebc0a9115"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.1",
                "label": "Een risicomanagementsysteem opzetten.",
                "uuid": "0c1aec74-6216-45a0-94a3-5483ed0b6444"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.2",
                "label": "De informatiebeveiliging zal worden ge\u00efntegreerd in het projectmanagement (veiligheid per ontwerp 'Security by design') om veiligheidsaspecten zo snel mogelijk te integreren.",
                "uuid": "59bf4006-ef36-43f9-aef2-c37035128cad"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.3",
                "label": "Om kennis te actualiseren en de uitwisseling van informatiebeveiligingstrends te bevorderen, zal het noodzakelijk zijn deel te nemen aan gespecialiseerde fora en gebruikersgroepen die zich bezighouden met informatiebeveiliging.",
                "uuid": "13dd88e7-1755-4556-a97a-702d2df01e62"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.4",
                "label": "Om ervoor te zorgen dat deze organisatorische maatregelen worden uitgevoerd, informeert elke organisatie haar personeel en derden die onder haar verantwoordelijkheid werken.",
                "uuid": "f5ba73fc-4450-4cbb-baba-352e303f2136"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.5",
                "label": "Een informatiebeveiliger met een duidelijk mandaat wordt aangewezen en gemandateerd.",
                "uuid": "099aa548-9a92-4bc1-b73a-7e610d755472"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.6",
                "label": "Een dashboard om het beveiligingsniveau te meten en op te volgen aan de hand van de doelstellingen van de strategie van de organisatie.",
                "uuid": "31943510-7424-45e2-8af3-7832b7d1cee9"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.7",
                "label": "Er zullen een gedragscode en goede praktijken voor het gebruik van informatiesystemen worden ontwikkeld, goedgekeurd en gecommuniceerd.",
                "uuid": "2a490b72-5d50-459a-bf61-08828479e076"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.8",
                "label": "Er zal een informatie- en opleidingsplan worden goedgekeurd.",
                "uuid": "30c0e0e1-b670-4513-9fa3-93f18b3ab345"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.9",
                "label": "Taken en verantwoordelijkheden van de verschillende actoren in de informatiebeveiliging identificeren.",
                "uuid": "32c11810-0de4-4141-af57-31f50f3643e3"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.10_AVG",
                "label": "Een risicomanagementsysteem opzetten voor het beheer van persoonsgegevens.",
                "uuid": "8048b05c-0a0c-46ed-9283-ef807790f286"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.11_AVG",
                "label": "Opzetten en beheren van het AVG verwerkingsregister.",
                "uuid": "b7ee51c3-e305-427f-8214-f5488ddb73e3"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.12_AVG",
                "label": "Een functionaris voor gegevensbescherming (DPO) met een duidelijk mandaat wordt aangewezen en gemandateerd.",
                "uuid": "c168c2aa-16b3-4475-8828-d565e2486f8d"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.13_AVG",
                "label": "Dataprotectie zal worden ge\u00efntegreerd in het projectmanagement (gegevensbescherming per ontwerp) om veiligheidsaspecten zo snel mogelijk te integreren.",
                "uuid": "2686475c-8758-483d-be79-e03ecc69c194"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.14_AVG",
                "label": "Om kennis te actualiseren en de uitwisseling van dataprotectietrends te bevorderen, zal het noodzakelijk zijn deel te nemen aan gespecialiseerde fora en informatiekanalen die zich bezighouden met gegevensbescherming.",
                "uuid": "6a70af9b-55d0-4f22-a9f0-92933602f436"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.15_AVG",
                "label": "Om ervoor te zorgen dat de nodige organisatorische maatregelen worden uitgevoerd, informeert elke organisatie haar personeel en derden die onder haar verantwoordelijkheid werken.",
                "uuid": "04384bce-d861-438b-bef9-29d06155f54d"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.16_AVG",
                "label": "Een dashboard om het dataprotectieniveau te meten en op te volgen aan de hand van de doelstellingen van de strategie van de organisatie.",
                "uuid": "5c4754c7-5a19-429c-91a3-7801ea8b70e1"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.17_AVG",
                "label": "Richtlijnen en goede praktijken voor het gebruik van persoonsgegevens worden ontwikkeld, goedgekeurd en gecommuniceerd.",
                "uuid": "6ba6edfa-fa35-450f-a389-042380e0dbdd"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.18_AVG",
                "label": "Er zal een informatie- en opleidingsplan worden goedgekeurd.",
                "uuid": "b275984a-98ff-4bf7-b827-d164766bf046"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.19_AVG",
                "label": "Regels voor de toegang tot gegevens via remote toegang (telewerk) worden bepaald.",
                "uuid": "12815f93-691d-4ba2-a0ab-ccfe52a8d576"
            },
            {
                "category": "Organisatie van beveiliging en data protectie",
                "code": "4.2.20_AVG",
                "label": "De taken en verantwoordelijkheden van de verschillende actoren in de gegevensbescherming identificeren.",
                "uuid": "397482eb-4050-4d6d-84cb-d46a3b5047af"
            },
            {
                "category": "Veiligheid van personeel",
                "code": "4.3.1",
                "label": "Een beleid voor het management van medewerkers (intern en/of extern) zal worden gedefinieerd.",
                "uuid": "f876a183-af81-4cc7-a638-9a242aff2907"
            },
            {
                "category": "Veiligheid van personeel",
                "code": "4.3.2",
                "label": "Arbeidsreglement : er moet een beleid gedefinieerd worden dat duidelijk de verantwoordelijkheden van de organisatie, de interne en externe medewerkers vastlegt wat betreft informatiebeveiliging en dataprotectie.",
                "uuid": "dac32519-a68c-4165-b94f-07c34750e3c6"
            },
            {
                "category": "Veiligheid van personeel",
                "code": "4.3.3_AVG",
                "label": "Het beleid voor werknemers (intern en extern) bevat een goede legale en/of contractuele bescherming van de persoonsgegevens.",
                "uuid": "d93def34-8208-4405-aa81-30dcb1e01536"
            },
            {
                "category": "Veiligheid van personeel",
                "code": "4.3.4_AVG",
                "label": "In de aanwervingsprocedure is er voldoende aandacht gespendeerd aan de bescherming van de persoonsgegevens.",
                "uuid": "9fa0d2da-995d-43a9-9e36-390a4eb670a4"
            },
            {
                "category": "Veiligheid van personeel",
                "code": "4.3.5_AVG",
                "label": "Arbeidsreglement bevat onderdelen voor geheimhoudingsplicht en vertrouwelijkheidsovereenkomst.",
                "uuid": "7cd5b472-2845-4563-9532-800d90c9d379"
            },
            {
                "category": "Bewustmaking, opleiding, training & communicatie",
                "code": "4.4.1",
                "label": "Er zal een opleidings- en trainingsplan worden gedefinieerd, zodat alle medewerkers van de hele organisatie, zowel intern als extern, de nodige informatiebeveiligingsopleiding krijgen, voor zover relevant voor hun functie, en op geregelde tijdstippen op de hoogte worden gehouden van aanpassingen van de richtlijnen en procedures.",
                "uuid": "7b9cf51b-23db-4e76-90c8-58b6bc085ec1"
            },
            {
                "category": "Bewustmaking, opleiding, training & communicatie",
                "code": "4.4.2",
                "label": "Er zal een communicatieplan worden gedefinieerd, zodat alle belanghebbende partijen van de organisatie, zowel intern als extern, de nodige informatiebeveiligingsinformatie ontvangen, voor zover van toepassing, en op geregelde tijdstippen op de hoogte worden gehouden van aanpassingen van de richtlijnen en procedures.",
                "uuid": "d3caa2ec-da72-4ddd-80e8-eefa3bf8a487"
            },
            {
                "category": "Bewustmaking, opleiding, training & communicatie",
                "code": "4.4.3_AVG",
                "label": "Vademecum met GDPR terminologie.",
                "uuid": "08acbdbf-94e0-406b-a5cc-23d9e1c3d623"
            },
            {
                "category": "Bewustmaking, opleiding, training & communicatie",
                "code": "4.4.4_AVG",
                "label": "Er zal een opleidings- en trainingsplan worden gedefinieerd, zodat alle medewerkers van de hele organisatie, zowel intern als extern, op geregelde tijdstippen de nodige opleiding en training krijgen over AVG en dataprotectie, voor zover relevant voor hun functie, en op geregelde tijdstippen op de hoogte worden gehouden van aanpassingen van de richtlijnen en procedures.",
                "uuid": "fe26c4b4-2489-42d0-8cfd-f4f34c51b7ef"
            },
            {
                "category": "Bewustmaking, opleiding, training & communicatie",
                "code": "4.4.5_AVG",
                "label": "Er zal een communicatieplan worden gedefinieerd, zodat alle belanghebbende partijen van de organisatie, zowel intern als extern, de nodige dataprotectie-informatie ontvangen, voor zover van toepassing, en op geregelde tijdstippen op de hoogte worden gehouden van aanpassingen van de richtlijnen en procedures.",
                "uuid": "b2e5e01c-e2d0-4f00-b7ce-2e03183ca93d"
            },
            {
                "category": "Bewustmaking, opleiding, training & communicatie",
                "code": "4.4.6_AVG",
                "label": "Een gegevensbeschermingsverklaring die uitlegt welke gegevens verwerkt worden en op welke manier, en hoe ze beveiligd worden.",
                "uuid": "5d69ff7f-a42a-4efb-b9db-66a8623abcbb"
            },
            {
                "category": "Bewustmaking, opleiding, training & communicatie",
                "code": "4.4.7_AVG",
                "label": "Een communicatie procedure voor het uitoefenen van de rechten van betrokkene.",
                "uuid": "f37be6dd-4170-4309-aefd-eed348b4e0e6"
            },
            {
                "category": "Beheer Activa",
                "code": "4.5.1",
                "label": "Een inventaris van kernactiva, ongeacht de categorie ervan (informatie, gegevens, transmissie, toepassing, netwerken, processen, systemen etc.).",
                "uuid": "dcc264b0-ca6a-4455-beaf-af32a586dc27"
            },
            {
                "category": "Beheer Activa",
                "code": "4.5.2",
                "label": "Er zal een inventaris van informatiesystemen worden bijgehouden.",
                "uuid": "9a749ac1-4cca-4cb8-b4da-67e369512786"
            },
            {
                "category": "Beheer Activa",
                "code": "4.5.3",
                "label": "Een procedure voor het beheer van informatiemiddelen, waarbij rekening wordt gehouden met het belang van de gegevens van de organisatie.",
                "uuid": "bbbf99e4-ec62-4483-97ab-2aa976ebeee7"
            },
            {
                "category": "Beheer Activa",
                "code": "4.5.4",
                "label": "De regels en beveiligingsmaatregelen voor het gebruik van verwijderbare media defini\u00ebren.",
                "uuid": "7791ba79-d8d6-4f1b-86c8-b064a84c4abd"
            },
            {
                "category": "Beheer Activa",
                "code": "4.5.5",
                "label": "Beveiligingsmaatregelen voor gevoelige gegevens en informatiesystemen.",
                "uuid": "f5976522-5ba7-4525-8394-f68b28cea22c"
            },
            {
                "category": "Beheer Activa",
                "code": "4.5.6_AVG",
                "label": "De persoonsgegevens zijn voldoende beschermd op basis van de risico analyse.",
                "uuid": "377456e5-e683-4f14-8d83-a1140b6768bb"
            },
            {
                "category": "Toegangscontrole",
                "code": "4.6.1",
                "label": "Unieke toegang: Duidelijke toegangsregels (beveiligingsmaatregelen, RCA-model) per actief (ruime betekenis) defini\u00ebren",
                "uuid": "b1799296-a0af-445c-a3d7-106432a5f2df"
            },
            {
                "category": "Toegangscontrole",
                "code": "4.6.2",
                "label": "Een register van toegangsbevoegdheden bijhouden en bijwerken.",
                "uuid": "c495ae3b-b020-4f37-b451-893df8350249"
            },
            {
                "category": "Toegangscontrole",
                "code": "4.6.3",
                "label": "Gebruikers worden goed opgeleid en ge\u00efnformeerd over hun taken en verantwoordelijkheden.",
                "uuid": "ba68664c-cd76-4935-b345-20ec7151bbad"
            },
            {
                "category": "Toegangscontrole",
                "code": "4.6.4",
                "label": "Voor elk onderdeel van de inventarisatie (versterkende beveiligingsmaatregelen, rapportage aan een autoriteit) worden de acties gecontroleerd door middel van een logboek, waarvan de toegang beveiligd is en alleen toegankelijk is voor geautoriseerde en ge\u00efdentificeerde personen.",
                "uuid": "c21d9313-0c6e-4065-9c54-280a3308d0b0"
            },
            {
                "category": "Toegangscontrole",
                "code": "4.6.5",
                "label": "Toegangscontrole op persoonsgegevens.",
                "uuid": "227fc9a4-6b46-4fbe-94dd-d327c831af08"
            },
            {
                "category": "Toegangscontrole",
                "code": "4.6.6_AVG",
                "label": "Verificatie identiteit van betrokken persoon bij uitoefenen van rechten.",
                "uuid": "9b9e31e3-9593-4923-93ec-8f4720754fe1"
            },
            {
                "category": "Cryptografie",
                "code": "4.7.1",
                "label": "Als er cryptografische maatregelen worden ge\u00efmplementeerd, zal de organisatie details geven.",
                "uuid": "c71bd225-4f48-4250-9992-aa0abe186a86"
            },
            {
                "category": "Cryptografie",
                "code": "4.7.2",
                "label": "In het algemeen, voor toegang tot essenti\u00eble activa, moet per persoon een toegangscode worden gebruikt. Het delen van toegangscodes is niet toegestaan.",
                "uuid": "7642e697-6e0a-4406-8b7f-86d214e38d43"
            },
            {
                "category": "Cryptografie",
                "code": "4.7.3",
                "label": "Sleutelbeheer.",
                "uuid": "827f4a94-9c5f-4b4b-84dc-6ded671f9921"
            },
            {
                "category": "Cryptografie",
                "code": "4.7.4_AVG",
                "label": "Persoonsgegevens worden voldoende beschermd tijdens opslag, transport en gebruik van persoonsgegevens.",
                "uuid": "2dc077f4-3e78-4f14-9c44-036df86e6f78"
            },
            {
                "category": "Fysieke en milieuveiligheid",
                "code": "4.8.1",
                "label": "Beveiligde ruimten.",
                "uuid": "ef81df57-be4b-415d-baef-83ad2dacc8e0"
            },
            {
                "category": "Fysieke en milieuveiligheid",
                "code": "4.8.2",
                "label": "Bescherming van apparaten.",
                "uuid": "f11b09b9-d660-4b9b-8cde-10ab4b5baf45"
            },
            {
                "category": "Fysieke en milieuveiligheid",
                "code": "4.8.3",
                "label": "Clear screen.",
                "uuid": "0d741d71-f9fe-4ab9-aaa9-941b29ecca78"
            },
            {
                "category": "Fysieke en milieuveiligheid",
                "code": "4.8.4",
                "label": "Clear desk beleid.",
                "uuid": "8a1791ba-a987-485e-a48b-1e88a7789b93"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.1",
                "label": "Voor elke asset is er een login & monitoring met melding van incidenten en getroffen beveiligingsmaatregelen.",
                "uuid": "aafa2f2e-3025-416a-abf6-9d530dba7a2a"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.2",
                "label": "Een inventarisatie van de testomgeving.",
                "uuid": "cb31567d-0cf8-4c19-b7e0-841fd27c8d9c"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.3.1",
                "label": "De minimale technische maatregelen die voor de architectuur worden genomen, zijn: Anti-malware/antivirus moet up-to-date zijn.",
                "uuid": "5f30ce78-ae78-461f-b298-129c7431392b"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.3.2",
                "label": "De minimale technische maatregelen die voor de architectuur worden genomen, zijn: Detectiesysteem voor inbraak of onbevoegde of niet-toegelaten software.",
                "uuid": "685869ab-0728-4c1a-82ac-f3b0da34251e"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.3.3",
                "label": "De minimale technische maatregelen die voor de architectuur worden genomen, zijn: Procedures voor het blokkeren/isoleren van anomalie\u00ebn of niet-geautoriseerde toegang.",
                "uuid": "621a3a62-b90f-4b86-a56d-40f020299ff2"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.3.4",
                "label": "De minimale technische maatregelen die voor de architectuur worden genomen, zijn: Up-to-date hardware & software met pre-testen van nieuwe releases en fall-back-scenario's.",
                "uuid": "1b6889ed-fb66-451c-9cd9-78d802c1416b"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.3.5",
                "label": "De minimale technische maatregelen die voor de architectuur worden genomen, zijn: Incidentmanagement (inclusief communicatie).",
                "uuid": "249fbdf8-395b-4e35-af58-7d209b1585e7"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.3.6",
                "label": "De minimale technische maatregelen die voor de architectuur worden genomen, zijn: Beschikken over back-upprocedures: maken, testen van restauratie.",
                "uuid": "92815303-5986-458e-985b-9990ff26e8c1"
            },
            {
                "category": "Operationele veiligheid",
                "code": "4.9.3.7",
                "label": "De minimale technische maatregelen die voor de architectuur worden genomen, zijn: Beschikken over een procedure met betrekking tot gegevensencryptie.",
                "uuid": "81c71d8c-fdc6-412d-9cca-c7d33089c97f"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "4.10.1",
                "label": "Bij een beveiligingsmaatregel moet rekening worden gehouden met de beveiliging van de informatieoverdracht om ongeoorloofde toegang tot de infrastructuur en gegevens van de organisatie te voorkomen, ongeacht of deze toegang al dan niet vrijwillig is.",
                "uuid": "7b324ca8-0f09-413b-839e-fea3aa5121af"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "4.10.2",
                "label": "Rekening houden met de toegankelijkheid die nodig is voor de systemen van de organisatie.",
                "uuid": "a9e65f83-2877-43ab-9189-bc6c5ca654d8"
            },
            {
                "category": "Aankoop, ontwikkeling en onderhoud van informatiesystemen",
                "code": "4.11.1",
                "label": "Stel voor alle informatiesystemen controles in voor acquisitie, ontwikkeling en onderhoud. Er zal bijzondere aandacht worden besteed aan outsourcing, gebruik van cloud-services of aankoop van producten.",
                "uuid": "e3ce304d-a114-4eb7-a9d5-53dbcce5a188"
            },
            {
                "category": "Aankoop, ontwikkeling en onderhoud van informatiesystemen",
                "code": "4.11.2",
                "label": "Logboek bijhouden.",
                "uuid": "27a4961b-a67f-4da7-a5d7-a6d10c529965"
            },
            {
                "category": "Aankoop, ontwikkeling en onderhoud van informatiesystemen",
                "code": "4.11.3",
                "label": "In het logboek worden ook de beveiligingsmaatregelen vermeld waarvoor de nodige maatregelen zijn getroffen.",
                "uuid": "2ad9e3dc-4d58-4bd2-98ee-3907ac749571"
            },
            {
                "category": "Aankoop, ontwikkeling en onderhoud van informatiesystemen",
                "code": "4.11.4",
                "label": "Procedures implementeren om oplossingen up-to-date te houden en te zorgen voor een geteste back-up-beveiligingsmaatregel voor zowel systemen als gegevens.",
                "uuid": "561da413-a109-4108-8e2a-cac5c6edb126"
            },
            {
                "category": "Aankoop, ontwikkeling en onderhoud van informatiesystemen",
                "code": "4.11.5_AVG",
                "label": "Bij aankoop, ontwikkeling en onderhoud van systemen moeten er processen en procedures gebruikt worden die persoonsgegevens beschermen, zowel bij ontwerp als operationeel beheer.",
                "uuid": "747beed5-104d-4f74-a95c-4fbe708b8f5e"
            },
            {
                "category": "Betrekkingen met derden (leveranciers, autoriteiten)",
                "code": "4.12.1",
                "label": "De contracten tussen de partijen bevatten beveiligingsmaatregelen, opgelegd door de organisatie door wet- en regelgeving (inclusief het AVG, Cyber Act) en die de elementen van controle en toetsing bevatten.",
                "uuid": "3e9d3ded-9f04-44fb-b7fd-9224bdab9ee8"
            },
            {
                "category": "Betrekkingen met derden (leveranciers, autoriteiten)",
                "code": "4.12.2",
                "label": "Bij gebruik van cloud-computing-diensten worden de nodige beveiligingsmaatregelen ingezet die nodig zijn voor de organisatie.",
                "uuid": "0f14c5b8-8a91-4d6f-9ab2-b6456270e43e"
            },
            {
                "category": "Betrekkingen met derden (leveranciers, autoriteiten)",
                "code": "4.12.3_AVG",
                "label": "Erop toezien de relaties met leveranciers en met de autoriteiten te defini\u00ebren.",
                "uuid": "738ad217-4c42-4d69-82d5-dc550114d51b"
            },
            {
                "category": "Geco\u00f6rdineerd bekendmakingsbeleid van kwetsbaarheden (CVDP)",
                "code": "4.13.1",
                "label": "Een CVDP opstellen en onderhouden.",
                "uuid": "55efb31d-8362-45f8-9e1b-2a1e5dba575c"
            },
            {
                "category": "Geco\u00f6rdineerd bekendmakingsbeleid van kwetsbaarheden (CVDP)",
                "code": "4.13.2",
                "label": "Zowel voor interne als externe medewerkers en betrokken personen moet er een procedure bestaan die het mogelijk maakt om verdachte activiteiten te rapporteren.",
                "uuid": "e9978bb5-26a5-491e-99d6-9f85c674ed03"
            },
            {
                "category": "Geco\u00f6rdineerd bekendmakingsbeleid van kwetsbaarheden (CVDP)",
                "code": "4.13.3_AVG",
                "label": "Kennisgeving aan de toezichthoudende autoriteit van een inbreuk op persoonsgegevens",
                "uuid": "a144e735-7e53-4f62-8078-aa9b60675566"
            },
            {
                "category": "Incident management",
                "code": "4.14.1",
                "label": "Een Incident Management Plan dat de taken en verantwoordelijkheden omvat.",
                "uuid": "781fb42c-a5d0-4b51-8ded-a5c81e61baac"
            },
            {
                "category": "Incident management",
                "code": "4.14.2",
                "label": "Elk incident zal worden geanalyseerd om de relevantie van nieuwe beveiligingsmaatregelen te evalueren.",
                "uuid": "04abda3c-6b69-4b30-819b-3e2106bf9fea"
            },
            {
                "category": "Incident management",
                "code": "4.14.3_AVG",
                "label": "Een Incident Management Plan dat de taken en verantwoordelijkheden omvat die de behandeling van inbreuken op persoonsgegevens regelt.",
                "uuid": "4333cba2-7c00-4301-9b5b-0d1b3220b28f"
            },
            {
                "category": "Incident management",
                "code": "4.14_4_AVG",
                "label": "Kennisgeving aan de toezichthoudende autoriteit van een inbreuk op persoonsgegevens.",
                "uuid": "ade66b8c-0eeb-41b9-b4d6-6df1d20aa826"
            },
            {
                "category": "Informatiebeveiligingsaspecten van bedrijfscontinu\u00efteitsbeheer",
                "code": "4.15.1",
                "label": "Voor kritieke systemen of gevoelige gegevens die nodig zijn voor de continu\u00efteit van de organisatie wordt een continu\u00efteitsplan opgesteld.",
                "uuid": "bd3de39d-00f7-4e0f-b693-a0b2d24f7fe1"
            },
            {
                "category": "Informatiebeveiligingsaspecten van bedrijfscontinu\u00efteitsbeheer",
                "code": "4.15.2",
                "label": "Onderhoud van het continu\u00efteitsplan.",
                "uuid": "c6ca06f6-db7b-4721-8de9-091c08db4b94"
            },
            {
                "category": "Informatiebeveiligingsaspecten van bedrijfscontinu\u00efteitsbeheer",
                "code": "4.15.3",
                "label": "Beschermingssysteem dat de confidentialiteit, integriteit en beschikbaarheid van de bedrijfs- en persoonsgegevens garandeert.",
                "uuid": "59b65555-9e9a-489c-b109-fb5a1df18d21"
            },
            {
                "category": "Naleving en opvolging wet- en regelgeving",
                "code": "4.16.1",
                "label": "Naleving van wet- en regelgeving.",
                "uuid": "972b19e7-f686-40ba-abb6-6fb7b21da61c"
            },
            {
                "category": "Naleving en opvolging wet- en regelgeving",
                "code": "4.16.2",
                "label": "Elke organisatie zal erop toezien de relaties met leveranciers en met de autoriteiten te defini\u00ebren.",
                "uuid": "64a3b31e-789c-4663-b6ab-743e226ab946"
            },
            {
                "category": "Naleving en opvolging wet- en regelgeving",
                "code": "4.16.3_AVG",
                "label": "Opvolging van wetgeving en advies die door de betrokken autoriteiten worden uitgevaardigd of aangepast.",
                "uuid": "d41c4056-4595-4325-84f9-10a284a1a530"
            },
            {
                "category": "Evaluatie en controle van de beveiligingsmaatregelen",
                "code": "4.17.1",
                "label": "Elke organisatie organiseert op geregelde tijdstippen een evaluatie van de maatregelen.",
                "uuid": "2a14a2ac-8469-4ee7-a12e-ca6b5aea5562"
            }
        ],
        "version": 2
    },
    {
        "label": "Normes minimales s\u00e9curit\u00e9 de l'information (MNM)",
        "uuid": "a7834009-a391-47ee-ba09-dcc2661d2d95",
        "values": [
            {
                "category": "Principes cl\u00e9s",
                "code": "5.1.1",
                "label": "Toute organisation doit int\u00e9grer les principes cl\u00e9s dans sa politique de s\u00e9curit\u00e9 de l\u2019information.",
                "uuid": "179fef25-18e6-4c6b-8cab-a0b7e99d1b73"
            },
            {
                "category": "Politique de s\u00e9curit\u00e9 de l\u2019information",
                "code": "5.2.1",
                "label": "Information Security Policy",
                "uuid": "983a2145-207d-4299-86d6-204c595c69a6"
            },
            {
                "category": "Politique de s\u00e9curit\u00e9 de l\u2019information",
                "code": "5.2.2",
                "label": "Evaluation des risques",
                "uuid": "6b75904a-f7d1-4fba-8eee-eb1662318dcb"
            }
        ],
        "version": 1
    },
    {
        "authors": [
            "Hanna Lteif"
        ],
        "label": "PSDC v3.1",
        "language": "FR",
        "refs": [
            "http://legilux.public.lu/eli/etat/leg/rgd/2017/09/21/a865/jo"
        ],
        "uuid": "55e7e3f0-2e59-491e-bc92-349a4bc3922a",
        "values": [
            {
                "category": "Politiques de s\u00e9curit\u00e9 de l\u2019information",
                "code": "5.2.1",
                "label": "Politiques de d\u00e9mat\u00e9rialisation ou de conservation",
                "uuid": "8e43a8eb-7868-49d2-a629-5b2b166c86ca"
            },
            {
                "category": "Politiques de s\u00e9curit\u00e9 de l\u2019information",
                "code": "5.2.2",
                "label": "Revue de la politique de d\u00e9mat\u00e9rialisation ou de conservation",
                "uuid": "207cc214-1938-4ae4-b69f-5123d07dab2e"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l\u2019information et des processus de d\u00e9mat\u00e9rialisation ou de conservation",
                "code": "6.1.1",
                "label": "Fonctions et responsabilit\u00e9s li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information et aux processus de d\u00e9mat\u00e9rialisation ou de conservation",
                "uuid": "f5594a4a-5c9d-4fc3-bb67-2283e952a611"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l\u2019information et des processus de d\u00e9mat\u00e9rialisation ou de conservation",
                "code": "6.1.2",
                "label": "S\u00e9paration des t\u00e2ches",
                "uuid": "709b7236-5268-4b71-bff8-ed505f2376ef"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l\u2019information et des processus de d\u00e9mat\u00e9rialisation ou de conservation",
                "code": "6.1.5",
                "label": "La s\u00e9curit\u00e9 de l\u2019information dans la gestion de projet",
                "uuid": "1b5cc8d6-a9e4-4b0a-b9c5-aad0b7d75021"
            },
            {
                "category": "Organisation interne sp\u00e9cifique aux processus de d\u00e9mat\u00e9rialisation et de conservation",
                "code": "6.3.1",
                "label": "V\u00e9rification des documents num\u00e9riques apr\u00e8s d\u00e9mat\u00e9rialisation",
                "uuid": "4ecb54b0-a6aa-46a3-b674-c63665500274"
            },
            {
                "category": "Organisation interne sp\u00e9cifique aux processus de d\u00e9mat\u00e9rialisation et de conservation",
                "code": "6.3.2",
                "label": "Principes du double contr\u00f4le pour la modification ou la suppression d\u2019archives num\u00e9riques",
                "uuid": "07527027-5eb4-4665-806e-da4082725ae6"
            },
            {
                "category": "Organisation interne sp\u00e9cifique aux processus de d\u00e9mat\u00e9rialisation et de conservation",
                "code": "6.3.3",
                "label": "Gestion des preuves",
                "uuid": "16d1b645-7d5f-488e-9fb0-52b652a98ebd"
            },
            {
                "category": "Organisation interne sp\u00e9cifique aux processus de d\u00e9mat\u00e9rialisation et de conservation",
                "code": "6.3.4",
                "label": "Relations avec l\u2019autorit\u00e9 nationale",
                "uuid": "772fa867-6fe2-4762-80ff-4757a853eb0a"
            },
            {
                "category": "Organisation des processus de d\u00e9mat\u00e9rialisation et de conservation impliquant les clients",
                "code": "6.4.1",
                "label": "La s\u00e9curit\u00e9 dans les accords avec le client",
                "uuid": "b63f36e1-1a08-4734-be65-c16eed4b93c3"
            },
            {
                "category": "Organisation des processus de d\u00e9mat\u00e9rialisation et de conservation impliquant les clients",
                "code": "6.4.2",
                "label": "Obligation d\u2019information pr\u00e9alable du client",
                "uuid": "adec2acd-23ff-445a-baf6-e36be8671b28"
            },
            {
                "category": "Organisation des processus de d\u00e9mat\u00e9rialisation et de conservation impliquant les clients",
                "code": "6.4.3",
                "label": "Classification des actifs du client",
                "uuid": "3c58a881-25f1-431e-90ae-790e83d4c5f0"
            },
            {
                "category": "Organisation des processus de d\u00e9mat\u00e9rialisation et de conservation impliquant les clients",
                "code": "6.4.4",
                "label": "Obligation d\u2019information du client en cas de changements ou d\u2019incidents",
                "uuid": "37a57686-d05b-45bb-a030-9a6d35bd5002"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "7.2.4",
                "label": "Engagement vers les politiques",
                "uuid": "888cbcc3-6db0-449d-b5c7-dca7ebdfdde8"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.1.1",
                "label": "Inventaire des actifs",
                "uuid": "7e63016d-60c1-4ed3-958b-eeaa0e7e3099"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.1.2",
                "label": "Propri\u00e9t\u00e9 des actifs",
                "uuid": "eabe1c39-d9c4-4b02-b0ff-3ad77d5b7c5f"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.1.4",
                "label": "Cloisonnement d\u2019informations secr\u00e8tes ou d\u2019informations \u00e0 caract\u00e8re personnel",
                "uuid": "eabefd09-b554-4532-91cd-8fc2e8b833c6"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.2.1",
                "label": "Classification des informations",
                "uuid": "a0709511-2e99-4d95-9aa6-82e00187873d"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.3.2",
                "label": "Mise au rebut des supports",
                "uuid": "81bbde74-7809-423f-b1c6-fb210d9b2831"
            },
            {
                "category": "Contr\u00f4le d\u2019acc\u00e8s",
                "code": "9.1.3",
                "label": "S\u00e9gr\u00e9gation effective li\u00e9e aux droits d\u2019acc\u00e8s",
                "uuid": "e4ebc3c1-2af0-421b-a236-282d05ff7c21"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.1",
                "label": "Politique d\u2019utilisation des mesures cryptographiques",
                "uuid": "2e5831fd-4a0e-4fc9-9cc8-2d1a3c8ef32b"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.3",
                "label": "Authentification \u00e0 deux facteurs",
                "uuid": "a137ffa1-0e21-4bfd-8644-ef2682abcfb4"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.4",
                "label": "Protection de l\u2019int\u00e9grit\u00e9 des documents num\u00e9riques ou des archives num\u00e9riques",
                "uuid": "6063d1ac-0e2b-4a13-be79-c27515f2f28c"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.5",
                "label": "Protection de l\u2019int\u00e9grit\u00e9 des documents internes",
                "uuid": "fc7f5063-c38b-43f9-8b76-329b15348c90"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.6",
                "label": "Signature \u00e9lectronique des documents internes",
                "uuid": "efa37bfd-f020-4618-aa48-b1837a0bb09c"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.7",
                "label": "Protection des transmissions de documents",
                "uuid": "e6a856e3-0e7c-46bb-8be0-4f5cdaaa4f79"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.8",
                "label": "Conservation des signatures \u00e9lectroniques",
                "uuid": "a9ac69a6-c0f5-442c-962f-31958e490084"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.1.7",
                "label": "Accompagnement des visiteurs",
                "uuid": "906b78b1-b7ac-4bfa-8cd1-ad614c743f76"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.1",
                "label": "Emplacement et protection du mat\u00e9riel",
                "uuid": "246fcd93-d57e-4ca8-bf13-e8dfdd4c18d2"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.5",
                "label": "Sortie des actifs",
                "uuid": "a0c72242-6a8f-47b8-afbb-6b910b13839f"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.1.5",
                "label": "Proc\u00e9dures d\u2019exploitation du SDC",
                "uuid": "47768649-7edc-4141-acc7-b185907415f6"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.1",
                "label": "Journalisation des \u00e9v\u00e9nements",
                "uuid": "e1eff0a9-af59-4fb9-94d6-52aae25f99d0"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.3",
                "label": "Journaux administrateur et op\u00e9rateur",
                "uuid": "43431fb4-c6c1-43ed-9957-d051d5c193ca"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.4",
                "label": "Synchronisation des horloges",
                "uuid": "d837858b-fe56-4eab-8f5b-2dac6cacd965"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.5",
                "label": "Exploitabilit\u00e9 des journaux d\u2019\u00e9v\u00e9nements",
                "uuid": "1203c306-3c05-4f10-a410-916b0ed57d6d"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.8.1",
                "label": "Ad\u00e9quation du SDC",
                "uuid": "ea5928b6-649f-48f1-9e83-c9dedc654ec4"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.8.2",
                "label": "Description d\u00e9taill\u00e9e du SDC",
                "uuid": "77191554-8851-4914-834c-1416675d78f6"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.8.3",
                "label": "M\u00e9canismes de s\u00e9curit\u00e9 du SDC",
                "uuid": "51265af3-b83f-4680-b0c4-5d70dce3d587"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.8.4",
                "label": "Supervision des aspects op\u00e9rationnels du SDC",
                "uuid": "f54019e3-657e-448c-8a0c-8a6ba35de3c3"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.8.5",
                "label": "Contr\u00f4le r\u00e9gulier de l'int\u00e9grit\u00e9 du SDC",
                "uuid": "66d8e041-cba3-4536-a1f2-5838f18bfacb"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.1.1",
                "label": "Analyse et sp\u00e9cification des exigences de s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "90351cfa-b8a9-4eba-ad0d-e27b833194d8"
            },
            {
                "category": "Relation avec les fournisseurs",
                "code": "15.1.4",
                "label": "Conditions contractuelles pour les fournisseurs intervenant dans le processus de d\u00e9mat\u00e9rialisation et de conservation",
                "uuid": "2c78971f-9f0b-4730-aecd-5b4fc391e70b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.1",
                "label": "Responsabilit\u00e9s et proc\u00e9dures",
                "uuid": "1f8e8865-032c-4d61-9de1-c7b1a6dd3088"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "17.3.1",
                "label": "Organisation de la continuit\u00e9",
                "uuid": "7b2684cf-881c-48b7-9536-677af7b8b7db"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "17.3.2",
                "label": "Mise en oeuvre de la continuit\u00e9",
                "uuid": "02de269b-c745-4d6f-8e66-0464e50a2ca7"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "17.3.3",
                "label": "V\u00e9rifier, revoir et \u00e9valuer la continuit\u00e9",
                "uuid": "8f87dd7a-c913-40c3-8297-9f48bd3df13a"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.1.3",
                "label": "Protection des enregistrements",
                "uuid": "00d8f557-b34d-4c81-be8d-d3e2caeb8761"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.2.4",
                "label": "Revue ind\u00e9pendante de la conformit\u00e9 du syst\u00e8me et des processus de d\u00e9mat\u00e9rialisation ou de conservation",
                "uuid": "e3d48bd2-a585-4f7d-9fa6-438a7f81716b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.2.5",
                "label": "Revue ind\u00e9pendante de la s\u00e9curit\u00e9 du SDC",
                "uuid": "7bbfec44-526b-457a-aee5-3ba2c336a5a8"
            }
        ],
        "version": 1,
        "version_ext": "PSDC"
    },
    {
        "label": "NIS security measures for OES",
        "language": "EN",
        "refs": [
            "https://www.enisa.europa.eu/publications/mapping-of-oes-security-requirements-to-specific-sectors"
        ],
        "uuid": "3f4a2a67-a1f9-46e1-8d71-7f6486217bb7",
        "values": [
            {
                "category": "Information System Security Governance & Risk Management",
                "code": "1.1.1",
                "label": "Information system security risk analysis",
                "uuid": "030ef936-d0fe-4d6b-9238-e3004f58f7b6"
            },
            {
                "category": "Information System Security Governance & Risk Management",
                "code": "1.1.2",
                "label": "Information system security policy",
                "uuid": "02527779-a76f-42fc-b420-6726099d4241"
            },
            {
                "category": "Information System Security Governance & Risk Management",
                "code": "1.1.3",
                "label": "Information system security accreditation",
                "uuid": "8ead422e-2d73-48e8-82f9-b82fe363d072"
            },
            {
                "category": "Information System Security Governance & Risk Management",
                "code": "1.1.4",
                "label": "Information system security indicators",
                "uuid": "7d1e4532-ddb1-408c-8a9d-ffed0cef3821"
            },
            {
                "category": "Information System Security Governance & Risk Management",
                "code": "1.1.5",
                "label": "Information system security audit",
                "uuid": "d646a78e-68d8-4d60-a01f-455b1a0df4f1"
            },
            {
                "category": "Information System Security Governance & Risk Management",
                "code": "1.1.6",
                "label": "Human resource security",
                "uuid": "cfda8669-f42c-4917-833e-b873110b4380"
            },
            {
                "category": "Information System Security Governance & Risk Management",
                "code": "1.1.7",
                "label": "Asset Management",
                "uuid": "11c11899-6a4d-4937-ae09-fc3dcfdb26f9"
            },
            {
                "category": "Ecosystem management",
                "code": "1.2.1",
                "label": "Ecosystem mapping",
                "uuid": "66b045d6-77a5-426f-afe5-55cac81ac5c8"
            },
            {
                "category": "Ecosystem management",
                "code": "1.2.2",
                "label": "Ecosystem relations",
                "uuid": "26b54bed-01d5-4614-b0ed-907af072b8a9"
            },
            {
                "category": "IT Security Architecture",
                "code": "2.1.1",
                "label": "Systems configuration",
                "uuid": "8e6bf606-42cf-4f85-bedd-5e633d241183"
            },
            {
                "category": "IT Security Architecture",
                "code": "2.1.2",
                "label": "System segregation",
                "uuid": "a3f6ee47-de81-400a-a7dc-79e79fb73729"
            },
            {
                "category": "IT Security Architecture",
                "code": "2.1.3",
                "label": "Traffic filtering",
                "uuid": "7374508b-6114-4219-8834-7b87117fcbf9"
            },
            {
                "category": "IT Security Architecture",
                "code": "2.1.4",
                "label": "Cryptography",
                "uuid": "fd44edba-005b-447c-8612-c0a92cbb0ec6"
            },
            {
                "category": "IT Security Administration",
                "code": "2.2.1",
                "label": "Administration accounts",
                "uuid": "9fa537a3-efc0-4624-aeae-ab975076e1c0"
            },
            {
                "category": "IT Security Administration",
                "code": "2.2.2",
                "label": "Administration information systems",
                "uuid": "4baf165d-b157-4c19-bbd6-ad3ddd5dbe79"
            },
            {
                "category": "Identity and access management",
                "code": "2.3.1",
                "label": "Authentication and identification",
                "uuid": "f5f8ef4a-25f2-4169-b279-424081fc6125"
            },
            {
                "category": "Identity and access management",
                "code": "2.3.2",
                "label": "Access rights",
                "uuid": "6b327343-7f81-4a40-bc46-194cf5aa54df"
            },
            {
                "category": "IT Security Maintenance",
                "code": "2.4.1",
                "label": "IT security maintenance procedure",
                "uuid": "752f00ca-196b-4055-b660-4a09185ce3a7"
            },
            {
                "category": "IT Security Maintenance",
                "code": "2.4.2",
                "label": "Remote access",
                "uuid": "efcb645f-ca20-484d-a3b7-6ef98db907ff"
            },
            {
                "category": "Physical and environmental security",
                "code": "2.5.1",
                "label": "Physical and environmental security",
                "uuid": "157d5514-b3cd-4d31-9bff-560a1a436d96"
            },
            {
                "category": "Detection",
                "code": "3.1.1",
                "label": "Detection",
                "uuid": "725706a3-fa1d-48e1-8458-21974439b34b"
            },
            {
                "category": "Detection",
                "code": "3.1.2",
                "label": "Logging",
                "uuid": "1b9d05fc-e385-4fdb-aa44-54e069a9ea91"
            },
            {
                "category": "Detection",
                "code": "3.1.3",
                "label": "Logs correlation and analysis",
                "uuid": "957b42b2-b3c6-4d0c-b32e-fcc4bea29ffd"
            },
            {
                "category": "Computer Security Incident Management",
                "code": "3.2.1",
                "label": "Information system security incident response",
                "uuid": "f739cbb5-8ed4-4136-b4c0-4fd3edb84cd8"
            },
            {
                "category": "Computer Security Incident Management",
                "code": "3.2.2",
                "label": "Incident Report",
                "uuid": "ea405481-cbe2-4e15-b2a3-f45563e160cc"
            },
            {
                "category": "Computer Security Incident Management",
                "code": "3.2.3",
                "label": "Communication with competent authorities and CSIRTs",
                "uuid": "fbfa7c30-f131-4e9b-9e8a-53ad4b90b164"
            },
            {
                "category": "Continuity of operations",
                "code": "4.1.1",
                "label": "Business continuity management",
                "uuid": "b24b90b0-eeea-4a56-b5ef-2c484467c97a"
            },
            {
                "category": "Continuity of operations",
                "code": "4.1.2",
                "label": "Disaster recovery management",
                "uuid": "f87f15fe-0170-4164-90de-091d9519d140"
            },
            {
                "category": "Crisis management",
                "code": "4.2.1",
                "label": "Crisis management organization",
                "uuid": "0ca52ad9-4570-46be-88ce-d22efd4a145b"
            },
            {
                "category": "Crisis management",
                "code": "4.2.2",
                "label": "Crisis management process",
                "uuid": "e1a91f54-34e4-45c7-8eae-dfc6dee15854"
            }
        ],
        "version": 1
    },
    {
        "label": "NIST SP 800-53",
        "language": "EN",
        "refs": [
            "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft"
        ],
        "uuid": "cfd2cd50-95fa-4143-b0e5-794249bacae1",
        "values": [
            {
                "category": "Access Control",
                "code": "AC-1",
                "label": "Access Control Policy and Procedures",
                "uuid": "ebf10522-0f57-4880-aa73-e28a206b7be4"
            },
            {
                "category": "Access Control",
                "code": "AC-2",
                "label": "Account Management",
                "uuid": "8245e3a6-09ee-488a-880f-8d1b811b2091"
            },
            {
                "category": "Access Control",
                "code": "AC-3",
                "label": "Access Enforcement",
                "uuid": "f3cc0b06-2294-49fe-aca4-3eb929cc87eb"
            },
            {
                "category": "Access Control",
                "code": "AC-4",
                "label": "Information Flow Enforcement",
                "uuid": "e2323e31-d4c5-4f58-8de3-529d41c7fde6"
            },
            {
                "category": "Access Control",
                "code": "AC-5",
                "label": "Separation of Duties",
                "uuid": "35f0172f-4770-4f69-9aa7-8b48a880c85a"
            },
            {
                "category": "Access Control",
                "code": "AC-6",
                "label": "Least Privilege",
                "uuid": "cea02331-b15a-42bb-ae5c-826afb449240"
            },
            {
                "category": "Access Control",
                "code": "AC-7",
                "label": "Unsuccessful Logon Attempts",
                "uuid": "f8e45f26-413c-4c61-be2c-216ec688ecb1"
            },
            {
                "category": "Access Control",
                "code": "AC-8",
                "label": "System Use Notification",
                "uuid": "2006d82c-a148-470f-ad3d-339980bb69b9"
            },
            {
                "category": "Access Control",
                "code": "AC-9",
                "label": "Previous Logon (Access) Notification",
                "uuid": "a06fe04e-e834-42c9-8b4f-d998eb493136"
            },
            {
                "category": "Access Control",
                "code": "AC-10",
                "label": "Concurrent Session Control",
                "uuid": "2feed753-8333-46b9-b4a0-ffd78e6d5f96"
            },
            {
                "category": "Access Control",
                "code": "AC-11",
                "label": "Device Lock",
                "uuid": "48e9827d-60b5-4637-89fa-45dfb4231ff7"
            },
            {
                "category": "Access Control",
                "code": "AC-12",
                "label": "Session Termination",
                "uuid": "db302cfa-325b-4d4d-a6b3-f85618ca4eb6"
            },
            {
                "category": "Access Control",
                "code": "AC-14",
                "label": "Permitted Actions without Identification or Authentication",
                "uuid": "90b4a207-023d-4ac4-a1dd-c5ca32453de2"
            },
            {
                "category": "Access Control",
                "code": "AC-16",
                "label": "Security and Privacy Attributes",
                "uuid": "33d42330-bde6-4964-82c9-fd2eaa07792d"
            },
            {
                "category": "Access Control",
                "code": "AC-17",
                "label": "Remote Access",
                "uuid": "1b2e1483-0a0e-4c84-ad44-42db07d6172f"
            },
            {
                "category": "Access Control",
                "code": "AC-18",
                "label": "Wireless Access",
                "uuid": "5dad70d6-04e6-4ad0-9c32-c565e40329ad"
            },
            {
                "category": "Access Control",
                "code": "AC-19",
                "label": "Access Control for Mobile Devices",
                "uuid": "250001c2-f02d-496c-917e-70034724bfd6"
            },
            {
                "category": "Access Control",
                "code": "AC-20",
                "label": "Use of External Systems",
                "uuid": "fc9d8985-7dea-4b78-b977-7c5ac82e15f2"
            },
            {
                "category": "Access Control",
                "code": "AC-21",
                "label": "Information Sharing",
                "uuid": "5d4dc43c-9c46-4fc5-969b-02a1421acf42"
            },
            {
                "category": "Access Control",
                "code": "AC-22",
                "label": "Publicly Accessible Content",
                "uuid": "81cc10c0-de1e-4317-aae9-304a4c45151e"
            },
            {
                "category": "Access Control",
                "code": "AC-23",
                "label": "Data Mining Protection",
                "uuid": "ccd5e72f-92d7-4824-8caa-9a75209849d2"
            },
            {
                "category": "Access Control",
                "code": "AC-24",
                "label": "Access Control Decisions",
                "uuid": "5493d4a2-bae6-4bdf-ba84-79bbae4fb53b"
            },
            {
                "category": "Access Control",
                "code": "AC-25",
                "label": "Reference Monitor",
                "uuid": "6922787a-2fcb-4cfe-a3bc-a75e7c49fccd"
            },
            {
                "category": "Awareness And Training",
                "code": "AT-1",
                "label": "Awareness and Training Policy and Procedures",
                "uuid": "468658d8-61b8-4757-8c28-d6017337ea91"
            },
            {
                "category": "Awareness And Training",
                "code": "AT-2",
                "label": "Awareness Training",
                "uuid": "3f956648-f1a8-4c8f-9e4b-11e4da8afc6a"
            },
            {
                "category": "Awareness And Training",
                "code": "AT-3",
                "label": "Role-Based Training",
                "uuid": "64694da5-0ca9-44f6-bd94-0dc1fa8f69ea"
            },
            {
                "category": "Awareness And Training",
                "code": "AT-4",
                "label": "Training Records",
                "uuid": "a32e8643-88b7-4fa6-9a25-f67b9236b9d0"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-1",
                "label": "Audit and Accountability Policy and Procedures",
                "uuid": "0de44076-cd30-439a-9375-c7c6692da6b2"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-2",
                "label": "Audit Events",
                "uuid": "8b250e6b-4463-4d55-9241-c99db31a838c"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-3",
                "label": "Content of Audit Records",
                "uuid": "aefeafa5-2f92-4a78-a149-6b00f8a0f9f1"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-4",
                "label": "Audit Storage Capacity",
                "uuid": "6145995f-74e1-4479-ba93-c1cdd9e34f8c"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-5",
                "label": "Response to Audit Processing Failures",
                "uuid": "bcc90c0a-8c92-4e75-ba67-a9dd2a64ca9d"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-6",
                "label": "Audit Review, Analysis, and Reporting",
                "uuid": "cb39be02-c637-4984-ad59-ad1b5afd7609"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-7",
                "label": "Audit Reduction and Report Generation",
                "uuid": "8314aca6-82c0-4955-a6d3-78f41146ef15"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-8",
                "label": "Time Stamps",
                "uuid": "b9383590-e160-4840-b6e7-9476aeb6b8c0"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-9",
                "label": "Protection of Audit Information",
                "uuid": "aff838cd-5392-4620-be39-87c4ae7b6d33"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-10",
                "label": "Non-repudiation",
                "uuid": "52e68421-ebcf-453f-8e42-48813d47dcf6"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-11",
                "label": "Audit Record Retention",
                "uuid": "30ccd853-e570-4c61-98d0-4837692d0654"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-12",
                "label": "Audit Generation",
                "uuid": "67e16eb6-14cb-41a4-aea0-8f0dc7ed1023"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-13",
                "label": "Monitoring for Information Disclosure",
                "uuid": "ca6dc3b4-45ad-4a17-84c2-06fe7de2936e"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-14",
                "label": "Session Audit",
                "uuid": "d447bf80-7c6e-4e16-9f69-a15ed7eafd92"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-15",
                "label": "Alternate Audit Capability",
                "uuid": "43d6e18f-7d4e-43f5-af7f-ea6d07d37299"
            },
            {
                "category": "Audit And Accountability",
                "code": "AU-16",
                "label": "Cross-Organizational Auditing",
                "uuid": "e499f145-1fad-49e2-9403-f50a2a9801e8"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-1",
                "label": "Assessment, Authorization, and Monitoring Policies and Procedures",
                "uuid": "9bc48f7a-6863-421d-96c5-7e7099ef2415"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-2",
                "label": "Assessments",
                "uuid": "1efbb7bc-a9df-41b0-af65-c8c7cc593246"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-3",
                "label": "System Interconnections",
                "uuid": "6c55f12d-0f58-4caf-9c27-91c38d3620e3"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-5",
                "label": "Plan of Action and Milestones",
                "uuid": "0af9100d-df42-4d7e-953d-8c1fd56dff85"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-6",
                "label": "Authorization",
                "uuid": "de31dbbb-4981-4815-acfa-8375989d98cd"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-7",
                "label": "Continuous Monitoring",
                "uuid": "5264169d-4e61-40b7-800e-1998f41af781"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-8",
                "label": "Penetration Testing",
                "uuid": "2080500f-047a-4695-841f-326310fd6a79"
            },
            {
                "category": "Security Assessment And Authorization",
                "code": "CA-9",
                "label": "Internal System Connections",
                "uuid": "063f894b-5f12-4e99-8277-6e21692c977d"
            },
            {
                "category": "Configuration Management",
                "code": "CM-1",
                "label": "Configuration Management Policy and Procedures",
                "uuid": "698ebcc9-cf38-49d4-9a7a-dce61bbff968"
            },
            {
                "category": "Configuration Management",
                "code": "CM-2",
                "label": "Baseline Configuration",
                "uuid": "3b076d55-a168-4e4e-ba44-cac820929399"
            },
            {
                "category": "Configuration Management",
                "code": "CM-3",
                "label": "Configuration Change Control",
                "uuid": "27086d2c-4ed0-4163-89c3-d280559102ea"
            },
            {
                "category": "Configuration Management",
                "code": "CM-4",
                "label": "Security and Privacy Impact Analyses",
                "uuid": "4d738f6e-3999-4a07-97f8-552ef2df77f3"
            },
            {
                "category": "Configuration Management",
                "code": "CM-5",
                "label": "Access Restrictions for Change",
                "uuid": "dce2b6b6-33dd-45b1-9006-e09493aa95e3"
            },
            {
                "category": "Configuration Management",
                "code": "CM-6",
                "label": "Configuration Settings",
                "uuid": "dfeeec44-4cd4-49f8-8a41-2c03f786f818"
            },
            {
                "category": "Configuration Management",
                "code": "CM-7",
                "label": "Least Functionality",
                "uuid": "d0557646-d1eb-4d79-8670-b1cdaf1072be"
            },
            {
                "category": "Configuration Management",
                "code": "CM-8",
                "label": "System Component Inventory",
                "uuid": "36ae972c-4543-4548-8946-47cb651ed0ef"
            },
            {
                "category": "Configuration Management",
                "code": "CM-9",
                "label": "Configuration Management Plan",
                "uuid": "b53a00fb-054c-4f9e-8aff-69ad91c1dcb8"
            },
            {
                "category": "Configuration Management",
                "code": "CM-10",
                "label": "Software Usage Restrictions",
                "uuid": "8ccaf96b-99b1-4677-be72-1e072cc26ebd"
            },
            {
                "category": "Configuration Management",
                "code": "CM-11",
                "label": "User-Installed Software",
                "uuid": "0e0864af-bd66-4012-b7ea-75ee7a57ef0b"
            },
            {
                "category": "Configuration Management",
                "code": "CM-12",
                "label": "Information Location",
                "uuid": "50310b7b-0a4b-4572-998c-5954f7d6750e"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-1",
                "label": "Contingency Planning Policy and Procedures",
                "uuid": "c1aa25a1-a0cf-483d-8b7d-44725cd3f6ed"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-2",
                "label": "Contingency Plan",
                "uuid": "4f08538a-9f7d-422f-aaae-0949bf39c028"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-3",
                "label": "Contingency Training",
                "uuid": "a3a1db7e-c1e1-409d-aa9a-e4b4ca925be6"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-4",
                "label": "Contingency Plan Testing",
                "uuid": "4c98569b-ec41-4758-b8a3-5bd75b56d38b"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-6",
                "label": "Alternate Storage Site",
                "uuid": "60a84903-025a-40c5-9cf6-dad960e55cf1"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-7",
                "label": "Alternate Processing Site",
                "uuid": "1dfd046a-a422-4089-9fda-c141e865042a"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-8",
                "label": "Telecommunications Services",
                "uuid": "01096bf7-a45e-40d9-851e-72a6b8d7344a"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-9",
                "label": "System Backup",
                "uuid": "5cdd85f2-15b0-4c61-b3d4-66f4ba9114c8"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-10",
                "label": "System Recovery and Reconstitution",
                "uuid": "5ba61017-362e-411b-929d-c76c27358660"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-11",
                "label": "Alternate Communications Protocols",
                "uuid": "b705c1c5-aee2-4cb0-9f55-f045fc627f34"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-12",
                "label": "Safe Mode",
                "uuid": "b827b7db-76ee-4fda-b193-3004feef59e0"
            },
            {
                "category": "Contingency Planning",
                "code": "CP-13",
                "label": "Alternative Security Mechanisms",
                "uuid": "5278ff6f-473b-4a2c-8234-1a6a3198c701"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-1",
                "label": "Identification and Authentication Policy and Procedures",
                "uuid": "99e77822-723b-4a08-8ee0-4c73ad494db7"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-2",
                "label": "Identification and Authentication (Organizational Users)",
                "uuid": "b82eba2f-bbf7-4390-aa9e-e35ccae691ba"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-3",
                "label": "Device Identification and Authentication",
                "uuid": "e37e0d76-3ea8-49e4-b65b-a5e2645a902a"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-4",
                "label": "Identifier Management",
                "uuid": "23ab9d48-396c-4f20-9344-e6a6bd2439a2"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-5",
                "label": "Authenticator Management",
                "uuid": "d0c5fc8d-1e95-4e70-bdfd-f31d368af8f0"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-6",
                "label": "Authenticator Feedback",
                "uuid": "1bf6a2b8-b728-49a2-953f-0a965d966db1"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-7",
                "label": "Cryptographic Module Authentication",
                "uuid": "7c68c0c2-fea5-44d1-8580-5170edd92e22"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-8",
                "label": "Identification and Authentication (Non-Organizational Users)",
                "uuid": "df6812ce-357b-44ae-8979-a663a85fa687"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-9",
                "label": "Service Identification and Authentication",
                "uuid": "17a82de8-0490-4100-a4fb-2ad9af49d594"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-10",
                "label": "Adaptive Authentication",
                "uuid": "f0b81b68-372d-4ced-9c6b-7d8ae3da799c"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-11",
                "label": "Re-authentication",
                "uuid": "625e343d-7aa1-46e1-939b-50f5b8f5f5b4"
            },
            {
                "category": "Identification And Authentication",
                "code": "IA-12",
                "label": "Identity Proofing",
                "uuid": "c183aff2-8e42-439c-9392-d6823321ec9e"
            },
            {
                "category": "Individual Participation",
                "code": "IP-1",
                "label": "Individual Participation Policy and Procedures",
                "uuid": "b41dacdb-78d6-4744-bcae-5a46b95cfe04"
            },
            {
                "category": "Individual Participation",
                "code": "IP-2",
                "label": "Consent",
                "uuid": "4123ace0-da01-431c-997c-bd03e3319f36"
            },
            {
                "category": "Individual Participation",
                "code": "IP-3",
                "label": "Redress",
                "uuid": "72eed0db-aa5a-4677-899f-b56d01187c6e"
            },
            {
                "category": "Individual Participation",
                "code": "IP-4",
                "label": "Privacy Notice",
                "uuid": "d351c523-45f7-405c-aa9e-eb4289dea021"
            },
            {
                "category": "Individual Participation",
                "code": "IP-5",
                "label": "Privacy Act Statement",
                "uuid": "90b76f4c-10ec-4530-a7c8-b3d488d8886d"
            },
            {
                "category": "Individual Participation",
                "code": "IP-6",
                "label": "Individual Access",
                "uuid": "67e6c588-aea1-47c7-a34e-e04bf91df582"
            },
            {
                "category": "Incident Response",
                "code": "IR-1",
                "label": "Incident Response Policy and Procedures",
                "uuid": "74b14d2d-6320-4ac9-9b74-d93177dd4329"
            },
            {
                "category": "Incident Response",
                "code": "IR-2",
                "label": "Incident Response Training",
                "uuid": "1476a1d4-f1f5-42ae-93a6-1227a89cb3e3"
            },
            {
                "category": "Incident Response",
                "code": "IR-3",
                "label": "Incident Response Testing",
                "uuid": "e8449cab-54ae-4bd4-8b6e-de2820e8ec4b"
            },
            {
                "category": "Incident Response",
                "code": "IR-4",
                "label": "Incident Handling",
                "uuid": "3e0e9ea8-db9d-4825-b76a-17859f2f8e67"
            },
            {
                "category": "Incident Response",
                "code": "IR-5",
                "label": "Incident Monitoring",
                "uuid": "10213f53-5179-42f2-beb6-1364872d983d"
            },
            {
                "category": "Incident Response",
                "code": "IR-6",
                "label": "Incident Reporting",
                "uuid": "69e93c59-0239-4bc8-8d5f-d2c65c706f46"
            },
            {
                "category": "Incident Response",
                "code": "IR-7",
                "label": "Incident Response Assistance",
                "uuid": "54802539-1d62-43c3-8f7e-8c7e03087812"
            },
            {
                "category": "Incident Response",
                "code": "IR-8",
                "label": "Incident Response Plan",
                "uuid": "c2260bd5-161f-4fb9-8496-0de50c2c3440"
            },
            {
                "category": "Incident Response",
                "code": "IR-9",
                "label": "Information Spillage Response",
                "uuid": "e1211579-cdf4-4357-ba8a-3a5c46401837"
            },
            {
                "category": "Incident Response",
                "code": "IR-10",
                "label": "Integrated Information Security Analysis Team",
                "uuid": "a781d945-be41-4457-aef9-5f1757031940"
            },
            {
                "category": "Maintenance",
                "code": "MA-1",
                "label": "System Maintenance Policy and Procedures",
                "uuid": "7fb408ab-f358-489d-be81-5b9395da78a7"
            },
            {
                "category": "Maintenance",
                "code": "MA-2",
                "label": "Controlled Maintenance",
                "uuid": "9d4a3657-457f-4223-adfe-d0b2df91ffc3"
            },
            {
                "category": "Maintenance",
                "code": "MA-3",
                "label": "Maintenance Tools",
                "uuid": "508b0a74-cd81-4a65-b2c1-bb4c193adc53"
            },
            {
                "category": "Maintenance",
                "code": "MA-4",
                "label": "Nonlocal Maintenance",
                "uuid": "a8768b25-29ff-4b0a-a61e-89a2dacb2ff8"
            },
            {
                "category": "Maintenance",
                "code": "MA-5",
                "label": "Maintenance Personnel",
                "uuid": "be8d5a19-945d-4b26-9499-790193e65b06"
            },
            {
                "category": "Maintenance",
                "code": "MA-6",
                "label": "Timely Maintenance",
                "uuid": "9368a916-1fac-4dd2-b621-751ef4483a72"
            },
            {
                "category": "Media Protection",
                "code": "MP-1",
                "label": "Media Protection Policy and Procedures",
                "uuid": "bcc51690-d12c-41a8-bd76-6aae187a8afc"
            },
            {
                "category": "Media Protection",
                "code": "MP-2",
                "label": "Media Access",
                "uuid": "14555491-0f15-428b-9ecd-836c6307675c"
            },
            {
                "category": "Media Protection",
                "code": "MP-3",
                "label": "Media Marking",
                "uuid": "70ccf1af-4cad-443a-9dcd-9b49c4b6aec8"
            },
            {
                "category": "Media Protection",
                "code": "MP-4",
                "label": "Media Storage",
                "uuid": "50272033-eb78-4309-84e0-303320d75b87"
            },
            {
                "category": "Media Protection",
                "code": "MP-5",
                "label": "Media Transport",
                "uuid": "025d84e9-5612-404e-acf4-5d860c01a73c"
            },
            {
                "category": "Media Protection",
                "code": "MP-6",
                "label": "Media Sanitization",
                "uuid": "b0779c7f-7db2-4af2-ab93-5c000a889408"
            },
            {
                "category": "Media Protection",
                "code": "MP-7",
                "label": "Media Use",
                "uuid": "cc087e48-874b-4953-adcc-96fac3f19306"
            },
            {
                "category": "Media Protection",
                "code": "MP-8",
                "label": "Media Downgrading",
                "uuid": "b6ed1637-26e3-4278-9552-89601f278d8c"
            },
            {
                "category": "Privacy Authorization",
                "code": "PA-1",
                "label": "Privacy Authorization Policy and Procedures",
                "uuid": "5b92c7ee-202b-4de8-983c-74937b86b48f"
            },
            {
                "category": "Privacy Authorization",
                "code": "PA-2",
                "label": "Authority to Collect",
                "uuid": "ee9525ea-a06f-4862-b6c8-c09fa266ea38"
            },
            {
                "category": "Privacy Authorization",
                "code": "PA-3",
                "label": "Purpose Specification",
                "uuid": "dc814dd1-359d-4245-839c-5a1cdd6e1bad"
            },
            {
                "category": "Privacy Authorization",
                "code": "PA-4",
                "label": "Information Sharing With External Parties",
                "uuid": "f7c64768-dc70-4e4d-b121-58f41bfde7c6"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-1",
                "label": "Physical and Environmental Protection Policy and Procedures",
                "uuid": "c1738677-3cae-4833-97b4-f2f3c04dd5e0"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-2",
                "label": "Physical Access Authorizations",
                "uuid": "e3d43ffd-1286-42c0-98fa-0e2e75d233e7"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-3",
                "label": "Physical Access Control",
                "uuid": "06679cfa-1bfd-436a-b99d-698fb275dfdb"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-4",
                "label": "Access Control for Transmission",
                "uuid": "f1dc5cba-17a8-4bee-aad0-d6b0ca84124d"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-5",
                "label": "Access Control for Output Devices",
                "uuid": "e8ed7158-ffc1-44a4-8673-80286ad97b36"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-6",
                "label": "Monitoring Physical Access",
                "uuid": "e48c2a77-93da-4afb-bde7-7bd957196286"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-8",
                "label": "Visitor Access Records",
                "uuid": "b3ee40ae-b296-4e88-9033-cb669e98f11c"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-9",
                "label": "Power Equipment and Cabling",
                "uuid": "7c9127dc-e0e8-4a6f-9cf9-82f5a7b18f37"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-10",
                "label": "Emergency Shutoff",
                "uuid": "990ee3a7-3044-4c8f-8387-946a7a9aba76"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-11",
                "label": "Emergency Power",
                "uuid": "6d3fbb99-fa7d-4c65-9c5f-928044a5840f"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-12",
                "label": "Emergency Lighting",
                "uuid": "5cf67afa-7a43-4dd4-b1db-dd28862a689c"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-13",
                "label": "Fire Protection",
                "uuid": "51e4fd6c-0aa8-4604-b13d-bf74c9706922"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-14",
                "label": "Temperature and Humidity Controls",
                "uuid": "9dda0a30-be3d-4752-867d-bf9570971c52"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-15",
                "label": "Water Damage Protection",
                "uuid": "6448f036-bdb2-4f21-8e30-0acf8073215d"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-16",
                "label": "Delivery and Removal",
                "uuid": "de6195c6-1fc1-423a-a748-785653c9324f"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-17",
                "label": "Alternate Work Site",
                "uuid": "aead24db-a196-4daf-a099-60b1d1991d70"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-18",
                "label": "Location of System Components",
                "uuid": "53ae3aa9-d88e-4f55-a040-375cfe348c48"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-19",
                "label": "Information Leakage",
                "uuid": "244cbc08-55d5-46ea-ba28-aec72f16b337"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-20",
                "label": "Asset Monitoring and Tracking",
                "uuid": "2fd70998-9247-4efd-923d-276f5c76b3b9"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-21",
                "label": "Electromagnetic Pulse Protection",
                "uuid": "b3523d09-add6-4b33-aa3e-6f780d83a9d6"
            },
            {
                "category": "Physical And Environmental Protection",
                "code": "PE-22",
                "label": "Component Marking",
                "uuid": "cd7d903b-0282-4895-8501-47b568183e97"
            },
            {
                "category": "Planning",
                "code": "PL-1",
                "label": "Planning Policy and Procedures",
                "uuid": "3c492512-da9f-4112-a76a-3e5cb0400e6f"
            },
            {
                "category": "Planning",
                "code": "PL-2",
                "label": "Security and Privacy Plans",
                "uuid": "8047a1c6-e890-4817-982d-04fcdc2820a2"
            },
            {
                "category": "Planning",
                "code": "PL-4",
                "label": "Rules of Behavior",
                "uuid": "7b481f8c-2485-40a8-aee7-03b39721e103"
            },
            {
                "category": "Planning",
                "code": "PL-7",
                "label": "Concept of Operations",
                "uuid": "7f388f12-77ec-47bf-b816-79cb42086b09"
            },
            {
                "category": "Planning",
                "code": "PL-8",
                "label": "Security and Privacy Architectures",
                "uuid": "3bffd1eb-e6a7-47ad-927a-0d679048ed5a"
            },
            {
                "category": "Planning",
                "code": "PL-9",
                "label": "Central Management",
                "uuid": "5b9bdfcc-3150-4c4a-8b08-386d9a829585"
            },
            {
                "category": "Planning",
                "code": "PL-10",
                "label": "Baseline Selection",
                "uuid": "5df5007e-c8cd-4cc8-845b-0d0bb0daf66f"
            },
            {
                "category": "Planning",
                "code": "PL-11",
                "label": "Baseline Tailoring",
                "uuid": "828560f0-7ac9-4960-aed9-6d618173a663"
            },
            {
                "category": "Program Management",
                "code": "PM-1",
                "label": "Information Security Program Plan",
                "uuid": "3ceb9dfc-c9e2-4cb6-830d-8170d53d5b05"
            },
            {
                "category": "Program Management",
                "code": "PM-2",
                "label": "Information Security Program Roles",
                "uuid": "293ebc1c-0452-41f8-ab14-101846241a47"
            },
            {
                "category": "Program Management",
                "code": "PM-3",
                "label": "Information Security and Privacy Resources",
                "uuid": "898d7024-6d3f-4d9a-868f-34ea1e451801"
            },
            {
                "category": "Program Management",
                "code": "PM-4",
                "label": "Plan of Action and Milestones Process",
                "uuid": "08327040-541f-40b4-a1cc-815d9298afe0"
            },
            {
                "category": "Program Management",
                "code": "PM-5",
                "label": "System Inventory",
                "uuid": "515fb4c4-2a45-47b7-9a7a-5878f1bbad9c"
            },
            {
                "category": "Program Management",
                "code": "PM-6",
                "label": "Measures of Performance",
                "uuid": "d5a60a37-684d-4b4b-b8a2-7d03814ff70d"
            },
            {
                "category": "Program Management",
                "code": "PM-7",
                "label": "Enterprise Architecture",
                "uuid": "ecefd9da-a07c-41c2-9397-017e878bdb67"
            },
            {
                "category": "Program Management",
                "code": "PM-8",
                "label": "Critical Infrastructure Plan",
                "uuid": "2d2a7dc6-2770-4897-ac0b-492e7ddd24ed"
            },
            {
                "category": "Program Management",
                "code": "PM-9",
                "label": "Risk Management Strategy",
                "uuid": "44b2a62a-6bc7-4474-b618-f1bc15e9798f"
            },
            {
                "category": "Program Management",
                "code": "PM-10",
                "label": "Authorization Process",
                "uuid": "ec1457b8-d116-45a4-8c61-5b8ddba8a2b9"
            },
            {
                "category": "Program Management",
                "code": "PM-11",
                "label": "Mission and Business Process Definition",
                "uuid": "9a4b8ede-d722-44b8-a04f-ae78cbd266ab"
            },
            {
                "category": "Program Management",
                "code": "PM-12",
                "label": "Insider Threat Program",
                "uuid": "9a9f32cf-d951-4909-98fe-c6a936af3913"
            },
            {
                "category": "Program Management",
                "code": "PM-13",
                "label": "Security and Privacy Workforce",
                "uuid": "b395f91d-24a4-4720-8534-3b491bb41002"
            },
            {
                "category": "Program Management",
                "code": "PM-14",
                "label": "Testing, Training, and Monitoring",
                "uuid": "8ff7acc4-c71b-4e1d-89f3-0c7db4a5055f"
            },
            {
                "category": "Program Management",
                "code": "PM-15",
                "label": "Contacts with Groups and Associations",
                "uuid": "e1219fd8-9db2-4297-99da-63be2b433aa8"
            },
            {
                "category": "Program Management",
                "code": "PM-16",
                "label": "Threat Awareness Program",
                "uuid": "9dd48833-5045-4e37-aa9a-2b69ee11739d"
            },
            {
                "category": "Program Management",
                "code": "PM-17",
                "label": "Protecting Controlled Unclassified Information on External Systems",
                "uuid": "e25168b6-fb5b-4ae7-a14c-6afc86246348"
            },
            {
                "category": "Program Management",
                "code": "PM-18",
                "label": "Privacy Program Plan",
                "uuid": "ab16520f-0c45-404d-8852-df2722a96412"
            },
            {
                "category": "Program Management",
                "code": "PM-19",
                "label": "Privacy Program Roles",
                "uuid": "8e3958aa-59c3-4c3e-9cf0-1283d783ec46"
            },
            {
                "category": "Program Management",
                "code": "PM-20",
                "label": "System of Records Notice",
                "uuid": "3585bbce-5c3b-4a2a-8a53-5c4af9467365"
            },
            {
                "category": "Program Management",
                "code": "PM-21",
                "label": "Dissemination of Privacy Program Information",
                "uuid": "41ad2d98-3dc5-4167-a8cf-869b3b53c495"
            },
            {
                "category": "Program Management",
                "code": "PM-22",
                "label": "Accounting of Disclosures",
                "uuid": "d7d3d288-cd67-40ea-871a-4aa256262dbf"
            },
            {
                "category": "Program Management",
                "code": "PM-23",
                "label": "Data Quality Management",
                "uuid": "a43a957c-c1ce-462f-87b8-bcb962a26991"
            },
            {
                "category": "Program Management",
                "code": "PM-24",
                "label": "Data Management Board",
                "uuid": "9c603ddb-5850-42a9-85bd-641667182bed"
            },
            {
                "category": "Program Management",
                "code": "PM-25",
                "label": "Data Integrity Board",
                "uuid": "54ca56bb-3a0e-47b9-8cdb-b28976481e54"
            },
            {
                "category": "Program Management",
                "code": "PM-26",
                "label": "Minimization of Personally Identifiable Information",
                "uuid": "e2aa9575-d1f9-440c-a3ae-72f79489dd3c"
            },
            {
                "category": "Program Management",
                "code": "PM-27",
                "label": "Individual Access Control",
                "uuid": "ce8a976a-536a-44ea-bb8b-bcf28a6931c8"
            },
            {
                "category": "Program Management",
                "code": "PM-28",
                "label": "Complaint Management",
                "uuid": "15f0293a-cef3-4c58-a6cf-725f0ea044c5"
            },
            {
                "category": "Program Management",
                "code": "PM-29",
                "label": "Inventory of Personally Identifiable Information",
                "uuid": "7f02ee88-5118-467b-bffc-c6176276db0a"
            },
            {
                "category": "Program Management",
                "code": "PM-30",
                "label": "Privacy Reporting",
                "uuid": "a6ae4db0-5f77-4e60-ae47-fa721623bcdb"
            },
            {
                "category": "Program Management",
                "code": "PM-31",
                "label": "Supply Chain Risk Management Plan",
                "uuid": "da890a6a-f2be-44f2-b3f2-4ac8e84cd66a"
            },
            {
                "category": "Program Management",
                "code": "PM-32",
                "label": "Risk Framing",
                "uuid": "2c4575a5-0d0a-40f7-8b8f-8a1c1a67b1e4"
            },
            {
                "category": "Personnel Security",
                "code": "PS-1",
                "label": "Personnel Security Policy and Procedures",
                "uuid": "3e6cdfcd-14f3-4b34-a6d4-62d677332806"
            },
            {
                "category": "Personnel Security",
                "code": "PS-2",
                "label": "Position Risk Designation",
                "uuid": "fd87a967-2217-418d-8378-b0773b7ca356"
            },
            {
                "category": "Personnel Security",
                "code": "PS-3",
                "label": "Personnel Screening",
                "uuid": "22faa4a0-2027-4150-8176-c77e84e3f03d"
            },
            {
                "category": "Personnel Security",
                "code": "PS-4",
                "label": "Personnel Termination",
                "uuid": "4d28a85e-20d2-4186-995e-de48a90eebb4"
            },
            {
                "category": "Personnel Security",
                "code": "PS-5",
                "label": "Personnel Transfer",
                "uuid": "db5781c8-b759-47de-9862-27b2d3c2b568"
            },
            {
                "category": "Personnel Security",
                "code": "PS-6",
                "label": "Access Agreements",
                "uuid": "012149b7-7c59-4220-83bf-d6879a886f20"
            },
            {
                "category": "Personnel Security",
                "code": "PS-7",
                "label": "External Personnel Security",
                "uuid": "54db3434-c9cc-4a09-90a0-7e94aa29ae61"
            },
            {
                "category": "Personnel Security",
                "code": "PS-8",
                "label": "Personnel Sanctions",
                "uuid": "4b7824ea-dc4e-4938-9ebd-36b865f88585"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-1",
                "label": "Risk Assessment Policy and Procedures",
                "uuid": "675a9b3f-8abe-4b6f-948e-b701c2a02a84"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-2",
                "label": "Security Categorization",
                "uuid": "e30e5bc6-c3f4-4714-9c0a-6aed3e4daa6d"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-3",
                "label": "Risk Assessment",
                "uuid": "8a174f26-95ff-41dd-8042-039189065395"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-5",
                "label": "Vulnerability Scanning",
                "uuid": "9e62441a-c6d5-4707-a835-6230dc5b0d53"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-6",
                "label": "Technical Surveillance Countermeasures Survey",
                "uuid": "8bc26841-e02d-4eb6-9842-fbd30b5a9e6a"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-7",
                "label": "Risk Response",
                "uuid": "f19db716-460e-44f8-a2d2-304cbbe54b73"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-8",
                "label": "Privacy Impact Assessment",
                "uuid": "e54190a1-12f2-46d1-b36b-0e7b49b85e43"
            },
            {
                "category": "Risk Assessment",
                "code": "RA-9",
                "label": "Criticality Analysis",
                "uuid": "a6a327ee-3850-4c6c-8828-03cbe4ac83df"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-1",
                "label": "System and Services Acquisition Policy and Procedures",
                "uuid": "53cbe570-60ce-4aba-9f32-f7cfce6fdc56"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-2",
                "label": "Allocation of Resources",
                "uuid": "54613df0-e745-4205-a828-827aca596814"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-3",
                "label": "System Development Life Cycle",
                "uuid": "d6871e86-4df5-4d80-8529-3ec214940b69"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-4",
                "label": "Acquisition Process",
                "uuid": "729aa83b-a59b-48a0-b0a0-c592402dcae7"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-5",
                "label": "System Documentation",
                "uuid": "d32c4960-9581-4717-9a02-690d61709153"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-8",
                "label": "Security and Privacy Engineering Principles",
                "uuid": "6fd6cc79-208a-4f2c-8a05-9adae75fd255"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-9",
                "label": "External System Services",
                "uuid": "64f93d70-568f-404a-a049-b7f37598ec66"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-10",
                "label": "Developer Configuration Management",
                "uuid": "769c7460-a4d0-45f3-a36e-4b8347526278"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-11",
                "label": "Developer Testing and Evaluation",
                "uuid": "cd6f1fb6-d9ee-40c8-bc00-8b485185cf15"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-12",
                "label": "Supply Chain Risk Management",
                "uuid": "9df48cd7-7ec8-4ac6-9563-68087e9c49d6"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-15",
                "label": "Development Process, Standards, and Tools",
                "uuid": "650ec6f8-fbad-4fe7-a0db-62d3861a5372"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-16",
                "label": "Developer-Provided Training",
                "uuid": "6c3aaa6d-9e7c-4dd3-b753-ba11c11ae5a6"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-17",
                "label": "Developer Security Architecture and Design",
                "uuid": "95f027c8-c84f-474f-bd23-872f96e00dc9"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-18",
                "label": "Tamper Resistance and Detection",
                "uuid": "280c9bba-f2e4-401f-911a-cdab227ac433"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-19",
                "label": "Component Authenticity",
                "uuid": "bf85f2a4-2b80-4ae9-b4b5-5c2084c04061"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-20",
                "label": "Customized Development of Critical Components",
                "uuid": "6a025dc5-0215-4e6d-a637-554dadeee055"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-21",
                "label": "Developer Screening",
                "uuid": "7277cac1-5813-4356-b108-72fe5263f8c3"
            },
            {
                "category": "System And Services Acquisition",
                "code": "SA-22",
                "label": "Unsupported System Components",
                "uuid": "b39366a0-a64c-4b2f-b414-3798db55ecbd"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-1",
                "label": "System and Communications Protection Policy and Procedures",
                "uuid": "11fe35fa-d904-4137-9961-307097961e0c"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-2",
                "label": "Application Partitioning",
                "uuid": "48a48a13-9de4-4284-adba-4dbdca2ff535"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-3",
                "label": "Security Function Isolation",
                "uuid": "44defc1c-50d1-43a3-9ffe-c85213ef031a"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-4",
                "label": "Information in Shared System Resources",
                "uuid": "bfd580de-f47b-43b4-9470-7416ff778c72"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-5",
                "label": "Denial of Service Protection",
                "uuid": "f929ec71-03e0-40a2-92eb-4078894a18a2"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-6",
                "label": "Resource Availability",
                "uuid": "76c33e82-04e2-4ee5-88c6-40939d8349a7"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-7",
                "label": "Boundary Protection",
                "uuid": "a6586afd-bc0f-4334-88da-615989665368"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-8",
                "label": "Transmission Confidentiality and Integrity",
                "uuid": "583129dc-d3e3-49c3-8ee9-3fbf18e020de"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-10",
                "label": "Network Disconnect",
                "uuid": "09932f73-e48b-4d2b-bced-733f4039902e"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-11",
                "label": "Trusted Path",
                "uuid": "282a9038-ea94-420f-bbaf-fe4abc7addce"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-12",
                "label": "Cryptographic Key Establishment and Management",
                "uuid": "6726eb21-52f9-4922-a1d6-50c098ddba74"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-13",
                "label": "Cryptographic Protection",
                "uuid": "edd532b7-577e-441b-820c-3b73fbd11c79"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-15",
                "label": "Collaborative Computing Devices and Applications",
                "uuid": "d44c41d6-5fa9-4fac-9751-a8236a103c35"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-16",
                "label": "Transmission of Security and Privacy Attributes",
                "uuid": "35964415-2e6b-4a69-b04b-5e0208872f56"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-17",
                "label": "Public Key Infrastructure Certificates",
                "uuid": "c2f67a16-dc82-4d43-a71b-63e2143f9b73"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-18",
                "label": "Mobile Code",
                "uuid": "6f766bc2-750a-4249-89c9-39cf288143d5"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-19",
                "label": "Voice Over Internet Protocol",
                "uuid": "a33021fe-acc7-43cb-9556-8d0ccfe41cf1"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-20",
                "label": "Secure Name / Address Resolution Service (Authoritative Source)",
                "uuid": "4797690e-c2e2-4106-878e-14d789fe1b06"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-21",
                "label": "Secure Name / Address Resolution Service (Recursive or Caching Resolver)",
                "uuid": "6938d14b-381c-4077-9505-7c33c62b6e34"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-22",
                "label": "Architecture and Provisioning for Name / Address Resolution Service",
                "uuid": "ac363e88-daae-4198-aa53-f704e103ef02"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-23",
                "label": "Session Authenticity",
                "uuid": "d80f59b0-9c5f-4ca8-b18f-9e07f791e66e"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-24",
                "label": "Fail in Known State",
                "uuid": "a3829b6b-d219-4f77-9da6-528349ddd6e4"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-25",
                "label": "Thin Nodes",
                "uuid": "6eadc9b8-2337-4847-ace5-f68686199ee7"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-26",
                "label": "Honeypots",
                "uuid": "61ba9758-69d7-4794-a425-187b9ab3750e"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-27",
                "label": "Platform-Independent Applications",
                "uuid": "65261ecf-bb17-4e63-af33-46b0084bb27a"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-28",
                "label": "Protection of Information at Rest",
                "uuid": "a35f7748-5868-46cd-9dea-b4e87fde8311"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-29",
                "label": "Heterogeneity",
                "uuid": "d9e23dad-dcf3-4def-86e9-5af6a6d631ce"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-30",
                "label": "Concealment and Misdirection",
                "uuid": "84eca642-948e-466e-91cf-509f6f4b74fa"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-31",
                "label": "Covert Channel Analysis",
                "uuid": "716c6729-ab0f-4334-a9e6-278dea6a702b"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-32",
                "label": "System Partitioning",
                "uuid": "41ba0004-50a7-44bb-9ca4-5f84ce06e4c0"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-34",
                "label": "Non-Modifiable Executable Programs",
                "uuid": "158f92a7-c6fe-4f88-bf35-b6ea4163ff28"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-35",
                "label": "Honeyclients",
                "uuid": "d7baf2e4-8155-4e33-aa3b-4474252c4de4"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-36",
                "label": "Distributed Processing and Storage",
                "uuid": "f3a16482-f15d-49ea-b206-b3f7400513fd"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-37",
                "label": "Out-of-Band Channels",
                "uuid": "108a06d5-4b5d-4728-9823-d106445d8880"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-38",
                "label": "Operations Security",
                "uuid": "cb78c641-26f3-4a31-bcec-ab7ffdeafef2"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-39",
                "label": "Process Isolation",
                "uuid": "be303727-2dc9-4e23-a026-282fa8012ed6"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-40",
                "label": "Wireless Link Protection",
                "uuid": "714ae5c2-00a0-4163-b949-699dfd3ab8a0"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-41",
                "label": "Port and I/O Device Access",
                "uuid": "f98811b7-6972-4372-96b0-4f13bb8d49d6"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-42",
                "label": "Sensor Capability and Data",
                "uuid": "d6dbd662-e58c-4422-b591-d7b0be5d73fd"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-43",
                "label": "Usage Restrictions",
                "uuid": "b5a7b5c7-6c5b-4014-b30c-6fe8325b564c"
            },
            {
                "category": "System And Communications Protection",
                "code": "SC-44",
                "label": "Detonation Chambers",
                "uuid": "d8aa0a75-a5b2-4556-9664-5b1d5ea7419c"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-1",
                "label": "System and Information Integrity Policy and Procedures",
                "uuid": "96e2a11b-1b39-4903-be42-374102c930df"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-2",
                "label": "Flaw Remediation",
                "uuid": "83caa43e-7179-4477-8665-66d47d058417"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-3",
                "label": "Malicious Code Protection",
                "uuid": "15dfbe37-4a2d-4df7-b00c-f558524b561c"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-4",
                "label": "System Monitoring",
                "uuid": "d4546ede-ed2f-4bbc-a485-150bbdb4e9c2"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-5",
                "label": "Security Alerts, Advisories, and Directives",
                "uuid": "3d9c8de5-f6f2-4a5d-8093-74849dc24a82"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-6",
                "label": "Security and Privacy Function Verification",
                "uuid": "fa2d6a81-6a4e-41c7-91da-9024f91a7685"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-7",
                "label": "Software, Firmware, and Information Integrity",
                "uuid": "b4f2c588-db91-4ad4-8122-9d3805a8a54a"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-8",
                "label": "Spam Protection",
                "uuid": "8cf0e5df-fb43-4dd0-a65e-d635d5902ffc"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-10",
                "label": "Information Input Validation",
                "uuid": "b3fef043-6788-406c-857f-788a044344a3"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-11",
                "label": "Error Handling",
                "uuid": "16a412c2-2f76-4b61-917b-cb5372626bb2"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-12",
                "label": "Information Handling and Retention",
                "uuid": "2fd75399-324e-40ed-9a82-80089816f398"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-13",
                "label": "Predictable Failure Prevention",
                "uuid": "1f5c3fc5-4d27-4018-9f49-ca7edc61d5b4"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-14",
                "label": "Non-Persistence",
                "uuid": "fc3d8c4c-8ced-4f4a-8ad0-a1ae01b35a21"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-15",
                "label": "Information Output Filtering",
                "uuid": "039e5e9e-19cf-436b-b4fd-d0cfa4547110"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-16",
                "label": "Memory Protection",
                "uuid": "9e1e9b36-aa61-4d54-a07c-2c74c341282c"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-17",
                "label": "Fail-Safe Procedures",
                "uuid": "f2787cae-deb0-4090-9ed7-866b15d96df2"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-18",
                "label": "Information Disposal",
                "uuid": "bf1d6c37-e1e1-4c78-8055-79a364219193"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-19",
                "label": "Data Quality Operations",
                "uuid": "bca47b93-453b-47d8-8527-16c4fdd8f6e5"
            },
            {
                "category": "System And Information Integrity",
                "code": "SI-20",
                "label": "De-Identification",
                "uuid": "5c1413f5-14f3-48bc-b371-5fda85e52cb8"
            }
        ],
        "version": 5
    },
    {
        "authors": [
            "The MONARC project"
        ],
        "label": "NIST Core",
        "language": "EN",
        "refs": [
            "https://www.nist.gov/cyberframework/framework"
        ],
        "uuid": "fcf78560-3d12-42ba-8f4a-5761ca02ac94",
        "values": [
            {
                "category": "Asset Management (ID.AM)",
                "code": "1_ID.AM-1",
                "label": "Physical devices and systems within the organization are inventoried",
                "uuid": "231fc2b1-80c2-450e-9d80-f804f5a8984c"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1_ID.AM-2",
                "label": "Software platforms and applications within the organization are inventoried",
                "uuid": "f4f7466f-0ae6-4867-a2ee-6be4e1f02329"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1_ID.AM-3",
                "label": "Organizational communication and data flows are mapped",
                "uuid": "b0cebf68-a023-40af-ba24-e59bd4a45c90"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1_ID.AM-4",
                "label": "External information systems are catalogued",
                "uuid": "57e92f7c-f5ed-4611-a1be-d7f4e1456f9c"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1_ID.AM-5",
                "label": "Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value",
                "uuid": "50fc2488-b730-48ae-abf8-93e60f141404"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1_ID.AM-6",
                "label": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established",
                "uuid": "766520fa-3439-4382-babc-eb7d9d6b1f52"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1_ID.BE-1",
                "label": "The organization\u2019s role in the supply chain is identified and communicated",
                "uuid": "46555297-7af1-4d59-ac07-6e627aef4dda"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1_ID.BE-2",
                "label": "The organization\u2019s place in critical infrastructure and its industry sector is identified and communicated",
                "uuid": "63f9f527-2c63-4fda-acda-7ebcf3025873"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1_ID.BE-3",
                "label": "Priorities for organizational mission, objectives, and activities are established and communicated",
                "uuid": "1a422e41-50fc-4c74-b1e4-e3d40b7c82f3"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1_ID.BE-4",
                "label": "Dependencies and critical functions for delivery of critical services are established",
                "uuid": "eaa4fb9d-e687-41a0-8d4b-1ca972bed10a"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1_ID.BE-5",
                "label": "Resilience requirements to support delivery of critical services are established",
                "uuid": "75942c69-3336-4e82-bf59-515aaa6e3513"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1_ID.GV-1",
                "label": "Organizational information security policy is established",
                "uuid": "7a4074cc-5b40-486a-9a52-6b49be7f95e6"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1_ID.GV-2",
                "label": "Information security roles & responsibilities are coordinated and aligned with internal roles and external partners",
                "uuid": "29613b2e-8def-417e-85fa-31aa5ef5de3b"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1_ID.GV-3",
                "label": "Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed",
                "uuid": "4e2499c0-d23d-4977-9e9f-6323af31be24"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1_ID.GV-4",
                "label": "Governance and risk management processes address cybersecurity risks",
                "uuid": "d2e86e2d-5bec-42a2-b642-69995b6abcf0"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1_ID.RA-1",
                "label": "Asset vulnerabilities are identified and documented",
                "uuid": "cc6aad46-1887-4da6-93e3-c707be07b9f5"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1_ID.RA-2",
                "label": "Threat and vulnerability information is received from information sharing forums and sources",
                "uuid": "0550c268-534a-4311-920d-84466e4865c4"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1_ID.RA-3",
                "label": "Threats, both internal and external, are identified and documented",
                "uuid": "1bad7834-b740-48ff-8450-5792b55614db"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1_ID.RA-4",
                "label": "Potential business impacts and likelihoods are identified",
                "uuid": "7c09a9bf-407c-4509-94c0-af8314fc3b86"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1_ID.RA-5",
                "label": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk",
                "uuid": "6d0bfd47-88dc-484a-aed8-196eaa12c4db"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1_ID.RA-6",
                "label": "Risk responses are identified and prioritized",
                "uuid": "98ce2a28-d424-4436-8c41-2ec0e8d563fa"
            },
            {
                "category": "Risk Management Strategy (ID.RM)",
                "code": "1_ID.RM-1",
                "label": "Risk management processes are established, managed, and agreed to by organizational stakeholders",
                "uuid": "e384f897-1b70-49a5-8491-24c035e1451f"
            },
            {
                "category": "Risk Management Strategy (ID.RM)",
                "code": "1_ID.RM-2",
                "label": "Organizational risk tolerance is determined and clearly expressed",
                "uuid": "7a9f7d35-6714-4182-ae88-d9ff575224a6"
            },
            {
                "category": "Risk Management Strategy (ID.RM)",
                "code": "1_ID.RM-3",
                "label": "The organization\u2019s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis",
                "uuid": "97331ab3-3365-4fb0-894c-578c460720fa"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1_ID.SC-1",
                "label": "Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders",
                "uuid": "03dee2e6-285f-44e4-acc5-2388f62584a5"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1_ID.SC-2",
                "label": "Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process",
                "uuid": "b9d19a14-74ab-46ae-8456-189d1a180dbf"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1_ID.SC-3",
                "label": "Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization\u2019s cybersecurity program and Cyber Supply Chain Risk Management Plan.",
                "uuid": "1e5aa8d3-b1e9-43e0-9e7e-54bdadac89ea"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1_ID.SC-4",
                "label": "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.",
                "uuid": "f6d606f5-9a22-4a53-87c1-ebe36f4fe939"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1_ID.SC-5",
                "label": "Response and recovery planning and testing are conducted with suppliers and third-party providers",
                "uuid": "aa988775-7261-412e-bbee-bfd90db78a59"
            },
            {
                "category": "Access Control (PR.AC)",
                "code": "2_PR.AC-1",
                "label": "Identities and credentials are managed for authorized devices and users",
                "uuid": "a6b301ed-e0c1-467d-8e42-e2796c64b785"
            },
            {
                "category": "Access Control (PR.AC)",
                "code": "2_PR.AC-2",
                "label": "Physical access to assets is managed and protected",
                "uuid": "382fe4f1-9f05-4169-a343-2c961a8cf359"
            },
            {
                "category": "Access Control (PR.AC)",
                "code": "2_PR.AC-3",
                "label": "Remote access is managed",
                "uuid": "7ec8092e-3e41-43e0-a8b2-c42b980dd29b"
            },
            {
                "category": "Access Control (PR.AC)",
                "code": "2_PR.AC-4",
                "label": "Access permissions are managed, incorporating the principles of least privilege and separation of duties",
                "uuid": "8feec5e9-c2b2-465b-8fa3-8b65b6a09fcb"
            },
            {
                "category": "Access Control (PR.AC)",
                "code": "2_PR.AC-5",
                "label": "Network integrity is protected, incorporating network segregation where appropriate",
                "uuid": "800fc6f9-e574-4152-89e6-30bae7da4adc"
            },
            {
                "category": "Access Control (PR.AC)",
                "code": "2_PR.AC-6",
                "label": "Identities are proofed and bound to credentials and asserted in interactions",
                "uuid": "d44d0823-1523-457a-b028-6ea0da3adb34"
            },
            {
                "category": "Access Control (PR.AC)",
                "code": "2_PR.AC-7",
                "label": "Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019 security and privacy risks and other organizational risks)",
                "uuid": "14aab29b-4760-4f32-ad21-06367a8ea05e"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2_PR.AT-1",
                "label": "All users are informed and trained",
                "uuid": "01d259f0-ece0-4f7c-91bf-d09844c576cc"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2_PR.AT-2",
                "label": "Privileged users understand roles & responsibilities",
                "uuid": "6386d5df-56f8-46ad-b181-e870491004a5"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2_PR.AT-3",
                "label": "Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities",
                "uuid": "4879e4fb-cd0e-4968-8dd2-4b6dbe977cdc"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2_PR.AT-4",
                "label": "Senior executives understand roles & responsibilities",
                "uuid": "987e9304-80fd-4470-b8b4-213f41a0a957"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2_PR.AT-5",
                "label": "Physical and information security personnel understand roles & responsibilities",
                "uuid": "92a81683-1877-48d3-9d5a-c7c0ddd9852b"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-1",
                "label": "Data-at-rest is protected",
                "uuid": "d798a390-f23a-4bbc-abe5-588ab58811c6"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-2",
                "label": "Data-in-transit is protected",
                "uuid": "38022045-6812-4623-8409-7a9d6b3f7ce8"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-3",
                "label": "Assets are formally managed throughout removal, transfers, and disposition",
                "uuid": "acfea27c-c6d5-421a-9ae4-2db82610cc41"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-4",
                "label": "Adequate capacity to ensure availability is maintained",
                "uuid": "e4380999-3c82-4b85-86cd-86f1f37f97ab"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-5",
                "label": "Protections against data leaks are implemented",
                "uuid": "e760c443-e572-43cb-bf5b-8aeb3b42ef65"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-6",
                "label": "Integrity checking mechanisms are used to verify software, firmware, and information integrity",
                "uuid": "e5b116b5-b806-4863-92ba-d8c2f477813b"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-7",
                "label": "The development and testing environment(s) are separate from the production environment",
                "uuid": "6604ef4c-a1d7-43d2-90e4-d2b8d97d880f"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2_PR.DS-8",
                "label": "Integrity checking mechanisms are used to verify hardware integrity",
                "uuid": "892d5462-ee77-4379-ab88-a78f3eff45c1"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-1",
                "label": "A baseline configuration of information technology/industrial control systems is created and maintained",
                "uuid": "30a7a092-3e00-4d33-aec2-66d019c2ff03"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-2",
                "label": "A System Development Life Cycle to manage systems is implemented",
                "uuid": "7cd438b8-038b-4f1f-a431-a1a1a83e009c"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-3",
                "label": "Configuration change control processes are in place",
                "uuid": "6f6442e8-952b-4a13-9e97-7c233a7b2a1c"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-4",
                "label": "Backups of information are conducted, maintained, and tested periodically",
                "uuid": "2e411d93-1836-4dbc-baf1-a747d2a9915a"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-5",
                "label": "Policy and regulations regarding the physical operating environment for organizational assets are met",
                "uuid": "f01b50b8-0e54-4f8f-afee-0ec56f788a42"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-6",
                "label": "Data is destroyed according to policy",
                "uuid": "0fd12bc3-c80d-4baa-bc1b-a7fbfb152f86"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-7",
                "label": "Protection processes are continuously improved",
                "uuid": "bb1c6655-a3fc-4d43-8e1b-50f5e418c1aa"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-8",
                "label": "Effectiveness of protection technologies is shared with appropriate parties",
                "uuid": "ac4be007-d8cb-4da5-9a84-118c2841a6f5"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-9",
                "label": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed",
                "uuid": "4fe097cd-e0c0-4698-a209-43ffb553a279"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-10",
                "label": "Response and recovery plans are tested",
                "uuid": "e4f85702-5874-4361-beec-45d00b379c5b"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-11",
                "label": "Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)",
                "uuid": "4279b240-b560-4632-a557-9af1322930fd"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2_PR.IP-12",
                "label": "A vulnerability management plan is developed and implemented",
                "uuid": "48d2b0ff-ebc0-445b-8f20-3ae47d43242c"
            },
            {
                "category": "Maintenance (PR.MA)",
                "code": "2_PR.MA-1",
                "label": "Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools",
                "uuid": "6da92eea-2f74-458f-a643-361df7ea9f2f"
            },
            {
                "category": "Maintenance (PR.MA)",
                "code": "2_PR.MA-2",
                "label": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access",
                "uuid": "831f20de-eadb-44a7-82f3-fcb116d8cb69"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2_PR.PT-1",
                "label": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy",
                "uuid": "3dcdd5d1-48e8-4b66-8567-65e0f0c8be4a"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2_PR.PT-2",
                "label": "Removable media is protected and its use restricted according to policy",
                "uuid": "0f278ef8-3a97-4e0e-bc30-66d530bdea47"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2_PR.PT-3",
                "label": "Access to systems and assets is controlled, incorporating the principle of least functionality",
                "uuid": "02cc6244-c9d8-4db1-aeb3-a05933207c9d"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2_PR.PT-4",
                "label": "Communications and control networks are protected",
                "uuid": "6b2a7cc7-c35a-4020-92d8-5935e1229676"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2_PR.PT-5",
                "label": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations",
                "uuid": "3e3e542a-67b2-4a77-b09b-9dc9b977cd8e"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3_DE.AE-1",
                "label": "A baseline of network operations and expected data flows for users and systems is established and managed",
                "uuid": "24ac8920-3747-45bb-b9d1-1ca0d1d84d3f"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3_DE.AE-2",
                "label": "Detected events are analyzed to understand attack targets and methods",
                "uuid": "69f50c12-9eab-4305-be4f-97a2002ccc0c"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3_DE.AE-3",
                "label": "Event data are aggregated and correlated from multiple sources and sensors",
                "uuid": "31dc508e-664e-4173-8757-00ec985115c8"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3_DE.AE-4",
                "label": "Impact of events is determined",
                "uuid": "3f6e72ed-2984-452d-badd-5563acbf0450"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3_DE.AE-5",
                "label": "Incident alert thresholds are established",
                "uuid": "52d551ef-7334-45a3-9dd7-0b8d239ba1f6"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-1",
                "label": "The network is monitored to detect potential cybersecurity events",
                "uuid": "9b355a55-73ce-4d55-8016-d93e3c555a55"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-2",
                "label": "The physical environment is monitored to detect potential cybersecurity events",
                "uuid": "dec6cf8c-1714-45f4-bfd2-23a049fb9b35"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-3",
                "label": "Personnel activity is monitored to detect potential cybersecurity events",
                "uuid": "a8f83595-0327-4e24-9557-0e8d9b82856f"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-4",
                "label": "Malicious code is detected",
                "uuid": "70e202bf-2270-4daf-8fb5-4f6fb10de979"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-5",
                "label": "Unauthorized mobile code is detected",
                "uuid": "54eeaae4-2b82-43ce-9a61-40d453116d8d"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-6",
                "label": "External service provider activity is monitored to detect potential cybersecurity events",
                "uuid": "bbb99e89-ee33-46fc-bc03-1582631210c4"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-7",
                "label": "Monitoring for unauthorized personnel, connections, devices, and software is performed",
                "uuid": "e4f36efd-2e64-4ee8-9fd1-af2bec0b68d0"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3_DE.CM-8",
                "label": "Vulnerability scans are performed",
                "uuid": "ebc0b0f8-4403-481f-be4a-7f35ae3cb6be"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3_DE.DP-1",
                "label": "Roles and responsibilities for detection are well defined to ensure accountability",
                "uuid": "48a13f85-a811-43fa-a0e8-89f67fb2743f"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3_DE.DP-2",
                "label": "Detection activities comply with all applicable requirements",
                "uuid": "f9d1a926-5d39-4123-8b83-a94c21ff18e5"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3_DE.DP-3",
                "label": "Detection processes are tested",
                "uuid": "23e4c883-c358-4b64-8d7e-249c67b7f1f2"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3_DE.DP-4",
                "label": "Event detection information is communicated to appropriate parties",
                "uuid": "025611cb-8431-4a9c-a88c-039141472418"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3_DE.DP-5",
                "label": "Detection processes are continuously improved",
                "uuid": "ad0458f2-c836-4c7d-9d8f-6333fc6af2e9"
            },
            {
                "category": "Response Planning (RS.RP)",
                "code": "4_RS.RP-1",
                "label": "Response plan is executed during or after an event",
                "uuid": "b237b4b1-a21a-4122-b4c8-e068ad58ef21"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4_RS.CO-1",
                "label": "Personnel know their roles and order of operations when a response is needed",
                "uuid": "cce52cf2-aa85-4f33-8cb8-b0508f452c25"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4_RS.CO-2",
                "label": "Events are reported consistent with established criteria",
                "uuid": "30ff804b-d8e2-44da-a49e-bb1a39e5f81a"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4_RS.CO-3",
                "label": "Information is shared consistent with response plans",
                "uuid": "2d88bd60-ff72-40cc-a2b4-ae7c9cbd2a68"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4_RS.CO-4",
                "label": "Coordination with stakeholders occurs consistent with response plans",
                "uuid": "34a2e449-b69d-4f75-a548-8c5faee598b5"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4_RS.CO-5",
                "label": "Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness",
                "uuid": "bb37f7e5-ff5d-4b9a-a621-dfb26f3fccaf"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4_RS.AN-1",
                "label": "Notifications from detection systems are investigated",
                "uuid": "e6ab0d96-2ced-445d-a19f-97710b2cc346"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4_RS.AN-2",
                "label": "The impact of the incident is understood",
                "uuid": "0c7c3558-9c78-4bcc-816b-9123c899b653"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4_RS.AN-3",
                "label": "Forensics are performed",
                "uuid": "cf3d3d41-f0d5-4eb9-b6c5-537d72ea645a"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4_RS.AN-4",
                "label": "Incidents are categorized consistent with response plans",
                "uuid": "1ea30a61-92f4-4ae0-a349-3f947bf0dc94"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4_RS.AN-5",
                "label": "Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)",
                "uuid": "83c3ab70-566c-4bbe-a3b8-940d9fbb5ad7"
            },
            {
                "category": "Mitigation (RS.MI)",
                "code": "4_RS.MI-1",
                "label": "Incidents are contained",
                "uuid": "2736e702-38ef-439d-9e8b-989ef56f8735"
            },
            {
                "category": "Mitigation (RS.MI)",
                "code": "4_RS.MI-2",
                "label": "Incidents are mitigated",
                "uuid": "e94941eb-31da-40e0-b944-07c43233e7c0"
            },
            {
                "category": "Mitigation (RS.MI)",
                "code": "4_RS.MI-3",
                "label": "Newly identified vulnerabilities are mitigated or documented as accepted risks",
                "uuid": "0de24c0a-53cb-4481-9b8d-fccc252e4f03"
            },
            {
                "category": "Improvements (RS.IM)",
                "code": "4_RS.IM-1",
                "label": "Response plans incorporate lessons learned",
                "uuid": "01314572-becc-4780-945f-9ed3a40af900"
            },
            {
                "category": "Improvements (RS.IM)",
                "code": "4_RS.IM-2",
                "label": "Response strategies are updated",
                "uuid": "f0753789-bcc3-4f66-9bb5-b6179bb367de"
            },
            {
                "category": "Recovery Planning (RC.RP)",
                "code": "5_RC.RP-1",
                "label": "Recovery plan is executed during or after an event",
                "uuid": "0d124100-372e-429b-9e2f-d12211f005e1"
            },
            {
                "category": "Improvements (RC.IM)",
                "code": "5_RC.IM-1",
                "label": "Recovery plans incorporate lessons learned",
                "uuid": "52ab8937-c260-4cf3-a807-ce1381afa4c9"
            },
            {
                "category": "Improvements (RC.IM)",
                "code": "5_RC.IM-2",
                "label": "Recovery strategies are updated",
                "uuid": "421b5608-0f1d-4de5-b646-ff9538f8493f"
            },
            {
                "category": "Communications (RC.CO)",
                "code": "5_RC.CO-1",
                "label": "Public relations are managed",
                "uuid": "771e3059-9eb4-4313-94b4-f0e8fa102498"
            },
            {
                "category": "Communications (RC.CO)",
                "code": "5_RC.CO-2",
                "label": "Reputation after an event is repaired",
                "uuid": "ecde2384-2cdb-46cc-9a15-37ea9ee175ee"
            },
            {
                "category": "Communications (RC.CO)",
                "code": "5_RC.CO-3",
                "label": "Recovery activities are communicated to internal stakeholders and executive and management teams",
                "uuid": "c8de5e1f-7893-42b3-852d-fa4f79bc68fa"
            }
        ],
        "version": 1,
        "version_ext": "1.1"
    },
    {
        "authors": [
            "Jeremy Dannenmuller"
        ],
        "label": "ISO/IEC 27701 [2019]",
        "language": "EN",
        "refs": "https://www.iso.org/standard/71670.html",
        "uuid": "f65b378c-ab20-4651-825b-4da34944b519",
        "values": [
            {
                "category": "Information security aspects of business continuity management",
                "code": "6.14.2.1",
                "label": "Availability of information processing facilities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "00cb20cc-21a0-417a-9782-ed6587f1d6f5"
            },
            {
                "category": "Information security policies",
                "code": "6.2.1.1",
                "label": "Policies for information security",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0225b44b-be7a-4cce-a4db-1d804e4d47c8"
            },
            {
                "category": "Improvement",
                "code": "5.8.2",
                "label": "Continual improvement",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "029a9fae-c6a4-4b3c-8487-2ed20996a951"
            },
            {
                "category": "Communication security",
                "code": "6.10.2.3",
                "label": "Electronic messaging",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0320a79e-6c9f-45e3-90a0-c360e8f57b45"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.8",
                "label": "Change of subcontractor to process PII",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0637458d-cb4d-47aa-9553-d3e86757aaaa"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.1.3",
                "label": "Securing offices, rooms and facilities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "066dee47-1f12-4243-94bd-a89fbde7fd31"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.3",
                "label": "Determine when and how consent is to be obtained",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "06c65ef3-fc74-4e9f-b923-bc4b8da06454"
            },
            {
                "category": "Asset Management",
                "code": "6.5.1.2",
                "label": "Ownership of Assets",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "06eed3d5-8e62-42ff-a727-aee4d27a21a3"
            },
            {
                "category": "Access control",
                "code": "6.6.2.2",
                "label": "User access provisioning",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0769cff8-adbc-4d3a-921d-622fbce40473"
            },
            {
                "category": "Organisation of information security",
                "code": "6.3.1.2",
                "label": "Segregation of duties",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "085873ce-e760-40cd-80a4-6f402785696f"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.2",
                "label": "Determining information for PII principals",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "087dde64-823a-495c-92ec-8a282577821f"
            },
            {
                "category": "Context of the organization",
                "code": "5.2.4",
                "label": "Information security management system",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0af7c1ab-dad9-4aa2-aefb-4e5dbf4805c7"
            },
            {
                "category": "Access control",
                "code": "6.6.4.2",
                "label": "Secure log-on procedures",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0d503be4-a66d-4f49-b960-a987f6aface6"
            },
            {
                "category": "Organisation of information security",
                "code": "6.3.1.5",
                "label": "Information security in project management",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0e6f5f89-2755-4448-8183-da973df45b83"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.1",
                "label": "Basis for PII transfer between jurisdictions",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0f6b0b0e-403e-4695-9c32-8bdd4ad17718"
            },
            {
                "category": "Asset Management",
                "code": "6.5.1.1",
                "label": "Inventory of Assets",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "0fd4927b-596a-42f6-b155-052785edbfc5"
            },
            {
                "category": "Operations security",
                "code": "6.9.1.3",
                "label": "Capacity management",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "103a6955-e9f8-4b66-91ba-bf2cc0e0e8fe"
            },
            {
                "category": "Compliance",
                "code": "6.15.1.2",
                "label": "Intellectual property rights",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1285dd9e-108d-4ecf-bccf-8a3f4807963a"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "B.8.4.3",
                "label": "PII transmission controls",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1416da16-528c-45f4-b1b9-6a305ae1c81f"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.6",
                "label": "Secure Development Environment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "16b30180-3754-43da-8bdb-9528fc5e6cde"
            },
            {
                "category": "Asset Management",
                "code": "6.5.1.4",
                "label": "Return of Assets",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "18c97f9e-20c9-48a4-b1db-b3ba08a6fd4a"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.8",
                "label": "System security testing",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "190024e1-afae-4346-b094-9f84f6d2e759"
            },
            {
                "category": "Human resources security",
                "code": "6.4.1.2",
                "label": "Terms and conditions of employment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "19e032bb-b8b3-40a1-b976-4ac29f8ef613"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.6",
                "label": "Temporary files",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1ad68deb-f72a-4f4c-816b-fb755544777e"
            },
            {
                "category": "Compliance",
                "code": "6.15.2.2",
                "label": "Compliance with security policies and standards",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1bdbc783-3069-42f5-a4f7-745c0290be02"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.2",
                "label": "System change control procedures",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1d0c7281-35c6-403c-9c9b-40e9826e73e3"
            },
            {
                "category": "Compliance",
                "code": "6.15.1.5",
                "label": "Regulation of cryptographic controls",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1d6c8b29-418c-4a68-89e8-55ce63bed691"
            },
            {
                "category": "Access control",
                "code": "6.6.2.1",
                "label": "User registration and de-registration",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1ee8390e-ebeb-4253-ae87-49358ff8730f"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.4",
                "label": "Obtain and record consent",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1f597457-a336-4e09-b660-2a680154b8b0"
            },
            {
                "category": "Support",
                "code": "5.5.1",
                "label": "Resources",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "1fc549c9-c0dd-407a-9648-c3fe0869bc67"
            },
            {
                "category": "Access control",
                "code": "6.6.4.5",
                "label": "Access control to program source code",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "203fb144-2604-4162-b5c9-f40d22ba2fee"
            },
            {
                "category": "Information security incident management",
                "code": "6.13.1.7",
                "label": "Collection of evidence",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "238e2cbd-9c07-4f08-b2f5-1f43df4a4c11"
            },
            {
                "category": "Improvement",
                "code": "5.8.1",
                "label": "Nonconformity and corrective action",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "256ae75a-a97f-46c8-b022-e4525a52c177"
            },
            {
                "category": "Access control",
                "code": "6.6.2.4",
                "label": "Management of secret authentication information of users",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "27b2e55d-2709-4a74-b75f-89ffa80b0096"
            },
            {
                "category": "Actions to address risks and opportunities",
                "code": "5.4.1.2",
                "label": "Information Security Risk Assessment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "28849802-7b7e-46dd-b720-b2bc4db6a67b"
            },
            {
                "category": "Organisation of information security",
                "code": "6.3.1.4",
                "label": "Contact with special interest groups",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "2a8bce28-154e-4d0d-b829-fee0cd93f861"
            },
            {
                "category": "Information security aspects of business continuity management",
                "code": "6.14.1.3",
                "label": "Verify, review and evaluate information security continuity",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "2a93cf52-ffa5-4da5-85b2-ad39d456cb0d"
            },
            {
                "category": "Information security policies",
                "code": "6.2.1.2",
                "label": "Review of the policies for information security",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "2abce681-3b58-4c4f-ae56-03eba536e201"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.1.4",
                "label": "Protecting against external and environmental threats",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "2c979e09-e057-4cb5-b6b7-800842783110"
            },
            {
                "category": "Compliance",
                "code": "6.15.2.1",
                "label": "Independent review of information security",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "2f712e97-a7bc-40cb-9552-216fd30ef148"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "B.8.4.2",
                "label": "Return, transfer or disposal of PII",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "30525d18-fe33-4813-9519-7816bce5723f"
            },
            {
                "category": "Information security incident management",
                "code": "6.13.1.1",
                "label": "Responsibilities and procedures",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "30817081-369d-410d-8db7-25f43a1abd43"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.1.2",
                "label": "Securing application services on public networks",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "35ef0801-fa39-478f-94a4-cffaf3f2107c"
            },
            {
                "category": "Context of the organization",
                "code": "5.2.3",
                "label": "Determining the scope of the information security management system",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "36ebd0b0-ab2d-4a7e-b98a-aa048fb6c84e"
            },
            {
                "category": "Communication security",
                "code": "6.10.1.3",
                "label": "Segregation in networks",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "37d74fdf-8f6d-4197-a298-a30c646a5f53"
            },
            {
                "category": "Operations security",
                "code": "6.9.1.2",
                "label": "Change management",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "389d1443-d248-4f66-b980-bbdcb50e6c15"
            },
            {
                "category": "Human resources security",
                "code": "6.4.2.2",
                "label": "Information security awareness, education and training",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "3a003a78-d047-4ac0-941c-7ad67491d421"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.6",
                "label": "Contracts with PII processors",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "3bbc82c8-7c23-4e11-9c3d-c8a8c19dd08c"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.2",
                "label": "Limit processing",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "3dafed59-ef7c-43fc-814c-a17c832b319f"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.1.2",
                "label": "Physical entry controls",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "3f68a76b-6c1d-4fcb-952e-c2e9de3d9363"
            },
            {
                "category": "Support",
                "code": "5.5.2",
                "label": "Competence",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "3fa8deba-8222-473b-b966-dff98dd64a3e"
            },
            {
                "category": "Human resources security",
                "code": "6.4.1.1",
                "label": "Screening",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "40d912e5-c0d5-44c6-90eb-bdd3a9f7d5c4"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.8",
                "label": "Providing copy of PII processed",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "442e6409-082e-4613-b000-49d141240fc5"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.3",
                "label": "Technical review of applications after operating platform changes",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "4607f451-23b6-40ed-89f2-71cb91a4d282"
            },
            {
                "category": "Support",
                "code": "5.5.5.2",
                "label": "Creating and updating",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "4630e54e-2bfb-462e-b88d-4392efe7f276"
            },
            {
                "category": "Support",
                "code": "5.5.3",
                "label": "Awareness",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "466033e1-6c60-4db2-bf61-ebcae6645a0b"
            },
            {
                "category": "Operation",
                "code": "5.6.2",
                "label": "Information security risk assessment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "4c9f0ab8-778b-4c94-aea9-68921b5ad148"
            },
            {
                "category": "Communication security",
                "code": "6.10.2.2",
                "label": "Agreements on information transfer",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "4cfd17b6-5841-4fa7-8d3b-227af4d3b652"
            },
            {
                "category": "Context of the organization",
                "code": "5.2.1",
                "label": "Understanding the organization and its context",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "514811fc-ca1a-49be-89cc-57f0042a77aa"
            },
            {
                "category": "Cryptography",
                "code": "6.7.1.1",
                "label": "Policy on the use of cryptographic controls",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "53e91bf7-76ed-4cb8-b308-21f1dbd52aa3"
            },
            {
                "category": "Information security incident management",
                "code": "6.13.1.2",
                "label": "Reporting information security events",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "54d38b77-2e5c-4c4e-b47b-b936518e8094"
            },
            {
                "category": "Access control",
                "code": "6.6.3.1",
                "label": "Use of secret authentication information",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "55f0123d-1c82-4352-8700-03a66e9d72fc"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.5",
                "label": "PII de-identification and deletion at the end of processing",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "56844655-7f50-46ec-bfc1-6d40fa74b31b"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.5",
                "label": "Legally binding PII disclosures",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "56dc629e-506a-4502-b42d-a49e72ed7ec9"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.1.5",
                "label": "Working in secure areas",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "58c52280-09b2-4c91-ab59-eb995f5688fd"
            },
            {
                "category": "Access control",
                "code": "6.6.1.1",
                "label": "Access control policy",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "5cdeff98-2016-4d39-858e-3fc915185b52"
            },
            {
                "category": "Organisation of information security",
                "code": "6.3.1.1",
                "label": "Information security roles and responsibilities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "64cdbec6-e81c-4baf-92bf-1ce53cf3d8b2"
            },
            {
                "category": "Support",
                "code": "5.5.5.1",
                "label": "General",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "65f112a9-3b20-4f18-950b-085d0be3f114"
            },
            {
                "category": "Operations security",
                "code": "6.9.6.2",
                "label": "Restrictions on software installation",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "66d4273e-98cd-4d08-9acb-08ba787db13a"
            },
            {
                "category": "Support",
                "code": "5.5.5.3",
                "label": "Control of documented information",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "6780dda7-2c33-496b-81e3-9d868f47b61d"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.9",
                "label": "Clear desk and clear screen policy",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "67d95c58-fdf0-439d-8ce6-277238136141"
            },
            {
                "category": "Operations security",
                "code": "6.9.5.1",
                "label": "Installation of software on operational systems",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "6a78d184-cc44-461e-af3d-3ebc8380b78f"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.7",
                "label": "Outsourced development",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "6ac5a193-c021-4df4-abd1-bb0aed4af36a"
            },
            {
                "category": "Information security incident management",
                "code": "6.13.1.4",
                "label": "Assessment of and decision on information security events",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "6c50d8a4-6793-479b-84af-f3cf94fe4102"
            },
            {
                "category": "Information security incident management",
                "code": "6.13.1.3",
                "label": "Reporting information security weaknesses",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "6dd7fb16-a5f8-4722-9197-bf198327ed8b"
            },
            {
                "category": "Human resources security",
                "code": "6.4.2.1",
                "label": "Management responsibilities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "6ddcd365-eeca-473d-b9ad-03726ae858d8"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.3",
                "label": "Accuracy and quality",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "6ee51d2e-83fe-4198-8118-dc7db98515b1"
            },
            {
                "category": "Operations security",
                "code": "6.9.1.1",
                "label": "Documented operating procedures",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "70a53056-137e-429a-9483-0a2e92a24fac"
            },
            {
                "category": "Asset Management",
                "code": "6.5.3.3",
                "label": "Physical media transfer",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "71761dbc-aea1-4d01-b09d-abe2e67c4f1a"
            },
            {
                "category": "Access control",
                "code": "6.6.4.4",
                "label": "Use of privileged utility programs",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "719158a7-c965-46e2-bed9-d273925a3fdd"
            },
            {
                "category": "Operations security",
                "code": "6.9.4.3",
                "label": "Administrator and operator logs",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "7405dca3-2282-47e2-ac19-1992ff0a0228"
            },
            {
                "category": "Operations security",
                "code": "6.9.1.4",
                "label": "Separation of development, testing and operational environments",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "777d9c77-1093-4a4f-9c1f-ff9db9aa96c1"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.4",
                "label": "Equipment maintenance",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "77d78b64-a53d-4a62-9b00-7bc4c6df5d99"
            },
            {
                "category": "Performance Evaluation",
                "code": "5.7.1",
                "label": "Monitoring, measurement, analysis and evaluation",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "78bae82d-72d6-4b22-abc1-d49747a6dbad"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.1.1",
                "label": "Information security requirements analysis and specification",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "7b804877-23cc-4f04-9979-8b6f985d04b9"
            },
            {
                "category": "Performance Evaluation",
                "code": "5.7.2",
                "label": "Internal audit",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "7b8aa5d2-9afa-4e76-a038-1bb4f169fc23"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.1",
                "label": "Limit collection",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "7bc37de2-8b17-4965-980c-94260e7c84c9"
            },
            {
                "category": "Communication security",
                "code": "6.10.2.4",
                "label": "Confidentiality or non-disclosure agreements",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "7fab270e-33dc-4df8-853b-770b47ed8b67"
            },
            {
                "category": "Information security incident management",
                "code": "6.13.1.6",
                "label": "Learning from information security incidents",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "805044a1-7f8c-40b4-9a29-5a9724624a69"
            },
            {
                "category": "Asset Management",
                "code": "6.5.3.2",
                "label": "Disposal of media",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8247018f-5966-4fa1-86ed-74f89a17752d"
            },
            {
                "category": "Access control",
                "code": "6.6.4.1",
                "label": "Information access restriction",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "84f2f3dc-54c0-4b96-8d27-8f2ae47a2964"
            },
            {
                "category": "Compliance",
                "code": "6.15.2.3",
                "label": "Technical compliance review",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "853373dc-8dc4-451e-b100-55d42aee4ffe"
            },
            {
                "category": "Asset Management",
                "code": "6.5.1.3",
                "label": "Acceptable Use of Assets",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "85b65a44-6cca-498f-ab76-1079d0bdfadc"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "B.8.2.3",
                "label": "Marketing and advertising use",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8862ca92-f431-48c6-b565-fd5fb9aa46d8"
            },
            {
                "category": "Organisation of information security",
                "code": "6.3.2.2",
                "label": "Teleworking",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8bb579d1-e9c6-4883-92a9-185cb3987b66"
            },
            {
                "category": "Leadership",
                "code": "5.3.1",
                "label": "Leadership and commitment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8d3a8ce7-3c35-4aed-8143-32f5d2279054"
            },
            {
                "category": "Leadership",
                "code": "5.3.2",
                "label": "Policy",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8d6462fd-5a10-4847-92d1-da2585439e5e"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.4",
                "label": "PII minimization objectives",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8e26c999-8f20-4cfc-8682-3d14c4d8315d"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.8",
                "label": "Records related to processing PII",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8e697e5d-c974-44eb-b973-d6c8ba916725"
            },
            {
                "category": "Asset Management",
                "code": "6.5.2.3",
                "label": "Handling of Assets",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8f246d95-7e65-4fdf-a9bd-a567e537843e"
            },
            {
                "category": "Context of the organization",
                "code": "5.2.2",
                "label": "Understanding the needs and expectations of interested parties",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8f6ef571-4efe-4df1-bca5-92af7e966240"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.1",
                "label": "Secure development policy",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "8fa447dd-b5e2-4be0-9784-4386ba03abf5"
            },
            {
                "category": "Asset Management",
                "code": "6.5.2.1",
                "label": "Classification of information",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "91bd3542-b178-4c2e-a62e-ba5d37360ca4"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.1.3",
                "label": "Protecting application services transactions",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "92cc1326-12da-4199-b805-9dfb5a6f5870"
            },
            {
                "category": "Supplier relationships",
                "code": "6.12.2.2",
                "label": "Managing changes to supplier services",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "94aa96fa-a2fa-4507-bec5-05fe0db41b9f"
            },
            {
                "category": "Information security objectives and planning to achieve them",
                "code": "5.4.2",
                "label": "Information security objectives and planning to achieve them",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "9a30e1ba-93d3-4e96-b8d9-663f2720e90a"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.3",
                "label": "Records of PII disclosure to third parties",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "9b1c4774-db02-4e14-9b1b-c4fc81438413"
            },
            {
                "category": "Access control",
                "code": "6.6.2.3",
                "label": "Management of privileged access rights",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "9bb3a441-d077-49a3-a20f-c91f431104e3"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "A.7.5.2",
                "label": "Countries and international organizations to which PII can be transferred",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "9cc453f9-ec65-4091-b72f-c4411023de64"
            },
            {
                "category": "Supplier relationships",
                "code": "6.12.1.3",
                "label": "Information and communication technology supply chain",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "9d3cc972-695b-4700-b0ad-a53891329322"
            },
            {
                "category": "Cryptography",
                "code": "6.7.1.2",
                "label": "Key management",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "9eac1198-8099-4b6c-931c-f59fbc2ec30e"
            },
            {
                "category": "Human resources security",
                "code": "6.4.2.3",
                "label": "Disciplinary procedures",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "9f509e16-fd65-4121-8144-c2403c924dfb"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.6",
                "label": "Disclosure of subcontractors used to process PII",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a0091b82-4864-49dc-a885-a27cd933d4aa"
            },
            {
                "category": "Operations security",
                "code": "6.9.2.1",
                "label": "Controls against malware",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a0494662-1835-44f8-b600-df2d2bcdaf7f"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.6",
                "label": "Access correction and/or erasure",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a1141b2f-868c-4c8c-bb32-911732b9adf9"
            },
            {
                "category": "Leadership",
                "code": "5.3.3",
                "label": "Organizational roles responsibilities and authorities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a3a2049e-f29c-4bae-9c23-d791feba7e0e"
            },
            {
                "category": "Support",
                "code": "5.5.4",
                "label": "Communication",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a3d0ca70-89d8-4e54-9ced-20159cf4e3bd"
            },
            {
                "category": "Compliance",
                "code": "6.15.1.3",
                "label": "Protection of records",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a66fa2a1-6237-4552-abd5-be6df3856d09"
            },
            {
                "category": "Access control",
                "code": "6.6.4.3",
                "label": "Password management system",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a681fb35-04d6-4adc-bde8-b044a26c970d"
            },
            {
                "category": "Compliance",
                "code": "6.15.1.4",
                "label": "Privacy and protection of personally identifiable information",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a77afead-e763-41a6-a803-af6b3d0a2cb2"
            },
            {
                "category": "Supplier relationships",
                "code": "6.12.1.2",
                "label": "Addressing security within supplier agreements",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a793e4bc-6bd9-49a4-8c4b-4933dc7d2238"
            },
            {
                "category": "Information security aspects of business continuity management",
                "code": "6.14.1.2",
                "label": "Implementing information security continuity",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a86710e7-c5bf-4fa7-a311-8757ab2b801b"
            },
            {
                "category": "Operations security",
                "code": "6.9.4.1",
                "label": "Event logging",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a87901f1-5d34-46af-afc7-0375e59721f6"
            },
            {
                "category": "Supplier relationships",
                "code": "6.12.1.1",
                "label": "Information security policy for supplier relationships",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a943f47f-6996-4490-b45d-9c427942c0a7"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "B.8.2.2",
                "label": "Organization's purposes",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "a9d08b54-382a-4116-93a0-39d34495c711"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.5",
                "label": "Secure systems engineering principles",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "af4c64b8-fc6e-4bd7-8679-3cc0d3c31480"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.9",
                "label": "Handling requests",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b00f4fa5-5643-4b69-8d58-377007ed3696"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "B.8.2.4",
                "label": "Infringing instruction",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b1bfc4bc-db05-4d94-9273-382562faefcd"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.7",
                "label": "PII controllers' obligations to inform third parties",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b40b6f97-5f9b-4f0e-ae6f-317172cd942b"
            },
            {
                "category": "Operations security",
                "code": "6.9.3.1",
                "label": "Information backup",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b44c628f-e837-44d0-8392-8f936f8e86e4"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.3",
                "label": "Providing information to PII principals",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b455a728-91ac-4a9e-bb29-ecd4505fa37b"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.5",
                "label": "Privacy impact assessment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b476a2b4-7eee-4e79-8910-d9e309d8c759"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.1.6",
                "label": "Delivery and loading areas",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b570b846-c1fb-4a9d-8f79-5dac6e4e5d87"
            },
            {
                "category": "Operations security",
                "code": "6.9.6.1",
                "label": "Management of technical vulnerabilities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "b5c16404-bcfc-4756-8e42-8ba590803215"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.1",
                "label": "Determining and fulfilling obligations to PII principals",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "bca25a95-8ac6-4b8f-857a-e7ceb72101dd"
            },
            {
                "category": "Performance Evaluation",
                "code": "5.7.3",
                "label": "Management review",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "bd47b036-1585-4f1f-a648-66f681971779"
            },
            {
                "category": "Access control",
                "code": "6.6.2.5",
                "label": "Review of user access rights",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "bef5cb25-c14c-473a-b987-1faad4c6be6e"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.4",
                "label": "Providing mechanism to modify or withdraw consent",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c0b08efb-ff1b-4c47-8cb6-c78860818c90"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.10",
                "label": "Automated decision making",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c1301d3d-096c-412b-9fc4-80bf6bd2ce4c"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "A.7.5.1",
                "label": "Identify basis for PII transfer between jurisdictions",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c1975c78-d5c7-4294-b794-7bf70c443cdf"
            },
            {
                "category": "Supplier relationships",
                "code": "6.12.2.1",
                "label": "Monitoring and review of supplier services",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c293ea96-ba7c-4c2c-b8f2-34b2fd13c6b7"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.2",
                "label": "Identify lawful basis",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c4709dc0-24a8-4e1d-962c-2fafb958de37"
            },
            {
                "category": "Actions to address risks and opportunities",
                "code": "5.4.1.1",
                "label": "Actions to address risks and opportunities - General",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c4d6e81f-91e4-4c90-afa2-433afaad05f4"
            },
            {
                "category": "Organisation of information security",
                "code": "6.3.2.1",
                "label": "Mobile device policy",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c690cf3c-e020-450d-865e-32fdc36a609f"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.7",
                "label": "Secure disposal or re-use of equipment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c6923895-042d-4e83-bd6e-9195e74e3188"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.1.1",
                "label": "Physical security perimeter",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c7790c91-5a58-4d1f-9df1-942d4a3ef273"
            },
            {
                "category": "Operations security",
                "code": "6.9.7.1",
                "label": "Information systems audit controls",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c8ec4174-841c-4de4-9685-342e1933351c"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "A.7.5.3",
                "label": "Records of transfer of PII",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "c8feff26-b7e6-4fc0-8067-978ab64f096e"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.9",
                "label": "PII transmission controls",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "cc79433d-bd1b-40eb-9960-5fae6ee09216"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.2",
                "label": "Countries and international organizations to which PII can be transferred",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "cca8434a-1f0f-48ec-9358-2f3ee5a712da"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.1",
                "label": "Identify and document purpose",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "cd1267a3-0a09-402c-ada9-85c9291aac26"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.3.1",
                "label": "Protection of test data",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "cdb15fe9-9808-4749-8747-c284018cccf0"
            },
            {
                "category": "Information security aspects of business continuity management",
                "code": "6.14.1.1",
                "label": "Planning information security continuity",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "cfec872a-4fb3-4364-91dc-475236cc2f93"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "B.8.4.1",
                "label": "Temporary files",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d16fc0f9-ab36-49b6-a4ad-4d8d0120f0a1"
            },
            {
                "category": "Operations security",
                "code": "6.9.4.2",
                "label": "Protection of log information",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d21603d6-f97e-4b20-bdf6-7bf5248277cb"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "B.8.2.5",
                "label": "Customer obligations",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d2b79e78-5e9b-4a6d-94f7-855274b7831f"
            },
            {
                "category": "Asset Management",
                "code": "6.5.2.2",
                "label": "Labelling of information",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d313624f-8213-4f20-b536-b859e8b8c429"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.9",
                "label": "System acceptance testing",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d3f5b543-cd6b-4645-8395-e9d00cfdbeb6"
            },
            {
                "category": "Obligations to PII principals",
                "code": "A.7.3.5",
                "label": "Providing mechanism to object to PII processing",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d462468f-b212-4c90-aed2-18dc60db95ce"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "B.8.2.1",
                "label": "Customer agreement",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d5cde1bc-d630-4a7e-b7c0-04dbae6bff30"
            },
            {
                "category": "Communication security",
                "code": "6.10.2.1",
                "label": "Information transfer policies and procedures",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d649f805-1142-4fcf-a119-ae76f392708a"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.4",
                "label": "Notification of PII disclosure requests",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d9273c35-a712-46b9-9754-b96cb49d2332"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "B.8.2.6",
                "label": "Records related to processing PII",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d9a470ad-a071-4ace-9662-8dc18a96b361"
            },
            {
                "category": "Operations security",
                "code": "6.9.4.4",
                "label": "Clock synchronisation",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d9e0e545-7b42-4899-8e56-7f9fc6fce85f"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.8",
                "label": "Unattended user equipment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "d9e2a570-4155-4970-88d7-809179ac7f31"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.8",
                "label": "Disposal",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "db2c9e1b-aac1-418c-911e-00eb01cdef6c"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "B.8.5.7",
                "label": "Engagement of a subcontractor to process PII",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "dccd6bfd-aff7-4b01-8004-4d7eb3348484"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.1",
                "label": "Equipment siting and protection",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "dcf6c663-23fc-450b-8d46-be3c48bc049a"
            },
            {
                "category": "Information security incident management",
                "code": "6.13.1.5",
                "label": "Response to information security incidents",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "dd2c4b83-0077-4f70-99b1-74127969c19b"
            },
            {
                "category": "Human resources security",
                "code": "6.4.3.1",
                "label": "Termination or change of employment responsibilities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "dd48169a-e980-4e58-804b-fb283786415c"
            },
            {
                "category": "Communication security",
                "code": "6.10.1.1",
                "label": "Network controls",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "de3adccd-edfe-4379-9b4a-f8243baa6afc"
            },
            {
                "category": "PII sharing transfer and disclosure",
                "code": "A.7.5.4",
                "label": "Records of PII disclosure to third parties",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "df68917b-f26e-4511-92c1-3b77be11df0f"
            },
            {
                "category": "Privacy by design and privacy by default",
                "code": "A.7.4.7",
                "label": "Retention",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "e1ea896d-cf46-4a7a-a1ad-a4c3ea188866"
            },
            {
                "category": "Obligations to PII principals",
                "code": "B.8.3.1",
                "label": "Obligations to PII principals",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "e7247cf7-a80b-4f1d-a32b-9ddd79a84371"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.3",
                "label": "Cabling security",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "e7f6a752-9122-47cd-a52b-6c6ee7e182f5"
            },
            {
                "category": "Actions to address risks and opportunities",
                "code": "5.4.1.3",
                "label": "Information Security Risk Treatment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "e9ba3458-e01f-43e0-9883-7b53a2c8b1a3"
            },
            {
                "category": "Access control",
                "code": "6.6.2.6",
                "label": "Removal or adjustment of access rights",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "ea2ec9a6-269a-4e38-a90c-381528893d06"
            },
            {
                "category": "Organisation of information security",
                "code": "6.3.1.3",
                "label": "Contact with authorities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "ea53cbc7-bec8-472b-9468-6389ea53e786"
            },
            {
                "category": "Operation",
                "code": "5.6.3",
                "label": "Information security risk treatment",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "ec5da672-3770-4120-a041-b61b09b84757"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.6",
                "label": "Security of equipment and assets off-premises",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "edebd5a7-ebb3-4942-8b72-60293b1ec524"
            },
            {
                "category": "Operation",
                "code": "5.6.1",
                "label": "Operational planning and control",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "ee177f90-a062-4d24-aea7-a7e1098ad3e4"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.2",
                "label": "Supporting utilities",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "f08bfc02-4466-4378-ac24-73247e695667"
            },
            {
                "category": "Systems acquisition development and maintenance",
                "code": "6.11.2.4",
                "label": "Restrictions on changes to software packages",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "f1645c93-2336-4729-9c68-dc77341e7112"
            },
            {
                "category": "Compliance",
                "code": "6.15.1.1",
                "label": "Identification of applicable legislation and contractual requirements",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "f3db84e6-5546-48db-bd12-86b56490ace5"
            },
            {
                "category": "Access control",
                "code": "6.6.1.2",
                "label": "Access to networks and network services",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "f943a311-075b-4282-bf24-cf36b7aff54d"
            },
            {
                "category": "Physical and environment security",
                "code": "6.8.2.5",
                "label": "Removal of assets",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "f98a71be-5dd2-4124-82d5-1a533516c8a3"
            },
            {
                "category": "Communication security",
                "code": "6.10.1.2",
                "label": "Security of network services",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "fae6cccf-0765-4894-9914-5983325e39e1"
            },
            {
                "category": "Conditions for collection and processing",
                "code": "A.7.2.7",
                "label": "Joint PII controller",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "fcd65733-75b3-4c48-b066-783a2766fa71"
            },
            {
                "category": "Asset Management",
                "code": "6.5.3.1",
                "label": "Management of removable media",
                "referential": "f65b378c-ab20-4651-825b-4da34944b519",
                "referential_label": "ISO 27701",
                "uuid": "fe333449-ff0e-46ff-845a-deace938868b"
            }
        ],
        "version": 1,
        "version_ext": "2019"
    },
    {
        "authors": [
            "L\u00e9on TREFF"
        ],
        "label": "ILNAS 107",
        "language": "FR",
        "refs": "https://ilnas.services-publics.lu/ecnor/displayStandard.action?id=222513",
        "uuid": "c81cfb5e-0786-4778-95c7-44c33b5177de",
        "values": [
            {
                "category": "Mesures",
                "code": "L.5.2.2",
                "label": "R\u00f4les et responsabilit\u00e9s",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "00dfdbd6-6ff9-4763-b39d-e4195843a582"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.8",
                "label": "Protection des donn\u00e9es",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "4658beef-31ed-4529-92f4-763c7ea699c8"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.1",
                "label": "Disponibilit\u00e9 et int\u00e9grit\u00e9 de la documentation relative aux actifs de support",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "4ed219b4-aa8f-4196-a2f9-b5eab0f2252c"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.6",
                "label": "Conditions environnementales",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "798e1bcb-159b-4808-ac29-4abcf32405d2"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.9",
                "label": "Transfert de l'information",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "7f9deeca-75c3-4012-ab81-4254ca6cc0ce"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.10",
                "label": "Continuit\u00e9 des activit\u00e9s",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "9a14a2a0-5855-4ca2-84b9-9af909f0083a"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.7",
                "label": "Stockage des actifs de support",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "9bb10d1d-ad23-48da-837e-ccea19ae6533"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.5",
                "label": "Sauvegarde des actifs de support",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "9e43828d-61d7-4ab7-a606-0b79619a832d"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.11",
                "label": "Conformit\u00e9 des fournisseurs",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "c53a1246-3c60-4470-94df-b17c27058e82"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.3",
                "label": "Gestion des changements",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "ecd468f3-9de5-4123-86ef-2c6d92fdad39"
            },
            {
                "category": "Mesures",
                "code": "L.5.2.4",
                "label": "Gestion des acc\u00e8s",
                "referential": "c81cfb5e-0786-4778-95c7-44c33b5177de",
                "referential_label": "ILNAS 107",
                "uuid": "f22c39eb-7a90-4e01-945d-a9c9ad2b148a"
            }
        ],
        "version": 1,
        "version_ext": "2020"
    },
    {
        "label": "TKG-SiKa2.0",
        "language": "DE",
        "uuid": "3547ca1d-abbf-42e3-8a43-b5afbee19595",
        "values": [
            {
                "category": "2.1 Routing und Protokolle",
                "code": "SK2.1x",
                "label": "Es ist immer von verschiedenen Optionen immer die am sichersten einzusch\u00e4tzende L\u00f6sung von Standards und Protokollen zu implementieren",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e100",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12500"
            },
            {
                "category": "2.1.1 Verschl\u00fcsselungstechnik",
                "code": "SK2.1.1.1x",
                "label": "Der TK-Anbieter muss an sicherheitsrelevanten Stellen eine Verschl\u00fcsselung von Daten nach Stand der Technik vornehmen oder des Transportweges (z.B. \u00fcber TLS). -> technische Richtlinie TR-02102",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e101",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12501"
            },
            {
                "category": "2.1.1 Verschl\u00fcsselungstechnik",
                "code": "SK2.1.1.2x",
                "label": "Passw\u00f6rter m\u00fcssen nach aktuellem Stand der Technik zumindest gehasht und mit einem Salt versehen und gespeichert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e102",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12502"
            },
            {
                "category": "2.1.2 Schutz vor DoS/DDoS-Angriffen",
                "code": "SK2.1.2x",
                "label": "Der TK-Anbieter Ma\u00dfnahmen zur Abwehr (Mitigation) von DoS/DDoS-Angriffen zu treffen. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e103",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12503"
            },
            {
                "category": "2.1.2.1 Resilienz der Infrastruktur gegen DoS- / DDoS-Angriffe",
                "code": "SK2.1.2.1x",
                "label": "Die Kapazit\u00e4ten von Systemen, die im Fokus von DDoS-Angriffen stehen k\u00f6nnten, m\u00fcssen so ausgelegt werden, dass ihre Funktionsf\u00e4higkeit auch bei einer mittelschweren Attacke ohne weitere Ma\u00dfnahmen weiterhin gew\u00e4hrleistet ist.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e104",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12504"
            },
            {
                "category": "2.1.2.2 Schutz vor IP-Spoofing",
                "code": "SK2.1.2.2x",
                "label": "Das F\u00e4lschen von Absenderadressen muss verhindert oder erschwert werden. Die Anforderungen aus den IETF-RFCs RFC2827 und RFC3704 sind umzusetzen (Ingress filter/BCP38) .",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e105",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12505"
            },
            {
                "category": "2.1.2.3 Deaktivieren nicht genutzter Dienste - eigene Systeme",
                "code": "SK2.1.2.3.1",
                "label": "Eigene Server sollten gegen Missbrauch absichert werden, indem z.B. nicht ben\u00f6tigte Dienste deaktiviert werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e106",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12506"
            },
            {
                "category": "2.1.2.3 Deaktivieren nicht genutzter Dienste - Kunden",
                "code": "SK2.1.2.3.2",
                "label": "Kunden sollten auf offene Ports und erreichbare Dienste (selbst ermittelt oder auf Basis externer Quellen), von denen Gefahr ausgeht, hingewiesen werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e107",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12507"
            },
            {
                "category": "2.1.2.4 Schutz betrieblich erforderlicher Dienste",
                "code": "SK2.1.2.4x",
                "label": "F\u00fcr den Netzbetrieb erforderliche Dienste m\u00fcssen durch geeignete Ma\u00dfnahmen (z.B. ACLs) und Komponenten (z.B. Paketfilter) vor DoS-/DDoS-Angriffen gesch\u00fctzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e108",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12508"
            },
            {
                "category": "2.1.2.5 Detektion von Botnetzen",
                "code": "SK2.1.2.5x",
                "label": "Man muss unter Beachtung der Ma\u00dfgaben in \u00a7 100 Abs. 1 TKG (Nutzung von Steuerdaten,Verkehrdaten), eine geeignete Sensorik betreiben, um Botnetze zu detektieren. Datenschutzrechtliche Schutzvorschriften wie die unverz\u00fcgliche L\u00f6schung aufgezeichneter Daten und die Information des betrieblichen Datenschutzbeauftragten sind zu beachten, vgl. \u00a7 100 Abs. 2 TKG.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e109",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12509"
            },
            {
                "category": "2.1.3 Gleichbehandlungsgrundsatz",
                "code": "SK2.1.3.1x",
                "label": "Datenpakete von und an Kunden muss der TK-Anbieter unver\u00e4ndert und gleichberechtigt \u00fcbertragen, unabh\u00e4ngig davon, woher diese stammen oder welche Anwendungen die Pakete generiert haben. Ausgenommen hiervon ist der VOIP-Dienst.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e110",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12510"
            },
            {
                "category": "2.1.4 Inter-Domain-Routing",
                "code": "SK2.1.4.1x",
                "label": " Ma\u00dfnahmen zur Verhinderung der Manipulation von BGP-Routen sind zu treffen, beispielsweise die Verwendung von RPKI ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e111",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12511"
            },
            {
                "category": "2.2 Beobachtung, Berichterstattung und Kooperation",
                "code": "SK2.2.1",
                "label": "Verkehrsdaten sollten im Rahmen der gesetzlichen M\u00f6glichkeiten (DSGVO, TKG100 Abs1 und \u00a7 109a Abs. 4 - 6 TKG) und soweit dies f\u00fcr die Erbringung des jeweiligen Dienstes erforderlich ist, regelm\u00e4\u00dfig auf Auff\u00e4lligkeiten hin beobachtet werden. Bei festgestellten Unregelm\u00e4\u00dfigkeiten sind geeignete Ma\u00dfnahmen zum Schutz zu ergreifen (z.B. Netzverkehr unterbinden, Verkehr zu St\u00f6rern einschr\u00e4nken oder unterbinden).",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e112",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12512"
            },
            {
                "category": "2.2.1 Implementierung einer Monitoring-Infrastruktur",
                "code": "SK2.2.1.1x",
                "label": "Eine geeignete Monitoring Infrastruktur (MI) muss vorgehalten werden. Diese sollte dazu in der Lage sein, fortw\u00e4hrend Bedrohungen zu identifizieren und zu vermeiden. Die MI muss alle f\u00fcr den Betrieb des Netzwerkes wesentlichen Komponenten erfassen sowie auch Komponenten, die personenbezogene Daten (z.B. Nutzerkennungen) an externe Vertragspartner \u00fcbermitteln, etwa im Kontext von netzwerk\u00fcbergreifender Signalisierung. Als f\u00fcr das Sicherheitsmonitoring geeignete Datenquellen kommen u.a. m\u00f6glicherweise BGP-Router, Server f\u00fcr DNS, E-Mail, HTTP(S), SIP(S), SSH, IPsec in Betracht.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e113",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12513"
            },
            {
                "category": "2.2.1 Implementierung einer Monitoring-Infrastruktur",
                "code": "SK2.2.1.2x",
                "label": "Eine geeignete MI muss ferner f\u00fcr eingetretene St\u00f6rungen geeignete Beseitigungsma\u00dfnahmen vorsehen. Die vorgesehenen Ma\u00dfnahmen sollten tats\u00e4chlich und ggf. auch unter Zeitdruck umsetzbar sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e114",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12514"
            },
            {
                "category": "2.2.1.2 Implementierung einer Monitoring-Infrastruktur",
                "code": "SK2.2.1.2.1x",
                "label": "Die f\u00fcr ein Monitoring eingesetzten Tools m\u00fcssen geeignete Parameter bzw. Merkmale aus dem laufenden Betrieb kontinuierlich und automatisch erfassen und auswerten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e115",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12515"
            },
            {
                "category": "2.2.1.2 Implementierung einer Monitoring-Infrastruktur",
                "code": "SK2.2.1.2.2",
                "label": "Die Arbeitsweise, das Zusammenspiel der Monitoring Tools und eine ggf. vorgenommene Verarbeitung der Daten sollte im Sicherheitskonzept dokumentiert werden. Ebenfalls dokumentiert werden sollten Schwellwerte und \u00e4hnliche Parameter, die zur Justierung der MI (z.B. H\u00e4ufigkeit von Einzelereignissen bis ein Alarm ausgel\u00f6st wird, Justierung des Verh\u00e4ltnisses von True Positives zu False Negatives) genutzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e116",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12516"
            },
            {
                "category": "2.2.1.2 Implementierung einer Monitoring-Infrastruktur",
                "code": "SK2.2.1.2.3x",
                "label": "Es ist ferner zu dokumentieren, wie mit erkannten Auff\u00e4lligkeiten umgegangen wird. Es ist zu kennzeichnen, welche Ma\u00dfnahmen von der MI automatisch eingeleitet werden, und welche einen Alarm ausl\u00f6sen, der eine manuelle Intervention nach sich zieht.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e117",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12517"
            },
            {
                "category": "2.2.1.2 Implementierung einer Monitoring-Infrastruktur",
                "code": "SK2.2.1.2.4",
                "label": "Die MI sollte daneben eine einzelfallunabh\u00e4ngige Statistik generieren, welche eine Identifizierung eines bestimmten Gefahrenbildes oder Modus Operandi erm\u00f6glicht. Kommen bin\u00e4re Klassifikatoren zum Einsatz, so sollten diese mittels einer gemeinsamen Betrachtung der Eckdaten (TPR, FPR, TNR, FNR) und einer geeigneten Darstellung (z.B. ROC-Kurve) bewertet werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e118",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12518"
            },
            {
                "category": "2.2.1 Implementierung einer Monitoring-Infrastruktur",
                "code": "SK2.2.1.3x",
                "label": "Signifikante Abweichungen vom normalen Netzbetrieb (z.B. ungew\u00f6hnliche Datenfl\u00fcsse, untypische Datenpakete auf bestimmten Ports, auff\u00e4lliges Verhalten kritischer Netzkomponenten usw.) m\u00fcssen permanent registriert, analysiert und dokumentiert werden. Dabei ist darauf zu achten, dass die Daten nur f\u00fcr den erforderlichen Zeitraum gespeichert werden. Sofern keine konkreten Anhaltspunkte f\u00fcr Angriffe oder Fehler vorliegen, sind die Daten nach sp\u00e4testens 7 Tagen zu anonymisieren (z.B. durch Erstellen von statistischen Auswertungen) oder zu l\u00f6schen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e119",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12519"
            },
            {
                "category": "2.2.1.3 Weiterentwicklung MI",
                "code": "SK2.2.1.3.1",
                "label": "Die von der MI generierten Daten sollten zur Optimierung des Verh\u00e4ltnisses von True Positives und False Negatives regelm\u00e4\u00dfig einem Review unterworfen werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e120",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12520"
            },
            {
                "category": "2.2.1.3 Weiterentwicklung MI",
                "code": "SK2.2.1.3.2",
                "label": "Zur Identifizierung von False Negatives sollten erg\u00e4nzend externe Datenquellen verwandt werden. Auch in diesen F\u00e4llen sollten die zur Optimierung ergriffenen Ma\u00dfnahmen (z.B. Justierung von Schwellwerten; die Erfassung weiterer Parameter; der Einsatz weiterer oder die Abschaltung von nicht mehr zielf\u00fchrenden Monitoring Tools) und etwaige \u00c4nderungen der MI dokumentiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e121",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12521"
            },
            {
                "category": "2.2.1.3 Weiterentwicklung MI",
                "code": "SK2.2.1.3.3x",
                "label": "Eine MI muss rechtlich zul\u00e4ssig und datenschutzkonform sein. Aus telekommunikationsrechtlicher Sicht orientiert sich die rechtliche Zul\u00e4ssigkeit einer MI an \u00a7 100 Abs. 1 und 2 TKG",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e122",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12522"
            },
            {
                "category": "2.2 Beobachtung, Berichterstattung und Kooperation",
                "code": "SK2.2.2",
                "label": "Es sollten Ma\u00dfnahmen umgesetzt werden, um ungew\u00fcnschte Ver\u00e4nderungen durch Hersteller, Management-Dienstleister oder staatliche Akteure (z.B. aus den Herstellerl\u00e4ndern) detektieren bzw. ausschlie\u00dfen",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e123",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12523"
            },
            {
                "category": "2.2.2 Aufzeichnung / Protokollierung von Management-Aktivit\u00e4ten",
                "code": "SK2.2.2.1x",
                "label": "S\u00e4mtliche Management-Aktivit\u00e4ten an Netzkomponenten m\u00fcssen protokolliert und entsprechend ihrer Bedeutung f\u00fcr die Sicherheit der Gesamtinfrastruktur \u00fcber einen hinreichend langen Zeitraum archiviert werden, um m\u00f6gliche Sicherheitsvorf\u00e4lle auch im Nachhinein rekonstruieren zu k\u00f6nnen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e124",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12524"
            },
            {
                "category": "2.2.3 Protokollierung der Konfigurationsdateien",
                "code": "SK2.2.3.1",
                "label": "Die Soll-Konfiguration einer jeden Netzkomponente sollten dokumentiert und gegen unbefugten Zugriff gesch\u00fctzt abgespeichert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e125",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12525"
            },
            {
                "category": "2.2.4 Soll- / Ist-Abgleich der Komponenten",
                "code": "SK2.2.4.1",
                "label": "Hinreichend h\u00e4ufig sollten Revisionen der Netzinfrastruktur durchgef\u00fchrt werden, die u.a. einen Soll-Ist-Abgleich der aktuellen Konfigurationsdateien s\u00e4mtlicher Netzkomponenten mit den gem\u00e4\u00df 2.2.3 archivierten Referenzdateien umfassen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e126",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12526"
            },
            {
                "category": "2.2.5 Verhaltenspr\u00fcfung der Komponenten",
                "code": "SK2.2.5.1",
                "label": "\u00dcber den Soll-Ist-Vergleich der Konfigurationsdateien hinaus sollte regelm\u00e4\u00dfig ein Vergleich des tats\u00e4chlichen mit dem vorgesehen Verhalten einzelner Komponenten durchgef\u00fchrt werden. Dazu sollen Test Cases definiert werden, in denen das konforme Verhalten beschrieben ist.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e127",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12527"
            },
            {
                "category": "2.2.6 Identifizierung infizierter Systeme und Aufkl\u00e4rung des Kunden \u00fcber Bedrohungen bei erkannter Infektion",
                "code": "SK2.2.6.1",
                "label": "Zus\u00e4tzlich zu den genannten Vorkehrungen zum eigenen Schutz sollten TK-Anbieter das Netz auch im Hinblick auf infizierte Systeme von Kunden beobachten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e128",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12528"
            },
            {
                "category": "2.2.6 Identifizierung infizierter Systeme und Aufkl\u00e4rung des Kunden \u00fcber Bedrohungen bei erkannter Infektion",
                "code": "SK2.2.6.2x",
                "label": "Werden dem TK-Anbieter St\u00f6rungen bekannt, die von Datenverarbeitungssystemen der Nutzer ausgehen, ist er nach TKG \u00a7109a Abs. 4 zur unverz\u00fcglichen Benachrichtigung der Nutzer verpflichtet, soweit dies technisch m\u00f6glich und zumutbar ist. Auch hat er in diesem Fall die Nutzer auf angemessene, wirksame und zug\u00e4ngliche technische Mittel hinzuweisen, mit denen sie diese St\u00f6rungen erkennen und beseitigen k\u00f6nnen. Die gesetzlichen Meldepflichten (siehe Katalog Kap. 3.5.3) sind zu beachten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e129",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12529"
            },
            {
                "category": "2.2.7 Kooperationen bei TK-anbieter\u00fcbergreifenden St\u00f6rungen",
                "code": "SK2.2.7.1",
                "label": "Treten St\u00f6rungen auf, von denen mehrere TK-Anbieter betroffen sein k\u00f6nnten, beispielsweise aufgrund von DDoS-Angriffen (siehe hierzu auch 2.1.2.), ist eine TK-Anbieter \u00fcbergreifende Zusammenarbeit notwendig. Diese sollte auch einen provider\u00fcbergreifenden Austausch zu infizierten Ger\u00e4ten umfassen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e130",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12530"
            },
            {
                "category": "2.2.7 Kooperationen bei TK-anbieter\u00fcbergreifenden St\u00f6rungen",
                "code": "SK2.2.7.2x",
                "label": "Hierzu m\u00fcssen Ansprechpartner und Vorgehensweisen im Vorfeld untereinander abgestimmt werden. Dazu z\u00e4hlt auch die Benennung eines mindestens zu den B\u00fcro-Arbeitszeiten reaktionsf\u00e4higen Abuse-Kontaktes, \u00fcber den eingehende Meldungen (ggf. automatisiert) bearbeitet werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e131",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12531"
            },
            {
                "category": "2.2.7 Kooperationen bei TK-anbieter\u00fcbergreifenden St\u00f6rungen",
                "code": "SK2.2.7.3x",
                "label": "Es liegt in der Verantwortung des TK-Anbieters, vernetzte Anbieter zu kontaktieren, um die entsprechenden Kontaktpersonen zu ermitteln. Letztere haben den ersten TK-Anbieter im Gegenzug unverz\u00fcglich \u00fcber \u00c4nderungen zu informieren. Es muss stets sichergestellt sein, dass im Notfall ein direkter und unverz\u00fcglicher Kontakt unter den TK-Anbietern m\u00f6glich ist.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e132",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12532"
            },
            {
                "category": "2.2.8 Kooperation mit Anti-Malware-Herstellern",
                "code": "SK2.2.8.1",
                "label": "Mithilfe der umgehenden Weiterleitung von Malware-Samples an AV-Hersteller sollten diese bei der zeitnahen Verbesserung von Detektionsma\u00dfnahmen unterst\u00fctzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e133",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12533"
            },
            {
                "category": "3.1 Allgemeine Sicherheitsvorkehrungen",
                "code": "SK3.1",
                "label": "Neben der Authentisierung mit Hilfe von Benutzername und Passwort sollten, wenn technisch m\u00f6glich, den Kunden st\u00e4rkere Authentifizierungsverfahren wie beispielsweise kryptographische Authentifizierungsverfahren oder Verfahren der Zwei-FaktorAuthentifizierung (Besitz und Wissen) angeboten werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e134",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12534"
            },
            {
                "category": "3.1.1 Organisations- und Risikomanagement ",
                "code": "SK3.1.1.1x",
                "label": "verbindliches Verfahren, um Risiken f\u00fcr Netzwerke, Dienste und die Verarbeitung personenbezogener Daten zu erkennen",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e135",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12535"
            },
            {
                "category": "3.1.1 Organisations- und Risikomanagement ",
                "code": "SK3.1.1.2x",
                "label": "Dokumentation der Risiken und Kontrolle der Restrisiken",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e136",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12536"
            },
            {
                "category": "3.1.2 Sicherheitsrollen und Verantwortlichkeiten",
                "code": "SK3.1.2.1x",
                "label": "Benennung des Sicherheitsbeauftragten nach \u00a7 109 Abs. 4 TKG.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e137",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12537"
            },
            {
                "category": "3.1.2 Sicherheitsrollen und Verantwortlichkeiten",
                "code": "SK3.1.2.2x",
                "label": "F\u00fcr die Sicherheit von Informationen, Gesch\u00e4ftsprozessen, Anwendungen, Aufgaben und Regelungen ist eine personelle Verantwortlichkeit festzulegen. Bei der Vergabe der jeweiligen Sicherheitsrollen kann ein Ernennungsakt Klarheit, Transparenz und \u00d6ffentlichkeit verschaffen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e138",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12538"
            },
            {
                "category": "3.1.2 Sicherheitsrollen und Verantwortlichkeiten",
                "code": "SK3.1.2.3x",
                "label": "Es sind alle Mitarbeiter \u00fcber diese Verantwortlichkeiten in geeigneter Weise zu informieren",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e139",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12539"
            },
            {
                "category": "3.1.2 Sicherheitsrollen und Verantwortlichkeiten",
                "code": "SK3.1.2.4x",
                "label": " Die f\u00fcr Sicherheitsvorf\u00e4lle zust\u00e4ndigen Personen m\u00fcssen in der Wahrnehmung ihrer Rollen erreichbar sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e140",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12540"
            },
            {
                "category": "3.1.2 Sicherheitsrollen und Verantwortlichkeiten",
                "code": "SK3.1.2.5",
                "label": "regelm\u00e4\u00dfige Schulung des benannten Personals",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e141",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12541"
            },
            {
                "category": "3.1.3 Lieferantenmanagement",
                "code": "SK3.1.3.1x",
                "label": "initiale und regelm\u00e4ssige Pr\u00fcfung und Bewertung der Zuverl\u00e4ssigkeit, Vertrauensw\u00fcrdigkeit und Qualit\u00e4t des Erf\u00fcllungsgehilfen oder Lieferanten",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e142",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12542"
            },
            {
                "category": "3.1.3 Lieferantenmanagement",
                "code": "SK3.1.3.2x",
                "label": "Abh\u00e4ngigkeiten von Dritten darf die Sicherheit von Netzwerken oder Dienstleistungen sowie personenbezogener Daten nicht beeintr\u00e4chtigen",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e143",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12543"
            },
            {
                "category": "3.1.3 Lieferantenmanagement",
                "code": "SK3.1.3.3x",
                "label": "Sicherheitsanforderungen m\u00fcssen in die vertragliche Grundlage mit Anbietern aufgenommen werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e144",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12544"
            },
            {
                "category": "3.1.3 Lieferantenmanagement",
                "code": "SK3.1.3.4x",
                "label": "Das datenschutzrechtlich konforme Handeln der Dritten ist sicherzustellen",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e145",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12545"
            },
            {
                "category": "3.1.3 Lieferantenmanagement",
                "code": "SK3.1.3.5x",
                "label": "Bei Auftragsverarbeitung sind au\u00dferdem die Regelungen des Art. 28 DSGVO zu beachten",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e146",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12546"
            },
            {
                "category": "3.1.3 Lieferantenmanagement",
                "code": "SK3.1.3.6x",
                "label": "Sicherheitsanforderungen m\u00fcssen nicht nur festgelegt und aktualisiert, sondern auch deren Einhaltung regelm\u00e4\u00dfig (ADV) \u00fcberpr\u00fcft werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e147",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12547"
            },
            {
                "category": "3.2.1 Neukundeninformation",
                "code": "SK3.2.1.1",
                "label": "Neukunden sollten schriftlich mit Informationen zu Risiken im Internet, bestehenden Schutzm\u00f6glichkeiten sowie Hinweisen zu Entfernungsm\u00f6glichkeiten von Schadsoftware versorgt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e148",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12548"
            },
            {
                "category": "3.2.1 Sicherheits\u00fcberpr\u00fcfung (Personal intern und extern)",
                "code": "SK3.2.1.2",
                "label": "angemessene Sicherheits\u00fcberpr\u00fcfung und Dokumentation der eingesetzten Pr\u00fcfungsmodalit\u00e4t (vor Personaleinsatz)",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e149",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12549"
            },
            {
                "category": "3.2.1 Sicherheits\u00fcberpr\u00fcfung (Personal intern und extern)",
                "code": "SK3.2.1.3x",
                "label": "Vorlage von Personalausweis, beglaubigten Zeugniskopien, Personenzertifikaten, amtlichem F\u00fchrungszeugnis",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e150",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12550"
            },
            {
                "category": "3.2.2 Information des Kunden bei Verdacht einer Schadsoftware-Infektion",
                "code": "SK3.2.2.1",
                "label": "Bei vorliegendem Verdacht auf eine Schadsoftware-Infektion eines Kunden-Endger\u00e4ts sollte der Kunde benachrichtigt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e151",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12551"
            },
            {
                "category": "3.2.2 Sicherheitswissen und Sensibilisierung (Personal intern und extern)",
                "code": "SK3.2.2.2x",
                "label": "Personal muss relevante Schulungen (Sicherheit und Umgang mit sensiblen Daten) besucht haben",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e152",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12552"
            },
            {
                "category": "3.2.2 Sicherheitswissen und Sensibilisierung (Personal intern und extern)",
                "code": "SK3.2.2.3x",
                "label": "Personal muss Material zu Sicherheitsfragen zur Verf\u00fcgung gestellt werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e153",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12553"
            },
            {
                "category": "3.2.2 Sicherheitswissen und Sensibilisierung (Personal intern und extern)",
                "code": "SK3.2.2.4",
                "label": "regelm\u00e4\u00dfige Schulungsma\u00dfnahmen und Sensibilisierungssitzungen (z.B. Datenschutz, Fernmeldegeheimnis)",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e154",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12554"
            },
            {
                "category": "3.2.2 Sicherheitswissen und Sensibilisierung (Personal intern und extern)",
                "code": "SK3.2.2.5x",
                "label": "Der Besuch der Schulungen ist zu dokumentieren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e155",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12555"
            },
            {
                "category": "3.2.3 Personelle Ver\u00e4nderungen (Personal intern und extern)",
                "code": "SK3.2.3.1x",
                "label": "Es sind Regelungen f\u00fcr die Verwaltung von Personalver\u00e4nderungen oder \u00c4nderungen von Zust\u00e4ndigkeiten und Verantwortlichkeiten zu wahren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e156",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12556"
            },
            {
                "category": "3.2.3 Personelle Ver\u00e4nderungen (Personal intern und extern)",
                "code": "SK3.2.3.2x",
                "label": "Nach einem Personal- oder Beauftragtenwechsel sind Zugriffs-, Zutritts- und Zugangsrechte zu entsprechenden Systemen, Geb\u00e4uden oder Anlagen unverz\u00fcglich anzupassen bzw. zu sperren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e157",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12557"
            },
            {
                "category": "3.2.3 Personelle Ver\u00e4nderungen (Personal intern und extern)",
                "code": "SK3.2.3.3x",
                "label": "Ausgegebene Passw\u00f6rter sind nach dem Stand der Technik zu verwalten. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e158",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12558"
            },
            {
                "category": "3.2.3 Personelle Ver\u00e4nderungen (Personal intern und extern)",
                "code": "SK3.2.3.4x",
                "label": "Neues Personal muss \u00fcber geltende Richtlinien und Verfahren informiert und sensibilisiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e159",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12559"
            },
            {
                "category": "3.2.4 Umgang mit Verst\u00f6\u00dfen (Personal intern)",
                "code": "SK3.2.4.1",
                "label": "verbindliche Regelungen f\u00fcr Sicherheitsverletzungen aufgrund von Verst\u00f6\u00dfen",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e160",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12560"
            },
            {
                "category": "3.3.1 Bandbreite, Erreichbarkeit von Notrufnummern",
                "code": "SK3.3.1.1",
                "label": "Der TK-Anbieter sollte einen Teil der zur Verf\u00fcgung stehenden Bandbreite f\u00fcr die VoIP-Kommunikation reservieren. Vor allem die Erreichbarkeit von Notrufnummern muss sichergestellt sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e161",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12561"
            },
            {
                "category": "3.3.1 Sicherer Umgang mit sensiblen Daten und Informationen",
                "code": "SK3.3.1.2x",
                "label": "Sensible Akten oder Dokumente m\u00fcssen unter Verschluss verwahrt werden. Abschlie\u00dfbare Aktenschr\u00e4nke, verschlossene B\u00fcror\u00e4ume sollten als m\u00f6gliche Ma\u00dfnahmen ber\u00fccksichtigt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e162",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12562"
            },
            {
                "category": "3.3.1 Sicherer Umgang mit sensiblen Daten und Informationen",
                "code": "SK3.3.1.3",
                "label": "Mobile Endger\u00e4te oder Wechseldatentr\u00e4ger sollten mit geeigneten Verschl\u00fcsselungstechnologien gesch\u00fctzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e163",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12563"
            },
            {
                "category": "3.3.1 Sicherer Umgang mit sensiblen Daten und Informationen",
                "code": "SK3.3.1.4",
                "label": "Es sollte ein Mobile Device Management (MDM) genutzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e164",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12564"
            },
            {
                "category": "3.3.1 Sicherer Umgang mit sensiblen Daten und Informationen",
                "code": "SK3.3.1.5",
                "label": "Es sollten Regelungen zur sicheren Entsorgung von Wechseldatentr\u00e4gern, die nicht mehr ben\u00f6tigt werden oder defekt sind, getroffen werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e165",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12565"
            },
            {
                "category": "3.3.1 Sicherer Umgang mit sensiblen Daten und Informationen",
                "code": "SK3.3.1.6x",
                "label": "Festplatten mit sensiblen Daten m\u00fcssen so entsorgt werden, dass eine Wiederherstellung der Daten nicht mehr m\u00f6glich ist.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e166",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12566"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.1x",
                "label": "Es sind physische Sicherheitselemente festzulegen, die den unbefugten Zutritt, die Besch\u00e4digung und die Beeintr\u00e4chtigung von Informationen und informationsverarbeitenden Einrichtungen verhindern (z.B. Sicherheitsschl\u00f6sser, Bewegungsmelder, Einbruchmeldeanlagen oder Video\u00fcberwachung). ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e167",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12567"
            },
            {
                "category": "3.3.2 Vertraulichkeit der Kommunikation",
                "code": "SK3.3.2.2",
                "label": "Erg\u00e4nzend zu Abschnitt 2.1.1 sollten im Rahmen des technisch M\u00f6glichen und wirtschaftlich Vertretbaren VoIP-Daten sowohl bei der \u00dcbertragung zwischen Provider-Netzen als auch \u2013 sofern das CPE des Kunden die technischen Voraussetzungen daf\u00fcr bietet \u2013 zwischen Kunden-CPE und SBC des Providers verschl\u00fcsselt \u00fcbertragen werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e168",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12568"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.3",
                "label": "Der Einsatz von Feuer-, Gas- und Rauchmeldern oder L\u00f6schanlagen sollte der Gr\u00f6\u00dfe der R\u00e4umlichkeiten angemessen vorhanden sein und regelm\u00e4\u00dfig gewartet werden.  ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e169",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12569"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.4x",
                "label": "Die Einhaltung der Brandschutzordnung muss regelm\u00e4\u00dfig \u00fcberpr\u00fcft werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e170",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12570"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.5",
                "label": "Sicherheitsbereiche sollten durch eine angemessene Zutrittssteuerung gesch\u00fctzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e171",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12571"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.6x",
                "label": "Ger\u00e4te und Betriebsmittel sind in regelm\u00e4\u00dfigen oder durch den Hersteller empfohlenen Intervallen zu warten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e172",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12572"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.7x",
                "label": "Telekommunikationsverkabelung und Stromverkabelung sind vor Unterbrechung, St\u00f6rung und Besch\u00e4digung angemessen zu sch\u00fctzen und in empfohlenen Intervallen zu warten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e173",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12573"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.8x",
                "label": "Redundante Leitungen sind voneinander getrennt zu verlegen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e174",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12574"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.9",
                "label": "Kabel sollten unterirdisch verlegt werden und durch Rohre und verschlossene R\u00e4ume und Schr\u00e4nke gesch\u00fctzt werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e175",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12575"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.10",
                "label": "Wasserf\u00fchrende Leitungen sollten in Serverr\u00e4umen vermieden werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e176",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12576"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.11x",
                "label": "Ma\u00dfnahmen zum Schutz vor Naturkatastrophen und Unf\u00e4llen sind zu ergreifen. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e177",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12577"
            },
            {
                "category": "3.3.2 Physische und elementare Schutzanforderungen",
                "code": "SK3.3.2.12x",
                "label": "Es ist eine regelm\u00e4\u00dfige Bewertung der Wirksamkeit von physischen und umgebungsbezogenen Schutzma\u00dfnahmen vorzunehmen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e178",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12578"
            },
            {
                "category": "3.3.3 \u00dcbermittlung der Rufnummer",
                "code": "SK3.3.3.1x",
                "label": "Die Signalisierung f\u00fcr CLIP/CLIR muss bei abgehenden Verbindungen korrekt eingestellt werden und bei ankommenden Verbindungen korrekt ber\u00fccksichtigt werden. Weiterhin sind die netzseitige (network provided number) und die kundenspezifische Rufnummer (user provided number) korrekt zu \u00fcbermitteln.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e179",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12579"
            },
            {
                "category": "3.3.3 Versorgungssicherheit (Verf\u00fcgbarkeit des Gesamtsystems)",
                "code": "SK3.3.3.2x",
                "label": "Ger\u00e4te und Betriebsmittel vor Stromausf\u00e4llen und anderen St\u00f6rungen sch\u00fctzen. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e180",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12580"
            },
            {
                "category": "3.3.3 Versorgungssicherheit (Verf\u00fcgbarkeit des Gesamtsystems)",
                "code": "SK3.3.3.3",
                "label": "redundante Leitungen \u00fcber unterschiedliche Zuleitungswege",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e181",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12581"
            },
            {
                "category": "3.3.3 Versorgungssicherheit (Verf\u00fcgbarkeit des Gesamtsystems)",
                "code": "SK3.3.3.4x",
                "label": "ausreichende Dimensionierung der Klimatisierung und Stromversorgung ist festzulegen und regelm\u00e4\u00dfig zu \u00fcberwachen",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e182",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12582"
            },
            {
                "category": "3.3.3 Versorgungssicherheit (Verf\u00fcgbarkeit des Gesamtsystems)",
                "code": "SK3.3.3.5x",
                "label": "Schaltanlagen, Notstromgeneratoren, Batterien, etc. m\u00fcssen regelm\u00e4\u00dfig kontrolliert und falls m\u00f6glich getestet werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e183",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12583"
            },
            {
                "category": "3.3.3 Versorgungssicherheit (Verf\u00fcgbarkeit des Gesamtsystems)",
                "code": "SK3.3.3.6x",
                "label": "Ein Verfahren zur Umsetzung f\u00fcr die Sicherheit kritischer Versorgungsg\u00fcter, Versorgungseinrichtungen und unterst\u00fctzenden Einrichtungen ist zu erstellen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e184",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12584"
            },
            {
                "category": "3.3.3 Versorgungssicherheit (Verf\u00fcgbarkeit des Gesamtsystems)",
                "code": "SK3.3.3.7x",
                "label": "Ma\u00dfnahmen zum Schutz der Lieferung und Bereitstellung der Versorgungseinrichtungen sind zu implementieren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e185",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12585"
            },
            {
                "category": "3.3.4 Schutz vor TDOS",
                "code": "SK3.3.4.1",
                "label": "Soweit technisch m\u00f6glich und wirtschaftlich angemessen, sollten TK-Anbieter \u2013 z.B. durch ein entsprechendes Monitoring am SBC \u2013 automatisierte Massenanrufe an einem Anschluss zum Zwecke, diesen lahmzulegen (sog. TDOS-Attacken), erkennen und unterbinden k\u00f6nnen. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e186",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12586"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.2x",
                "label": "Nutzer haben eindeutige Kennungen und werden authentifiziert, bevor sie auf Dienste oder Systeme zugreifen d\u00fcrfen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e187",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12587"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.3x",
                "label": "Passw\u00f6rter d\u00fcrfen nur verschl\u00fcsselt gespeichert werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e188",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12588"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.4x",
                "label": "Rollen, Rechte, Verantwortlichkeiten und Verfahren zum Zuweisen und Widerrufen von Zugriffsrechten sind festzulegen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e189",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12589"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.5x",
                "label": "Zugriffe auf Netzwerk- und Informationssysteme m\u00fcssen protokolliert werden. Abweichungen von dieser Verfahrensweise m\u00fcssen hinterlegt und protokolliert werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e190",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12590"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.6x",
                "label": "Fernwartungszug\u00e4nge m\u00fcssen ausreichend gesichert werden (eigene VPN-Zug\u00e4nge).",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e191",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12591"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.7x",
                "label": "Fremde Personen d\u00fcrfen sich nur in Begleitung oder nach geeigneter Sicherheits\u00fcberpr\u00fcfung und Einweisung in gesicherten Bereichen aufhalten. Fremde Personen sind hierbei Personen von externen Firmen z.B. bei Wartungsarbeiten, Umbauten oder auch Reinigungsarbeiten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e192",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12592"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.8x",
                "label": "Die Zugangskontrollmechanismen werden regelm\u00e4\u00dfig \u00fcberpr\u00fcft und bei Bedarf angepasst. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e193",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12593"
            },
            {
                "category": "3.3.4 Zugriffs- und Zugangskontrolle auf Netzwerk- und Informationssystemen",
                "code": "SK3.3.4.9x",
                "label": "F\u00fcr gesicherte technische Anlagen muss sichergestellt sein, dass nur Personen mit Befugnis Zugriff haben. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e194",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12594"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.1x",
                "label": "keine unberechtigten Manipulationen oder \u00c4nderungen",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e195",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12595"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.10",
                "label": "Mitarbeiter sollten durch Schulungsma\u00dfnahmen bef\u00e4higt sein, verd\u00e4chtige E-Mails oder Links zu erkennen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e196",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12596"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.2",
                "label": "\u00c4nderungen sollten dokumentiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e197",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12597"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.3x",
                "label": "Unberechtigte Zugriffe m\u00fcssen detektiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e198",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12598"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.4",
                "label": "Systeme und Anwendungen sollten immer die aktuellen Sicherheitsupdates erhalten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e199",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12599"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.5x",
                "label": "Es m\u00fcssen geeignete Ma\u00dfnahmen zur Erkennung von Schadsoftware umgesetzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e200",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12600"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.6",
                "label": "Ma\u00dfnahmen zur Sensibilisierung der Mitarbeiter sollen bestehen und umgesetzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e201",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12601"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.7x",
                "label": "Es ist sicherzustellen, dass sicherheitskritische Daten (wie Passw\u00f6rter, gemeinsame geheime Schl\u00fcssel, private Schl\u00fcssel usw.) nicht offengelegt oder manipuliert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e202",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12602"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.8",
                "label": "Die Wirksamkeit der Ma\u00dfnahmen zum Schutz der Integrit\u00e4t von Systemen sollte \u00fcberpr\u00fcft und bewertet werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e203",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12603"
            },
            {
                "category": "3.3.5 Integrit\u00e4t und Verf\u00fcgbarkeit von Netzwerk- und Informationssystemen",
                "code": "SK3.3.5.9",
                "label": "Passw\u00f6rter sollten sicher authentifiziert und bei Bedarf ge\u00e4ndert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e204",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12604"
            },
            {
                "category": "3.3.6 Vertraulichkeit und Integrit\u00e4t von Kommunikationsinhalten und Metadaten ",
                "code": "SK3.3.6.1",
                "label": "geeignete Verschl\u00fcsselungsverfahren sollten eingesetzt werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e205",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12605"
            },
            {
                "category": "3.3.6 Vertraulichkeit und Integrit\u00e4t von Kommunikationsinhalten und Metadaten ",
                "code": "SK3.3.6.2x",
                "label": "geeignete Authentifizierungsmechanismen f\u00fcr Kunden- und Dienstleistungsnetzwerke sind zu implementieren",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e206",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12606"
            },
            {
                "category": "3.3.6 Vertraulichkeit und Integrit\u00e4t von Kommunikationsinhalten und Metadaten ",
                "code": "SK3.3.6.3",
                "label": "Die Nutzung von Netzwerken und Diensten sollte fortw\u00e4hrend in geeigneter Form auf Anomalien sondiert werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e207",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12607"
            },
            {
                "category": "3.3.6 Vertraulichkeit und Integrit\u00e4t von Kommunikationsinhalten und Metadaten ",
                "code": "SK3.3.6.4",
                "label": "Es sollten standardisierte \u00dcbertragungsverfahren und -ma\u00dfnahmen verwendet werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e208",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12608"
            },
            {
                "category": "3.3.6 Vertraulichkeit und Integrit\u00e4t von Kommunikationsinhalten und Metadaten ",
                "code": "SK3.3.6.5x",
                "label": "Sicherheitskritische Daten von Kunden sind besonders zu sch\u00fctzen (z.B. Daten der SIM-Karten, IMEI-Nummer, Passw\u00f6rter). ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e209",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12609"
            },
            {
                "category": "3.3.6 Vertraulichkeit und Integrit\u00e4t von Kommunikationsinhalten und Metadaten ",
                "code": "SK3.3.6.6",
                "label": "Auch die Wirksamkeit von Methoden zum Schutz der Vertraulichkeit von Kommunikationsinhalten und -metadaten sollte stetig in geeigneter Form bewertet werden. Standortdaten unterliegen zus\u00e4tzlichen Anforderungen (siehe Abschnitt 4.2.4). Eine geeignete Bewertung kann die Ausf\u00fchrung einer Gegenpr\u00fcfung (Cross-Checks) oder die Durchf\u00fchrung eines (Stress)Tests sein. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e210",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12610"
            },
            {
                "category": "3.4 DNS-Dienste",
                "code": "SK3.4x",
                "label": "Erreichbarkeit auf den eigenen Kundenkreis beschr\u00e4nkt",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e211",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12611"
            },
            {
                "category": "3.4.1 Betriebsverfahren",
                "code": "SK3.4.1.1x",
                "label": "Durch geeignete Betriebsverfahren ist sicherzustellen, dass die Informations- und Kommunikationstechnologie ordnungsgem\u00e4\u00df, sicher und kontinuierlich funktioniert. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e212",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12612"
            },
            {
                "category": "3.4.1 Schutz vor Spoofing und Erschweren von Reflection/Amplification-Angriffen",
                "code": "SK3.4.1.2x",
                "label": "Ein permanentes Monitoring der DNS-Server muss gew\u00e4hrleistet sein und sollte es erm\u00f6glichen, Reflection/Amplification-Angriffe fr\u00fchzeitig zu erkennen. Hinweise ergeben sich z.B. bei einer H\u00e4ufung von Anfragen aus bestimmten Quellen, bez\u00fcglich bestimmter Resource-Records, unerlaubter rekursiver Anfragen u.\u00e4.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e213",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12613"
            },
            {
                "category": "3.4.1 Schutz vor Spoofing und Erschweren von Reflection/Amplification-Angriffen",
                "code": "SK3.4.1.3x",
                "label": "In diesen F\u00e4llen m\u00fcssen Gegenma\u00dfnahmen, wie die Einschr\u00e4nkung und Filterung von Anfragen, getroffen werden. Dies gilt ebenso f\u00fcr Dienste wie NTP, SSDP usw. die gleichfalls immer h\u00e4ufiger f\u00fcr Reflection-Angriffe missbraucht werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e214",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12614"
            },
            {
                "category": "3.4.1 Betriebsverfahren",
                "code": "SK3.4.1.4x",
                "label": "Im Mindestma\u00df muss der Betriebsablauf festgelegt und dokumentiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e215",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12615"
            },
            {
                "category": "3.4.1 Betriebsverfahren",
                "code": "SK3.4.1.5x",
                "label": "Verantwortlichkeiten f\u00fcr den Betrieb kritischer Systeme m\u00fcssen einer zust\u00e4ndigen Stelle zugewiesen sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e216",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12616"
            },
            {
                "category": "3.4.1 Betriebsverfahren",
                "code": "SK3.4.1.6x",
                "label": "Verf\u00fcgbare und notwendige Ressourcen m\u00fcssen bekannt sein. Ressourcen in diesem Sinn umfassen u.a. das notwendige und tats\u00e4chliche Personal, Systeme, Anwendungen und R\u00e4umlichkeiten. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e217",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12617"
            },
            {
                "category": "3.4.1 Betriebsverfahren",
                "code": "SK3.4.1.7x",
                "label": "Verf\u00fcgbare und notwendige Ressourcen m\u00fcssen stetig \u00fcberpr\u00fcft und ggf. in geeigneter Form gesteuert werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e218",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12618"
            },
            {
                "category": "3.4.2 \u00c4nderungsmanagement",
                "code": "SK3.4.2.1",
                "label": "Zur Vermeidung von St\u00f6rungen oder Sicherheitsvorf\u00e4llen sollten \u00c4nderungen an Netzwerk- und Informationssystemen, Infrastruktur, Dokumentationen, Prozessen, Verfahren und Betriebsabl\u00e4ufen geplant, kontrolliert, gesteuert und nach Abschluss \u00fcberpr\u00fcft werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e219",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12619"
            },
            {
                "category": "3.4.2 Schutz vor DNS-Cache Poisoning",
                "code": "SK3.4.2.2",
                "label": "Es sollte die Port-Randomisierung aktiviert sein",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e220",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12620"
            },
            {
                "category": "3.4.2 Schutz vor DNS-Cache Poisoning",
                "code": "SK3.4.2.3",
                "label": "Die Verkehrsmenge sollte regelm\u00e4\u00dfig beobachtet werden, um Cache-Poisoning Angriffe fr\u00fchzeitig zu entdecken. Insbesondere bei breitbandig angebundenen DNS-Resolvern ist eine Cache-Poisoning Attacke trotz aktivierter Port-Randomisierung weiterhin m\u00f6glich.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e221",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12621"
            },
            {
                "category": "3.4.2 \u00c4nderungsmanagement",
                "code": "SK3.4.2.4",
                "label": "\u00c4nderungen an kritischen Systemen sollen auf der Grundlage von vordefinierten und in geeigneter Form dokumentierten Verfahren erfolgen. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e222",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12622"
            },
            {
                "category": "3.4.2 Schutz vor DNS-Cache Poisoning",
                "code": "SK3.4.2.5",
                "label": "Zur Risikoreduzierung sollten au\u00dferdem Obergrenzen f\u00fcr die Haltezeit von zwischengepufferten Daten im DNS-Cache festgelegt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e223",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12623"
            },
            {
                "category": "3.4.2 \u00c4nderungsmanagement",
                "code": "SK3.4.2.6",
                "label": "Es sollte eine Einsch\u00e4tzung aller potenziellen direkten und indirekten Auswirkungen vorgenommen werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e224",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12624"
            },
            {
                "category": "3.4.2 \u00c4nderungsmanagement",
                "code": "SK3.4.2.7",
                "label": "Wesentliche tats\u00e4chliche \u00c4nderungen sollten in geeigneter Form protokolliert werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e225",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12625"
            },
            {
                "category": "3.4.2 \u00c4nderungsmanagement",
                "code": "SK3.4.2.8",
                "label": "Ma\u00dfnahmen der pr\u00e4ventiven Kontrolle, z. B. das 4-Augenprinzip.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e226",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12626"
            },
            {
                "category": "3.4.2 \u00c4nderungsmanagement",
                "code": "SK3.4.2.9",
                "label": "Die Funktionalit\u00e4t der TK-Systeme sollte nach \u00c4nderungen in geeigneter Form \u00fcberpr\u00fcft werden. Alle betroffenen Personen sollten \u00fcber die erforderlichen \u00c4nderungsdetails informiert werden. Identifizierte Auff\u00e4lligkeiten sollten sofort der vorher festgelegten Stelle angezeigt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e227",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12627"
            },
            {
                "category": "3.4.3 Asset Management",
                "code": "SK3.4.3.1",
                "label": "Sicherheit erfordert Kenntnis. Zumindest die wesentlichen Anlagen, Systeme und Einrichtungen, welche f\u00fcr den jeweiligen Netzbetrieb oder das Diensteangebot erforderlich sind, sollten eindeutig identifizierbar sein. Eine entsprechende Inventarisierung und Verwaltung von Anlagen und Systemen kann dies im Einzelfall sicherstellen. Die Verwaltung sollte auch die Konfigurationssteuerung der wesentlichen Netzwerk- und Kommunikationssysteme einschlie\u00dfen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e228",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12628"
            },
            {
                "category": "3.4.3 Einsatz von DNSSEC",
                "code": "SK3.4.3.2x",
                "label": "Innerhalb der DNS-Infrastruktur eines Netzbetreibers muss eine Validierung von DNSSEC-Signaturen fl\u00e4chendeckend erfolgen. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e229",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12629"
            },
            {
                "category": "3.4.3 Einsatz von DNSSEC",
                "code": "SK3.4.3.3",
                "label": "Der TK-Anbieter sollte seine Kunden \u00fcber die Vorteile von DNSSEC aufkl\u00e4ren sowie diese zu einer Nutzung anhalten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e230",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12630"
            },
            {
                "category": "3.5.1 Erkennen von Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.1.1x",
                "label": "Es muss ein Verfahren zum Erkennen von Sicherheitsvorf\u00e4llen und St\u00f6rungen eingerichtet und regelm\u00e4\u00dfig kontrolliert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e231",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12631"
            },
            {
                "category": "3.5.1 Erkennen von Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.1.2x",
                "label": "Es sind z.B. vordefinierte Betriebsparameter wie Klima, Strom, Datenaufkommen im TK-Verkehr zu \u00fcberwachen und im Sicherheitsvorfall oder bei St\u00f6rungen zu alarmieren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e232",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12632"
            },
            {
                "category": "3.5.1 Erkennen von Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.1.3",
                "label": "Nach Bekanntwerden von St\u00f6rungen und/oder Vorf\u00e4llen sollten betroffene Systeme so angepasst und/oder verbessert werden, dass zuk\u00fcnftig diese Problematik verhindert wird.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e233",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12633"
            },
            {
                "category": "3.5.2 Umgang mit Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.2.1x",
                "label": "Unternehmen haben ein Verfahren zur Definition und zum Umgang mit jedweder Art von Sicherheitsvorfall, einschlie\u00dflich dessen Meldung an zust\u00e4ndige Personen und Beh\u00f6rden zu implementieren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e234",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12634"
            },
            {
                "category": "3.5.2 Umgang mit Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.2.2",
                "label": "Es sollte regelm\u00e4\u00dfig \u00fcberpr\u00fcft werden, ob das festgelegte Verfahren den aktuellen Umst\u00e4nden entspricht und die tats\u00e4chliche Umsetzung planungskonform erfolgt.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e235",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12635"
            },
            {
                "category": "3.5.2 Umgang mit Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.2.3x",
                "label": "F\u00fcr Sicherheitsvorf\u00e4lle hat geeignetes Personal verf\u00fcgbar und benannt zu sein. Im Falle einer Sicherheitsverletzung kann es notwendig sein, unter Zeitdruck oder atypischen Umst\u00e4nden Sicherheitshandlungen durchzuf\u00fchren oder sicherheitsrelevante Entscheidungen zu treffen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e236",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12636"
            },
            {
                "category": "3.5.2 Umgang mit Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.2.4x",
                "label": "Die Kritikalit\u00e4t der jeweiligen St\u00f6rung oder Sicherheitsverletzung muss in geeigneter Form bewertet werden. Der f\u00fcr das Bewertungsergebnis vorgegebene Meldeweg muss sodann umgesetzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e237",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12637"
            },
            {
                "category": "3.5.2 Umgang mit Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.2.5x",
                "label": "Kritische Sicherheitsvorf\u00e4lle m\u00fcssen grunds\u00e4tzlich untersucht werden. Untersuchung und Ergebnis muss in einem Bericht dokumentiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e238",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12638"
            },
            {
                "category": "3.5.2 Umgang mit Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.2.6",
                "label": "Aus dem Bericht sollte hervorgehen, welche Ma\u00dfnahmen getroffen oder geplant sind, um gleichgelagerte Sicherheitsvorf\u00e4lle und deren Auswirkungen zuk\u00fcnftig zu vermeiden oder das Sicherheitsrisiko zu minimieren. Die in dieser Hinsicht getroffenen oder geplanten Ma\u00dfnahmen sollten begr\u00fcndet werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e239",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12639"
            },
            {
                "category": "3.5.2 Umgang mit Sicherheitsvorf\u00e4llen und St\u00f6rungen",
                "code": "SK3.5.2.7x",
                "label": "betr\u00e4chtliche Sicherheitsverletzungen gem\u00e4\u00df \u00a7 109 Abs. 5 TKG, sind diese unverz\u00fcglich der Bundesnetzagentur und dem Bundesamt f\u00fcr Sicherheit in der Informationstechnik mitzuteilen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e240",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12640"
            },
            {
                "category": "3.5.3 Kommunikation und Meldung von Sicherheitsvorf\u00e4llen",
                "code": "SK3.5.3.1x",
                "label": "Ein Sicherheitsvorfall kann eine gesetzliche Meldepflicht (z. B. \u00a7\u00a7109 Abs. 5, 109a Abs. 1 TKG oder Art. 33 DSGVO) ausl\u00f6sen. Falls erforderlich sind daher Meldungen \u00fcber aktuelle oder zur\u00fcckliegende Sicherheitsereignisse an Dritte, Kunden und/ oder Beh\u00f6rden durchzuf\u00fchren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e241",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12641"
            },
            {
                "category": "3.5.3 Kommunikation und Meldung von Sicherheitsvorf\u00e4llen",
                "code": "SK3.5.3.2",
                "label": "Zur Sicherstellung etwaiger Meldepflichten sowie der Kommunikation und Berichterstattung von Sicherheitsvorf\u00e4llen sollten geeignete Regelungen in die unternehmerischen Betriebsabl\u00e4ufe implementiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e242",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12642"
            },
            {
                "category": "3.5.3 Kommunikation und Meldung von Sicherheitsvorf\u00e4llen",
                "code": "SK3.5.3.3x",
                "label": "Bei einem Angriff auf Passw\u00f6rter sind betroffene Kunden schnellstm\u00f6glich zu informieren. Zur Sicherstellung sollte ein geeignetes Meldeverfahren festgelegt werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e243",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12643"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.1x",
                "label": "Eine geeignete Pr\u00e4ventionsstrategie vor St\u00f6rungen Sicherheitsvorf\u00e4llen darf nicht nicht nur die technischen Aspekte f\u00fcr die Aufrechterhaltung der Dienste zu regeln. Auch organisatorische Ma\u00dfnahmen sind im Vorfeld zu planen, festzulegen und fortw\u00e4hrend zu \u00fcberpr\u00fcfen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e244",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12644"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.10",
                "label": "Es sollte regelm\u00e4\u00dfig eine Evaluierung dieser Pl\u00e4ne erfolgen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e245",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12645"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.11x",
                "label": "Ein geeigneter Notfallbeauftragter ist zu benennen. Dieser sollte alle Aktivit\u00e4ten des Notfallmanagements kennen und steuern.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e246",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12646"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.2x",
                "label": "Regelungen zur Aufrechterhaltung der Infrastrukturen und Dienste haben allgemeine Handlungsanweisungen und m\u00f6glichst auch konkrete, auf den Einzelfall angepasste Notallma\u00dfnahmen zu enthalten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e247",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12647"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.3",
                "label": "Relevante Kontaktinformationen sollten in einem Notfallhandbuch beschrieben und stets aktuell sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e248",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12648"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.4",
                "label": "Der Zugriff auf diese Regelungen und Informationen sollte sichergestellt sein. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e249",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12649"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.5x",
                "label": "Im Vorfeld ist die Verf\u00fcgbarkeit angemessener Redundanzen auf System- und Dienstebene sicherzustellen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e250",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12650"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.6x",
                "label": "Diese Redundanzen sind in regelm\u00e4\u00dfigen Abst\u00e4nden zu testen bzw. umzuschalten, sofern dies unterbrechungsfrei m\u00f6glich ist.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e251",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12651"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.7x",
                "label": "Es sind regelm\u00e4\u00dfige Backups von kritischen Systemen und Daten zu erstellen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e252",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12652"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.8x",
                "label": "Auf die gesetzlich vorgegebenen L\u00f6sch- und Speicherfristen ist hierbei zu achten, insbesondere sollte die Speicherdauer der Backups in einem angemessenen Verh\u00e4ltnis zur Speicherdauer der personenbezogenen Daten stehen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e253",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12653"
            },
            {
                "category": "3.6.1 Aufrechterhaltung von Telekommunikationsinfrastrukturen und Diensten (Business Continuity Management)",
                "code": "SK3.6.1.9x",
                "label": "Es sind angepasste Notfallpl\u00e4ne zum Betrieb kritischer Systeme auszuarbeiten, festzulegen und zu implementieren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e254",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12654"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.1x",
                "label": "Ausfallzeiten bis zur Wiederherstellung der Funktionsf\u00e4higkeit von Netzwerk und Kommunikationsdiensten m\u00fcssen dennoch mit angemessenen Mitteln so gering wie m\u00f6glich gehalten werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e255",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12655"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.2x",
                "label": "Es sind geeignete Richtlinien und Verfahren zur schnellstm\u00f6glichen Wiederherstellung wichtiger Netzwerk- und Kommunikationsdienste zu entwickeln und festzulegen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e256",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12656"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.3",
                "label": "Diese Richtlinien und Verfahren sollten in regelm\u00e4\u00dfigen Abst\u00e4nden evaluiert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e257",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12657"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.4",
                "label": "Die wichtigsten Gesch\u00e4ftsprozesse f\u00fcr den Wiederanlauf sollten priorisiert werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e258",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12658"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.5",
                "label": "Im Vorfeld sollten Lieferantenvertr\u00e4ge auf eine Ersatzbereitstellung gepr\u00fcft werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e259",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12659"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.6",
                "label": "Eine geeignete Schutzma\u00dfnahme kann die Vorhaltung geeigneter Ersatzger\u00e4te f\u00fcr Infrastruktur und TK-Systeme sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e260",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12660"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.7",
                "label": "Eine geeignete Schutzma\u00dfnahme kann im Einzelfall auch die Vorhaltung geeigneter, mobiler Netzersatzanlagen sein",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e261",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12661"
            },
            {
                "category": "3.6.2 Wiederanlauf nach Ausf\u00e4llen (Disaster Recovery Management)",
                "code": "SK3.6.2.8",
                "label": "Zur Aufrechterhaltung von Dienstleistungen kann die pr\u00e4ventive Einrichtung von Notfallarbeitspl\u00e4tzen f\u00fcr Mitarbeiter sinnvoll sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e262",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12662"
            },
            {
                "category": "3.7.1 \u00dcberwachungs- und Protokollierungsma\u00dfnahmen",
                "code": "SK3.7.1.1x",
                "label": "Alle sicherheitsrelevanten Ereignisse sind zu protokollieren und in einer auswertbaren Form abzuspeichern.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e263",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12663"
            },
            {
                "category": "3.7.1 \u00dcberwachungs- und Protokollierungsma\u00dfnahmen",
                "code": "SK3.7.1.2x",
                "label": "Werden Daten f\u00fcr diese Zwecke nicht mehr ben\u00f6tigt, so sind sie unverz\u00fcglich zu l\u00f6schen. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e264",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12664"
            },
            {
                "category": "3.7.1 \u00dcberwachungs- und Protokollierungsma\u00dfnahmen",
                "code": "SK3.7.1.3",
                "label": "Es sollte ein auf den Einzelfall angepasstes Regelwerk f\u00fcr die \u00dcberwachung und Protokollierung betriebsrelevanter Systeme eingef\u00fchrt und umgesetzt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e265",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12665"
            },
            {
                "category": "3.7.1 \u00dcberwachungs- und Protokollierungsma\u00dfnahmen",
                "code": "SK3.7.1.4",
                "label": "Das Regelwerk sollte regelm\u00e4\u00dfig evaluiert werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e266",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12666"
            },
            {
                "category": "3.7.1 \u00dcberwachungs- und Protokollierungsma\u00dfnahmen",
                "code": "SK3.7.1.5",
                "label": "Durch die automatische \u00dcberwachung und Protokollierung betriebsrelevanter Systeme k\u00f6nnen im Einzelfall m\u00f6glicherweise weitere, zur Auswertung geeignete Informationen gewonnen werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e267",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12667"
            },
            {
                "category": "3.7.1 \u00dcberwachungs- und Protokollierungsma\u00dfnahmen",
                "code": "SK3.7.1.6",
                "label": "Administrative T\u00e4tigkeiten oder Arbeiten an betriebsrelevanten Systemen sollten protokolliert werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e268",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12668"
            },
            {
                "category": "3.7.2 Notfall\u00fcbungen",
                "code": "SK3.7.2.1",
                "label": "Es sollten regelm\u00e4\u00dfig Notfall\u00fcbungen durchgef\u00fchrt werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e269",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12669"
            },
            {
                "category": "3.7.2 Notfall\u00fcbungen",
                "code": "SK3.7.2.2",
                "label": "Eine Vorgehensweise zum Testen und \u00fcben von Notfallpl\u00e4nen zur Aufrechterhaltung und Wiederherstellung kritischer Dienste und Infrastrukturen festlegt werden. Falls m\u00f6glich und notwendig, sollte dies auch in Zusammenarbeit mit Dritten erfolgen. Es sollen m\u00f6glichst realistische und unterschiedliche Szenarien ber\u00fccksichtigt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e270",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12670"
            },
            {
                "category": "3.7.2 Notfall\u00fcbungen",
                "code": "SK3.7.2.3",
                "label": "Dabei soll festgestellt werden ob geplante Ausfallzeiten nicht \u00fcberschritten werden und ob die bestimmte Krisenleitung in der Praxis ihre Aufgaben erf\u00fcllt. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e271",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12671"
            },
            {
                "category": "3.7.3 Testen von Netzwerk- und IT-Systemen",
                "code": "SK3.7.3.1",
                "label": "Es sollten daher schon im Vorfeld Regelungen zur Freigabe und zum Testen von Netzwerk- und IT-Systemen festgelegt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e272",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12672"
            },
            {
                "category": "3.7.3 Testen von Netzwerk- und IT-Systemen",
                "code": "SK3.7.3.2",
                "label": "Netzwerk- oder IT-Systeme sollten auf gesonderten Testumgebungen getestet werden, bevor sie verwendet oder mit vorhandenen Systemen verbunden werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e273",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12673"
            },
            {
                "category": "3.7.3 Testen von Netzwerk- und IT-Systemen",
                "code": "SK3.7.3.3",
                "label": "Gleiches sollte auch bei Anpassungen oder z.B. nach Updates geschehen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e274",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12674"
            },
            {
                "category": "3.7.3 Testen von Netzwerk- und IT-Systemen",
                "code": "SK3.7.3.4",
                "label": "Betriebsrelevante Systeme sollten regelm\u00e4\u00dfigen Sicherheitstests unterzogen werden. Dies gilt insbesondere dann, wenn neue Systeme eingef\u00fchrt und \u00c4nderungen vorgenommen werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e275",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12675"
            },
            {
                "category": "3.7.3 Testen von Netzwerk- und IT-Systemen",
                "code": "SK3.7.3.5x",
                "label": "Es muss sichergestellt sein, dass Tests keine Auswirkungen auf die Sicherheit von Netzwerken und Diensten haben. Die Verwendung von sensiblen Daten muss vermieden werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e276",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12676"
            },
            {
                "category": "3.8 Beurteilung der Sicherheitsma\u00dfnahmen",
                "code": "SK3.8.1x",
                "label": "Alle Sicherheitsma\u00dfnahmen m\u00fcssen den Stand der Technik ber\u00fccksichtigen. Vor diesem Hintergrund m\u00fcssen auch die getroffenen Sicherheitsma\u00dfnahmen regelm\u00e4\u00dfig neu vom pflichtigen Unternehmen beurteilt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e277",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12677"
            },
            {
                "category": "3.8 Beurteilung der Sicherheitsma\u00dfnahmen",
                "code": "SK3.8.2",
                "label": "Daher sollte eine angemessene Strategie zur Beurteilung der im Einzelfall getroffenen Sicherheitsma\u00dfnahmen erstellt werden. ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e278",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12678"
            },
            {
                "category": "3.8 Beurteilung der Sicherheitsma\u00dfnahmen",
                "code": "SK3.8.3",
                "label": "Es sollten im Mindestma\u00df Regelungen zur Beurteilung der getroffenen Schutzma\u00dfnahmen erstellt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e279",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12679"
            },
            {
                "category": "3.8 Beurteilung der Sicherheitsma\u00dfnahmen",
                "code": "SK3.8.4",
                "label": "Regelm\u00e4\u00dfig durchgef\u00fchrte Risikoanalysen sowie Erhebungen festgelegter Kennzahlen (z.B. St\u00f6rungs- und Ausfallzeiten als Indikator) k\u00f6nnen f\u00fcr die Beurteilung der Sicherheitsma\u00dfnahmen herangezogen werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e280",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12680"
            },
            {
                "category": "3.8 Beurteilung der Sicherheitsma\u00dfnahmen",
                "code": "SK3.8.5",
                "label": "Durch regelm\u00e4\u00dfige und realistische Stresstests k\u00f6nnen m\u00f6glicherweise neue Risikofaktoren identifiziert werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e281",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12681"
            },
            {
                "category": "3.9 Einhaltung gesetzlicher Anforderungen",
                "code": "SK3.9.1x",
                "label": "Die Einhaltung gesetzlicher, vertraglicher oder freiwilliger Regeln ist sicherzustellen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e282",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12682"
            },
            {
                "category": "3.9 Einhaltung gesetzlicher Anforderungen",
                "code": "SK3.9.2",
                "label": " Hierzu sollte ein \u00dcberwachungssystem in die Betriebsabl\u00e4ufe implementiert werden",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e283",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12683"
            },
            {
                "category": "3.9 Einhaltung gesetzlicher Anforderungen",
                "code": "SK3.9.3",
                "label": " Hierzu sollte eine zust\u00e4ndige Stelle benannt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e284",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12684"
            },
            {
                "category": "3.9 Einhaltung gesetzlicher Anforderungen",
                "code": "SK3.9.4",
                "label": "Die Rechtsentwicklung sollte kontinuierlich und in geeigneter Form sondiert und deren Anwendung auf den Einzelfall gepr\u00fcft werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e285",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12685"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.1x",
                "label": "Gesch\u00fctzt durch Art. 10 GG ist die Vertraulichkeit der Nutzung des zur Nachrichten\u00fcbermittlung eingesetzten technischen Mediums. Werden kommunikative Daten ohne Einwilligung zur Kenntnis genommen, aufgezeichnet, verwertet oder weitergegeben, so stellt dies ein Grundrechtseingriff dar. Zur Wahrung des Fernmeldegeheimnisses ist jeder Diensteanbieter verpflichtet. Die Pflicht zur Geheimhaltung besteht auch nach dem Ende der T\u00e4tigkeit fort.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e286",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12686"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.2x",
                "label": "Es ist zu verhindern, dass Diensteanbieter sich oder anderen \u00fcber das f\u00fcr die gesch\u00e4ftsm\u00e4\u00dfige Erbringung der Telekommunikationsdienste einschlie\u00dflich des Schutzes ihrer technischen Systeme erforderliche Ma\u00df hinaus Kenntnis vom Inhalt oder den n\u00e4heren Umst\u00e4nden der Telekommunikation verschaffen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e287",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12687"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.3x",
                "label": "Gleicherma\u00dfen ist zu verhindern, dass sich unbefugte Dritte Kenntnisse \u00fcber den Inhalt oder die n\u00e4heren Umst\u00e4nde der Telekommunikation verschaffen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e288",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12688"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.4x",
                "label": "Zu ber\u00fccksichtigen sind hierbei technische Einrichtungen zur mittelbaren und unmittelbaren \u00dcbertragung von Nachrichteninhalten, ferner auch Einrichtungen zur Erhebung, Verarbeitung und Nutzung von Verkehrsdaten (z.B. Teilnehmeranschluss, Netzabschlusspunkt, Vermittlungs- und Leitwegeinrichtungen, Verbindungsnetz sowie Billing- oder Fraud- Systeme).",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e289",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12689"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.5x",
                "label": "Im Bereich der Verwaltung und Verwahrung von Akten, welche dem Fernmeldegeheimnis unterliegen, sind f\u00fcr den Datenschutz hinreichend gen\u00fcgende Aufbewahrungsbeh\u00e4ltnisse zu verwenden sowie entsprechende R\u00e4ume mit Zutrittskontrolle sinnvoll einzusetzen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e290",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12690"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.6x",
                "label": "Es d\u00fcrfen nur Personen Zugriff und Zugang haben, welche eine ausreichende Belehrung \u00fcber die Sensibilit\u00e4t dieser Daten erhalten haben.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e291",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12691"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.7x",
                "label": "Es muss sichergestellt werden, dass bei Nachrichten\u00fcbermittlungssystemen mit Zwischenspeicherung ausschlie\u00dflich der Teilnehmer durch seine Einwilligung Inhalt, Umfang und Art der Verarbeitung bestimmt. Schutzma\u00dfnahmen, die lediglich dem Teilnehmer selbst gestatten zu entscheiden, wer Nachrichteninhalte eingeben und darauf zugreifen darf, k\u00f6nnen durch entsprechende Zugangscodes und Kennw\u00f6rter erf\u00fcllt werden. Diese werden nur dem Teilnehmer vertraulich \u00fcbermittelt und sollen von diesem selbst\u00e4ndig nach Erhalt ver\u00e4ndert werden. Es liegt in der Einwilligungsfreiheit des Teilnehmers, an welche Person er die Zugangskennungen weitergibt.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e292",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12692"
            },
            {
                "category": "4.1 Sicherheitsanforderungen zum Schutz des Fernmeldegeheimnisses (\u00a7 88 TKG)",
                "code": "SK4.1.8",
                "label": "Schutzma\u00dfnahme gegen eine ungerechtfertigte, entgegen dem Vertragsverh\u00e4ltnis vereinbarte L\u00f6schung von Nachrichteninhalten durch den Diensteanbieter kann beispielsweise das Anlegen von Backupsystemen sein.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e293",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12693"
            },
            {
                "category": "4.2 Sicherheitsanforderungen zum Schutz der personenbezogenen Daten (\u00a7\u00a7 91 ff. TKG)",
                "code": "SK4.2x",
                "label": "Die Erhebung, Verarbeitung und Nutzung von Bestands- und Verkehrsdaten der pflichtigen Telekommunikationsunternehmen kann u. a. in \u201eCustomer Care and Billing-Systemen\u201c, in \u201eFraud-Systemen (\u00a7 100 Abs. 3 TKG)\u201c, in \u201eSystemen zur Mitteilung ankommender Verbindungen (\u00a7 101 TKG)\u201c oder in \u201eSystemen zur Aufnahme in \u00f6ffentliche Telefonverzeichnisse\u201c (\u00a7 45m TKG) erfolgen. Im Hinblick auf die Wahrung datenschutzrechtlicher Informationspflichten sind Art. 13 DSGVO und \u00a7 93 TKG zu beachten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e294",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12694"
            },
            {
                "category": "4.2.1 Informationspflichten (\u00a7 93 TKG)",
                "code": "SK4.2.1.1",
                "label": "Es wird empfohlen, die Mitarbeiter durch geeignete Unterrichtsma\u00dfnahmen f\u00fcr die Belange des Datenschutzes zu sensibilisieren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e295",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12695"
            },
            {
                "category": "4.2.1 Informationspflichten (\u00a7 93 TKG)",
                "code": "SK4.2.1.2",
                "label": "Es sollte daneben eine vertragliche Verpflichtungserkl\u00e4rung zur Wahrung des Datenschutzes von allen tangierten Mitarbeitern abgegeben werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e296",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12696"
            },
            {
                "category": "4.2.1 Informationspflichten (\u00a7 93 TKG)",
                "code": "SK4.2.1.3x",
                "label": "Den Teilnehmern sind bei Vertragsabschluss Name und Kontaktdaten des f\u00fcr die Verarbeitung Verantwortlichen mitzuteilen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e297",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12697"
            },
            {
                "category": "4.2.1 Informationspflichten (\u00a7 93 TKG)",
                "code": "SK4.2.1.4x",
                "label": "Die Teilnehmer sind allgemein dar\u00fcber zu unterrichten, welche Art von Daten zu welchen Zwecken und auf welcher Rechtsgrundlage verarbeitet werden sollen. Auch sind die Empf\u00e4nger oder Kategorien von Empf\u00e4ngern zu nennen, an die die personenbezogenen Daten der Teilnehmer \u00fcbermittelt werden. Ist eine \u00dcbermittlung in ein Drittland, also ein Land au\u00dferhalb der EU und des Europ\u00e4ischen Wirtschaftsraumes, beabsichtigt, so muss dies ebenfalls gegen\u00fcber den Teilnehmern angegeben werden. Damit Betroffene wissen, wer der korrekte Ansprechpartner im Unternehmen f\u00fcr datenschutzbezogene Anliegen ist, m\u00fcssen auch die Kontaktdaten des betrieblichen Datenschutzbeauftragten mitgeteilt werden.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e298",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12698"
            },
            {
                "category": "4.2.1 Informationspflichten (\u00a7 93 TKG)",
                "code": "SK4.2.1.5x",
                "label": "Ferner muss auf bestehende Betroffenenrechte \u2013 etwa das Recht auf Berichtigung oder L\u00f6schung \u2013 hingewiesen werden sowie das Recht auf Beschwerde bei der zust\u00e4ndigen Datenschutzbeh\u00f6rde.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e299",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12699"
            },
            {
                "category": "4.2.1 Informationspflichten (\u00a7 93 TKG)",
                "code": "SK4.2.1.6x",
                "label": "Die Teilnehmer sind \u00fcber die ggf. besonderen Risiken der Verletzung der Netzsicherheit aufzukl\u00e4ren und ggf. auch \u00fcber m\u00f6gliche Abhilfen zu informieren.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e300",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12700"
            },
            {
                "category": "4.2.2 Verkehrsdaten (\u00a7 96 TKG)",
                "code": "SK4.2.2.1x",
                "label": "Das Erheben von Verkehrsdaten kann nur zul\u00e4ssig sein, soweit dies f\u00fcr einen der in Abschnitt 2 von Teil 7 des TKG genannten Zwecke erforderlich ist.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e301",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12701"
            },
            {
                "category": "4.2.2 Verkehrsdaten (\u00a7 96 TKG)",
                "code": "SK4.2.2.2x",
                "label": "Unter bestimmten weiteren Bedingungen kann die Ermittlung von Kommunikationsprofilen einzelner Teilnehmer und die Analyse von Verkehrsstr\u00f6men zul\u00e4ssig sein, \u00a7 96 Abs. 3 S. 1 TKG",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e302",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12702"
            },
            {
                "category": "4.2.2 Verkehrsdaten (\u00a7 96 TKG)",
                "code": "SK4.2.2.3x",
                "label": "Die Verkehrsdaten sind i.d.R. vom Diensteanbieter nach Beendigung der Verbindung unverz\u00fcglich zu l\u00f6schen, \u00a7 96 Abs. 1 S. 3 TKG. Auf den Leitfaden des/der BfDI und der BNetzA f\u00fcr eine datenschutzgerechte Speicherung von Verkehrsdaten (Stand 19.12.2012) wird verwiesen (abrufbar unter www.bundesnetzagentur.de/vds).",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e303",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12703"
            },
            {
                "category": "4.2.3 Entgeltermittlung und Entgeltabrechnung (\u00a7 97 TKG)",
                "code": "SK4.2.3.1x",
                "label": "Sind bei der Erstellung von Telekommunikationsrechnungen oder der Erbringung von Telekommunikationsdienstleistungen Dritte eingebunden (z. B. durch Diensteanbieter ohne eigene Netzinfrastruktur), dann sind technische und organisatorische Schnittstellen-Beziehungen zwischen Auftraggeber (Diensteanbieter) und Auftragnehmer (Erf\u00fcllungsgehilfe) eindeutig zu regeln.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e304",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12704"
            },
            {
                "category": "4.2.3 Entgeltermittlung und Entgeltabrechnung (\u00a7 97 TKG)",
                "code": "SK4.2.3.2x",
                "label": "Nicht ben\u00f6tigte Daten nach \u00a7 97 Abs. 3 TKG sind unverz\u00fcglich zu l\u00f6schen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e305",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12705"
            },
            {
                "category": "4.2.4 Standortdaten (\u00a7 98 TKG)",
                "code": "SK4.2.4.1",
                "label": "tbd",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e306",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12706"
            },
            {
                "category": "4.2.5 Einzelverbindungsnachweis (\u00a7 99 TKG)",
                "code": "SK4.2.5.1",
                "label": "tbd",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e307",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12707"
            },
            {
                "category": "4.2.6 Mitteilen ankommender Verbindungen (\u00a7 101 TKG)",
                "code": "SK4.2.6.1",
                "label": "tbd",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e308",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12708"
            },
            {
                "category": "4.2.7 Automatische Anrufweiterschaltung (\u00a7 103 TKG)",
                "code": "SK4.2.7.1",
                "label": "tbd",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e309",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12709"
            },
            {
                "category": "4.2.8 Nachrichten\u00fcbermittlungssysteme mit Zwischenspeicherung (\u00a7 107 TKG)",
                "code": "SK4.2.8.1",
                "label": "tbd",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e310",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12710"
            },
            {
                "category": "4.3.1 St\u00f6rungen von Telekommunikationsanlagen und Missbrauch von Telekommunikationsdiensten (\u00a7 100 TKG)",
                "code": "SK4.3.1.1x",
                "label": "Zum Erkennen, Eingrenzen oder Beseitigen von St\u00f6rungen darf der Diensteanbieter im erforderlichen Umfang Bestands-, Verkehrs- und Steuerdaten erheben und verwenden. Dies ist mit einer Berichtspflicht verkn\u00fcpft. Allgemeine Hinweise zur Berichtspflicht nach \u00a7 100 Abs. 1 TKG und deren Geltung sind unter www.bundesnetzagentur.de/TKG100 abrufbar.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e311",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12711"
            },
            {
                "category": "4.3.1 St\u00f6rungen von Telekommunikationsanlagen und Missbrauch von Telekommunikationsdiensten (\u00a7 100 TKG)",
                "code": "SK4.3.1.2x",
                "label": "Zum Erkennen und Eingrenzen von St\u00f6rungen ist dem Betreiber einer Telekommunikationsanlage unter engen Voraussetzungen auch das Aufschalten auf bestehende Verbindungen gestattet. Eventuell entstandene Aufzeichnungen sind jedoch unverz\u00fcglich zu l\u00f6schen. Mit diesem datenschutzrechtlichen Eingriff ist eine Informationspflicht gegen\u00fcber dem betrieblichen Datenschutzbeauftragten verbunden (vgl. insgesamt \u00a7 100 Abs. 2 TKG).",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e312",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12712"
            },
            {
                "category": "4.3.1 St\u00f6rungen von Telekommunikationsanlagen und Missbrauch von Telekommunikationsdiensten (\u00a7 100 TKG)",
                "code": "SK4.3.1.3x",
                "label": "Liegen Anhaltspunkte f\u00fcr Leistungserschleichung oder Betrug vor, so kann der Diensteanbieter zur Sicherung seines Anspruches unter bestimmten Voraussetzungen Bestands- und Verkehrsdaten verwenden. In diesem Zusammenhang sind Informationspflichten gegen\u00fcber der Bundesnetzagentur und dem/der Bundesbeauftragten f\u00fcr den Datenschutz zu beachten.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e313",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12713"
            },
            {
                "category": "4.3.2 Betr\u00e4chtliche Sicherheitsverletzungen (\u00a7 109 Abs. 5 TKG)",
                "code": "SK4.3.2.1x",
                "label": "Netzbetreiber und Diensteerbringer haben sowohl tats\u00e4chlich eingetretene als auch m\u00f6gliche betr\u00e4chtliche Sicherheitsverletzungen unverz\u00fcglich der Bundesnetzagentur und dem Bundesamt f\u00fcr Sicherheit in der Informationstechnik mitzuteilen. Auf das aktuell g\u00fcltige Umsetzungskonzept zur Meldung von Vorf\u00e4llen wird verwiesen (Stand: 10.11.2017, Version: 4.0, ABl. BNetzA Nr. 22 v. 22.11.2017).",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e314",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12714"
            },
            {
                "category": "4.3.3 Daten- und Informationssicherheit (\u00a7 109a TKG)",
                "code": "SK4.3.3.1",
                "label": "Informationspflichten im Falle einer Verletzung des Schutzes personenbezogener Daten (\u201eDatenschutzpanne\u201c oder \u201eSecurity Breach\u201c). Dem pflichtigen Unternehmen obliegen in diesem Zusammenhang bestimmte Benachrichtigungspflichten gegen\u00fcber dem Betroffenen, aber auch gegen\u00fcber der Bundesnetzagentur und dem/der Bundesbeauftragten f\u00fcr den Datenschutz und die Informationsfreiheit. Auf die Hinweise der Bundesnetzagentur, abrufbar unter www.bundesnetzagentur.de/109a, wird verwiesen.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e315",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12715"
            },
            {
                "category": "5.1 Umsetzung von Sicherheitsanforderungen (\u00a7 109 Abs. 4 TKG )",
                "code": "SK5.1.1",
                "label": "Erstellungs-, Benennungs- und Vorlagenpflichten, sowie Erkl\u00e4rungspflicht",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e316",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12716"
            },
            {
                "category": "5.1.10 Sicherheitskonzept an Ver\u00e4nderungen anpassen",
                "code": "SK5.1.10",
                "label": "Es ist zu gew\u00e4hrleisten, dass in regelm\u00e4\u00dfigen Abst\u00e4nden die Wirksamkeit der umgesetzten Sicherheitsma\u00dfnahmen festgestellt wird.",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e317",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12717"
            },
            {
                "category": "5.1 Umsetzung von Sicherheitsanforderungen (\u00a7 109 Abs. 4 TKG )",
                "code": "SK5.1.2",
                "label": "sicherheitskonzeptionellen Pflichten nach \u00a7 109 Abs. 4 TKG zur Strukturierung geeigneter und angemessener Ma\u00dfnahmen zum Schutz von Fernmeldegeheimnis, Datenschutz und Funktionsf\u00e4higkeit von Netzen und Diensten mit Pr\u00fcfung Konzept und Umsetzung durch BNetzA",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e318",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12718"
            },
            {
                "category": "5.1 Umsetzung von Sicherheitsanforderungen (\u00a7 109 Abs. 4 TKG )",
                "code": "SK5.1.3",
                "label": "\u00dcberpr\u00fcfung der Erf\u00fcllung der Sicherheitsanforderungen aus \u00a7 109 Abs. 1 bis 3 TKG durch eine qualifizierte unabh\u00e4ngige Stelle nach \u00a7 109 Abs. 7 TKG ",
                "referential": "ca9262c7-08a5-4817-8693-c2ec6bf0e319",
                "referential_label": "",
                "uuid": "9fdde5e2-0246-49fe-ace8-f7697da12719"
            }
        ],
        "version": 1
    },
    {
        "label": "ISO/IEC 27002 [2013]",
        "language": "EN",
        "refs": [
            "https://www.iso.org/standard/54533.html"
        ],
        "uuid": "98ca84fb-db87-11e8-ac77-0800279aaa2b",
        "values": [
            {
                "category": "Information security policies",
                "code": "5.1.1",
                "label": "Policies for information security",
                "uuid": "267fc596-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Information security policies",
                "code": "5.1.2",
                "label": "Review of the policies for information security",
                "uuid": "267fc6a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organization of information security",
                "code": "6.1.1",
                "label": "Information security roles and responsibilities",
                "uuid": "267fc73c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organization of information security",
                "code": "6.1.2",
                "label": "Segregation of duties",
                "uuid": "267fd0b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organization of information security",
                "code": "6.1.3",
                "label": "Contact with authorities",
                "uuid": "267fc7c0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organization of information security",
                "code": "6.1.4",
                "label": "Contact with special interest groups",
                "uuid": "267fc80f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organization of information security",
                "code": "6.1.5",
                "label": "Information Security in Project Management",
                "uuid": "267fe6b9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organization of information security",
                "code": "6.2.1",
                "label": "Mobile device policy",
                "uuid": "267fd9d0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organization of information security",
                "code": "6.2.2",
                "label": "Teleworking",
                "uuid": "267fda0e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Human resource security",
                "code": "7.1.1",
                "label": "Screening",
                "uuid": "267fca6b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Human resource security",
                "code": "7.1.2",
                "label": "Terms and conditions of employment",
                "uuid": "267fcaad-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Human resource security",
                "code": "7.2.1",
                "label": "Management responsibilities",
                "uuid": "267fc6f7-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Human resource security",
                "code": "7.2.2",
                "label": "Information security awareness, education and training",
                "uuid": "267fcaeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Human resource security",
                "code": "7.2.3",
                "label": "Disciplinary process",
                "uuid": "267fcb29-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Human resource security",
                "code": "7.3.1",
                "label": "Termination or change of employment responsibilities",
                "uuid": "267fcb79-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.1.1",
                "label": "Inventory of Assets",
                "uuid": "267fc90c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.1.2",
                "label": "Ownership of assets",
                "uuid": "267fc94c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.1.3",
                "label": "Acceptable use of assets",
                "uuid": "267fc989-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.1.4",
                "label": "Return of assets",
                "uuid": "267fcbce-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.2.1",
                "label": "Classification guidelines",
                "uuid": "267fc9c9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.2.2",
                "label": "Labelling of information",
                "uuid": "267fca19-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.2.3",
                "label": "Handling of assets",
                "uuid": "267fe71a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.3.1",
                "label": "Management of removable media",
                "uuid": "267fd32a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.3.2",
                "label": "Disposal of media",
                "uuid": "267fd369-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset management",
                "code": "8.3.3",
                "label": "Physical Media transfer",
                "uuid": "267fd421-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.1.1",
                "label": "Access control policy",
                "uuid": "267fd659-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.1.2",
                "label": "Access to networks and network services",
                "uuid": "267fd81b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.2.1",
                "label": "User registration and deregistration",
                "uuid": "267fd899-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.2.2",
                "label": "User access provisioning",
                "uuid": "267fe782-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.2.3",
                "label": "Management of privileged access rights",
                "uuid": "267fd69f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.2.4",
                "label": "Management of secret authentication information of users",
                "uuid": "267fd6e4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.2.5",
                "label": "Review of user access rights",
                "uuid": "267fd723-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.2.6",
                "label": "Removal or adjustment of access rights",
                "uuid": "267fcc3c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.3.1",
                "label": "Use of secret authentication information",
                "uuid": "267fd761-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.4.1",
                "label": "Information access restriction",
                "uuid": "267fd993-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.4.2",
                "label": "Secure log-on procedures",
                "uuid": "267fd954-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.4.3",
                "label": "Password management system",
                "uuid": "267fd8d8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.4.4",
                "label": "Use of privileged utility programs",
                "uuid": "267fd917-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Access control",
                "code": "9.4.5",
                "label": "Access control to program source code",
                "uuid": "267fdbf1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Cryptography",
                "code": "10.1.1",
                "label": "Policy on the use of cryptographic controls",
                "uuid": "267fda8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Cryptography",
                "code": "10.1.2",
                "label": "Key management",
                "uuid": "267fdacc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.1.1",
                "label": "Physical security perimeter",
                "uuid": "267fcca4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.1.2",
                "label": "Physical entry controls",
                "uuid": "267fcce9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.1.3",
                "label": "Securing offices, rooms and facilities",
                "uuid": "267fcd30-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.1.4",
                "label": "Protecting against external and environmental attacks",
                "uuid": "267fcd6f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.1.5",
                "label": "Working in secure areas",
                "uuid": "267fcdac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.1.6",
                "label": "Delivery and loading areas",
                "uuid": "267fcdec-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.1",
                "label": "Equipment siting and protection",
                "uuid": "267fce44-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.2",
                "label": "Supporting utilities",
                "uuid": "267fce8a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.3",
                "label": "Cabling Security",
                "uuid": "267fcecb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.4",
                "label": "Equipment maintenance",
                "uuid": "267fcf0a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.5",
                "label": "Removal of assets",
                "uuid": "267fcfdf-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.6",
                "label": "Security of equipment and assets off-premises",
                "uuid": "267fcf4f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.7",
                "label": "Secure disposal or re-use of equipment",
                "uuid": "267fcf90-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.8",
                "label": "Unattended user equipment",
                "uuid": "267fd7a0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physical and environmental security",
                "code": "11.2.9",
                "label": "Clear desk and clear screen policy",
                "uuid": "267fd7dd-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.1.1",
                "label": "Documented operating procedures",
                "uuid": "267fd029-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.1.2",
                "label": "Change management",
                "uuid": "267fd073-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.1.3",
                "label": "Capacity management",
                "uuid": "267fd1a8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.1.4",
                "label": "Separation of development, testing and operational environments",
                "uuid": "267fd0ef-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.2.1",
                "label": "Controls against malicious code",
                "uuid": "267fd22e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.3.1",
                "label": "Information Backup",
                "uuid": "267fd272-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.4.1",
                "label": "Event logging",
                "uuid": "267fd529-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.4.2",
                "label": "Protection of log information",
                "uuid": "267fd567-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.4.3",
                "label": "Administrator and operator logs",
                "uuid": "267fd5ae-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.4.4",
                "label": "Clock synchronisation",
                "uuid": "267fd610-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.5.1",
                "label": "Installation of software on operational systems",
                "uuid": "267fdb18-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.6.1",
                "label": "Management of technical vulnerabilities",
                "uuid": "267fdda3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.6.2",
                "label": "Restrictions on software installation",
                "uuid": "267fe8fe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Operations security",
                "code": "12.7.1",
                "label": "Information systems audit controls",
                "uuid": "267fe660-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communications security",
                "code": "13.1.1",
                "label": "Network controls",
                "uuid": "267fd2b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communications security",
                "code": "13.1.2",
                "label": "Security of network services",
                "uuid": "267fd2ee-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communications security",
                "code": "13.1.3",
                "label": "Segregation in networks",
                "uuid": "267fd85b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communications security",
                "code": "13.2.1",
                "label": "Information transfer policies and procedures",
                "uuid": "267fd3a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communications security",
                "code": "13.2.2",
                "label": "Agreements on information transfer",
                "uuid": "267fd3e3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communications security",
                "code": "13.2.3",
                "label": "Electronic messaging",
                "uuid": "267fd462-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communications security",
                "code": "13.2.4",
                "label": "Confidentiality or non-disclosure agreements",
                "uuid": "267fc77e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.1.1",
                "label": "Information security requirements analysis and specification",
                "uuid": "267fda50-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.1.2",
                "label": "Securing application services on public networks",
                "uuid": "267fd4ac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.1.3",
                "label": "Protecting application services transactions",
                "uuid": "267fd4ed-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.1",
                "label": "Secure development policy",
                "uuid": "267fe8a1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.2",
                "label": "System change control procedures",
                "uuid": "267fdc38-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.3",
                "label": "Technical review of applications after operating platform changes",
                "uuid": "267fdc8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.4",
                "label": "Restrictions on changes to software packages",
                "uuid": "267fdcf3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.5",
                "label": "Secure system engineering principles",
                "uuid": "267fdf36-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.6",
                "label": "Secure development environment",
                "uuid": "267fe847-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.7",
                "label": "Outsourced software development",
                "uuid": "267fdd55-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.8",
                "label": "System security testing",
                "uuid": "267fe7e9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.2.9",
                "label": "System acceptance testing",
                "uuid": "267fd1ea-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "System acquisition, development and maintenance",
                "code": "14.3.1",
                "label": "Protection of test data",
                "uuid": "267fdb78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Supplier relationships",
                "code": "15.1.1",
                "label": "Information security policy for supplier relationships",
                "uuid": "267fc88e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Supplier relationships",
                "code": "15.1.2",
                "label": "Addressing security within supplier agreements",
                "uuid": "267fc8cc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Supplier relationships",
                "code": "15.1.3",
                "label": "Information and communication technology supply chain",
                "uuid": "267fe959-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Supplier relationships",
                "code": "15.2.1",
                "label": "Monitoring and review of supplier services",
                "uuid": "267fd12f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Supplier relationships",
                "code": "15.2.2",
                "label": "Managing changes to supplier services",
                "uuid": "267fd16b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "information security incident management",
                "code": "16.1.1",
                "label": "Responsibilities and procedures",
                "uuid": "267fde78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "information security incident management",
                "code": "16.1.2",
                "label": "Reporting information security events",
                "uuid": "267fddeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "information security incident management",
                "code": "16.1.3",
                "label": "Reporting information security weaknesses",
                "uuid": "267fde31-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "information security incident management",
                "code": "16.1.4",
                "label": "Assessment of and decision on information security events",
                "uuid": "267fe9b4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "information security incident management",
                "code": "16.1.5",
                "label": "Response to information security incidents",
                "uuid": "267fea11-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "information security incident management",
                "code": "16.1.6",
                "label": "Learning from information security incidents",
                "uuid": "267fdeb8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "information security incident management",
                "code": "16.1.7",
                "label": "Collection of evidence",
                "uuid": "267fdef6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Information security aspects of business continuity management",
                "code": "17.1.1",
                "label": "Planning information security continuity",
                "uuid": "267fdf76-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Information security aspects of business continuity management",
                "code": "17.1.2",
                "label": "Implementing information security continuity",
                "uuid": "267fdfbe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Information security aspects of business continuity management",
                "code": "17.1.3",
                "label": "Verify, review and evaluate information security continuity",
                "uuid": "267fe022-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Information security aspects of business continuity management",
                "code": "17.2.1",
                "label": "Availability of information processing facilities",
                "uuid": "267fea72-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.1.1",
                "label": "Identification of applicable legislation",
                "uuid": "267fe08b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.1.2",
                "label": "Intellectual Property Rights",
                "uuid": "267fe307-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.1.3",
                "label": "Protection of records",
                "uuid": "267fe37d-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.1.4",
                "label": "Privacy and protection of personally identifiable information",
                "uuid": "267fe3de-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.1.5",
                "label": "Regulation of cryptographic controls",
                "uuid": "267fe510-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.2.1",
                "label": "Independent review of information security",
                "uuid": "267fc84f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.2.2",
                "label": "Compliance with security policies and standards",
                "uuid": "267fe58f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Compliance",
                "code": "18.2.3",
                "label": "Technical compliance review",
                "uuid": "267fe600-f705-11e8-b555-0800279aaa2b"
            }
        ],
        "version": 1,
        "version_ext": "ISO/IEC 27002:2013"
    },
    {
        "authors": [
            "The MONARC project"
        ],
        "label": "ISO/IEC 27002 [2013]",
        "language": "DE",
        "refs": [
            "https://www.iso.org/standard/54533.html"
        ],
        "uuid": "98ca84fb-db87-11e8-ac77-0800279aaa2b",
        "values": [
            {
                "category": "Informationssicherheitspolitik",
                "code": "5.1.1",
                "label": "Informationssicherheitsrichtlinien",
                "uuid": "267fc596-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheitspolitik",
                "code": "5.1.2",
                "label": "\u00dcberpr\u00fcfung der Informationssicherheitsrichtlinien",
                "uuid": "267fc6a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Personalsicherheit",
                "code": "7.2.1",
                "label": "Verantwortlichkeiten der Leitung",
                "uuid": "267fc6f7-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation der Informationssicherheit",
                "code": "6.1.1",
                "label": "Informationssicherheitsrollen und -verantwortlichkeiten",
                "uuid": "267fc73c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kommunikationssicherheit",
                "code": "13.2.4",
                "label": "Vertraulichkeits- oder Geheimhaltungsvereinbarungen",
                "uuid": "267fc77e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation der Informationssicherheit",
                "code": "6.1.3",
                "label": "Kontakt mit Beh\u00f6rden",
                "uuid": "267fc7c0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation der Informationssicherheit",
                "code": "6.1.4",
                "label": "Kontakt mit speziellen Interessensgruppen",
                "uuid": "267fc80f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.2.1",
                "label": "Unabh\u00e4ngige \u00dcberpr\u00fcfung der Informationssicherheit",
                "uuid": "267fc84f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Lieferantenbeziehungen",
                "code": "15.1.1",
                "label": "Informationssicherheitsrichtlinie f\u00fcr Lieferantenbeziehungen",
                "uuid": "267fc88e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Lieferantenbeziehungen",
                "code": "15.1.2",
                "label": "Behandlung von Sicherheit in Lieferantenvereinbarungen",
                "uuid": "267fc8cc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.1.1",
                "label": "Inventarisierung der Werte",
                "uuid": "267fc90c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.1.2",
                "label": "Zust\u00e4ndigkeit f\u00fcr Werte",
                "uuid": "267fc94c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.1.3",
                "label": "Zul\u00e4ssiger Gebrauch von Werten",
                "uuid": "267fc989-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.2.1",
                "label": "Klassifizierung von Information",
                "uuid": "267fc9c9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.2.2",
                "label": "Kennzeichnung von Information",
                "uuid": "267fca19-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Personalsicherheit",
                "code": "7.1.1",
                "label": "Sicherheits\u00fcberpr\u00fcfung",
                "uuid": "267fca6b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Personalsicherheit",
                "code": "7.1.2",
                "label": "Besch\u00e4ftigungs- und Vertragsbedingungen",
                "uuid": "267fcaad-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Personalsicherheit",
                "code": "7.2.2",
                "label": "Informationssicherheitsbewusstsein, -ausbildung und -schulung",
                "uuid": "267fcaeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Personalsicherheit",
                "code": "7.2.3",
                "label": "Ma\u00dfregelungsprozess",
                "uuid": "267fcb29-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Personalsicherheit",
                "code": "7.3.1",
                "label": "Verantwortlichkeiten bei Beendigung oder \u00c4nderung der Besch\u00e4ftigung",
                "uuid": "267fcb79-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.1.4",
                "label": "R\u00fcckgabe von Werten",
                "uuid": "267fcbce-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.2.6",
                "label": "Entzug oder Anpassung von Zugangsrechten",
                "uuid": "267fcc3c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.1.1",
                "label": "Physische Sicherheitsperimeter",
                "uuid": "267fcca4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.1.2",
                "label": "Physische Zutrittssteuerung",
                "uuid": "267fcce9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.1.3",
                "label": "Sichern von B\u00fcros, R\u00e4umen und Einrichtungen",
                "uuid": "267fcd30-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.1.4",
                "label": "Schutz vor externen und umweltbedingten Bedrohungen",
                "uuid": "267fcd6f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.1.5",
                "label": "Arbeiten in Sicherheitsbereichen",
                "uuid": "267fcdac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.1.6",
                "label": "Anlieferungs- und Ladebereiche",
                "uuid": "267fcdec-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.1",
                "label": "Platzierung und Schutz von Ger\u00e4ten und Betriebsmitteln",
                "uuid": "267fce44-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.2",
                "label": "Versorgungseinrichtungen",
                "uuid": "267fce8a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.3",
                "label": "Sicherheit der Verkabelung",
                "uuid": "267fcecb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.4",
                "label": "Instandhaltung von Ger\u00e4ten und Betriebsmitteln",
                "uuid": "267fcf0a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.6",
                "label": "Sicherheit von Ger\u00e4ten, Betriebsmitteln und Werten au\u00dferhalb der R\u00e4umlichkeiten",
                "uuid": "267fcf4f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.7",
                "label": "Sichere Entsorgung oder Wiederverwendung von Ger\u00e4ten und Betriebsmitteln",
                "uuid": "267fcf90-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.5",
                "label": "Entfernen von Werten",
                "uuid": "267fcfdf-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.1.1",
                "label": "Dokumentierte Betriebsabl\u00e4ufe",
                "uuid": "267fd029-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.1.2",
                "label": "\u00c4nderungssteuerung",
                "uuid": "267fd073-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation der Informationssicherheit",
                "code": "6.1.2",
                "label": "Aufgabentrennung",
                "uuid": "267fd0b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.1.4",
                "label": "Trennung von Entwicklungs-, Test- und Betriebsumgebungen",
                "uuid": "267fd0ef-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Lieferantenbeziehungen",
                "code": "15.2.1",
                "label": "\u00dcberwachung und \u00dcberpr\u00fcfung von Lieferantendienstleistungen",
                "uuid": "267fd12f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Lieferantenbeziehungen",
                "code": "15.2.2",
                "label": "Handhabung der \u00c4nderungen von Lieferantendienstleistungen",
                "uuid": "267fd16b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.1.3",
                "label": "Kapazit\u00e4tssteuerung",
                "uuid": "267fd1a8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.9",
                "label": "Systemabnahmetest",
                "uuid": "267fd1ea-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.2.1",
                "label": "Ma\u00dfnahmen gegen Schadsoftware",
                "uuid": "267fd22e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.3.1",
                "label": "Sicherung von Information",
                "uuid": "267fd272-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kommunikationssicherheit",
                "code": "13.1.1",
                "label": "Netzwerksteuerungsma\u00dfnahmen",
                "uuid": "267fd2b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kommunikationssicherheit",
                "code": "13.1.2",
                "label": "Sicherheit von Netzwerkdiensten",
                "uuid": "267fd2ee-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.3.1",
                "label": "Handhabung von Wechseldatentr\u00e4gern",
                "uuid": "267fd32a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.3.2",
                "label": "Entsorgung von Datentr\u00e4gern",
                "uuid": "267fd369-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kommunikationssicherheit",
                "code": "13.2.1",
                "label": "Richtlinien und Verfahren f\u00fcr die Informations\u00fcbertragung",
                "uuid": "267fd3a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kommunikationssicherheit",
                "code": "13.2.2",
                "label": "Vereinbarungen zur Informations\u00fcbertragung",
                "uuid": "267fd3e3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.3.3",
                "label": "Transport von Datentr\u00e4gern",
                "uuid": "267fd421-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kommunikationssicherheit",
                "code": "13.2.3",
                "label": "Elektronische Nachrichten\u00fcbermittlung",
                "uuid": "267fd462-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.1.2",
                "label": "Sicherung von Anwendungsdiensten in \u00f6ffentlichen Netzwerken",
                "uuid": "267fd4ac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.1.3",
                "label": "Schutz der Transaktionen bei Anwendungsdiensten",
                "uuid": "267fd4ed-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.4.1",
                "label": "Ereignisprotokollierung",
                "uuid": "267fd529-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.4.2",
                "label": "Schutz der Protokollinformation",
                "uuid": "267fd567-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.4.3",
                "label": "Administratoren- und Bedienerprotokolle",
                "uuid": "267fd5ae-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.4.4",
                "label": "Uhrensynchronisation",
                "uuid": "267fd610-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.1.1",
                "label": "Zugangssteuerungsrichtlinie",
                "uuid": "267fd659-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.2.3",
                "label": "Verwaltung privilegierter Zugangsrechte",
                "uuid": "267fd69f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.2.4",
                "label": "Verwaltung geheimer Authentisierungsinformation von Benutzern",
                "uuid": "267fd6e4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.2.5",
                "label": "\u00dcberpr\u00fcfung von Benutzerzugangsrechten",
                "uuid": "267fd723-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.3.1",
                "label": "Gebrauch geheimer Authentisierungsinformation",
                "uuid": "267fd761-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.8",
                "label": "Unbeaufsichtigte Benutzerger\u00e4te",
                "uuid": "267fd7a0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Physische und Umgebungssicherheit",
                "code": "11.2.9",
                "label": "Richtlinien f\u00fcr eine aufger\u00e4umte Arbeitsumgebung und Bildschirmsperren",
                "uuid": "267fd7dd-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.1.2",
                "label": "Zugang zu Netzwerken und Netzwerkdiensten",
                "uuid": "267fd81b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kommunikationssicherheit",
                "code": "13.1.3",
                "label": "Trennung in Netzwerken",
                "uuid": "267fd85b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.2.1",
                "label": "Registrierung und Deregistrierung von Benutzern",
                "uuid": "267fd899-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.4.3",
                "label": "System zur Verwaltung von Kennw\u00f6rtern",
                "uuid": "267fd8d8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.4.4",
                "label": "Gebrauch von Hilfsprogrammen mit privilegierten Rechten",
                "uuid": "267fd917-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.4.2",
                "label": "Sichere Anmeldeverfahren",
                "uuid": "267fd954-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.4.1",
                "label": "Informationszugangsbeschr\u00e4nkung",
                "uuid": "267fd993-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation der Informationssicherheit",
                "code": "6.2.1",
                "label": "Richtlinie zu Mobilger\u00e4ten",
                "uuid": "267fd9d0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation der Informationssicherheit",
                "code": "6.2.2",
                "label": "Telearbeit",
                "uuid": "267fda0e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.1.1",
                "label": "Analyse und Spezifikation von Informationssicherheitsanforderungen",
                "uuid": "267fda50-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kryptografie",
                "code": "10.1.1",
                "label": "Richtlinie zum Gebrauch von kryptographischen Ma\u00dfnahmen",
                "uuid": "267fda8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Kryptografie",
                "code": "10.1.2",
                "label": "Schl\u00fcsselverwaltung",
                "uuid": "267fdacc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.5.1",
                "label": "Installation von Software auf Systemen im Betrieb",
                "uuid": "267fdb18-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.3.1",
                "label": "Schutz von Testdaten",
                "uuid": "267fdb78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.4.5",
                "label": "Zugangssteuerung f\u00fcr Quellcode von Programmen",
                "uuid": "267fdbf1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.2",
                "label": "Verfahren zur Verwaltung von System\u00e4nderungen",
                "uuid": "267fdc38-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.3",
                "label": "Technische \u00dcberpr\u00fcfung von Anwendungen nach \u00c4nderungen an der Betriebsplattform",
                "uuid": "267fdc8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.4",
                "label": "Beschr\u00e4nkung von \u00c4nderungen an Softwarepaketen",
                "uuid": "267fdcf3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.7",
                "label": "Ausgegliederte Entwicklung",
                "uuid": "267fdd55-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.6.1",
                "label": "Handhabung von technischen Schwachstellen",
                "uuid": "267fdda3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheits-St\u00f6rfallmanagement",
                "code": "16.1.2",
                "label": "Meldung von Informationssicherheitsereignissen",
                "uuid": "267fddeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheits-St\u00f6rfallmanagement",
                "code": "16.1.3",
                "label": "Meldung von Schw\u00e4chen in der Informationssicherheit",
                "uuid": "267fde31-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheits-St\u00f6rfallmanagement",
                "code": "16.1.1",
                "label": "Verantwortlichkeiten und Verfahren",
                "uuid": "267fde78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheits-St\u00f6rfallmanagement",
                "code": "16.1.6",
                "label": "Erkenntnisse aus Informationssicherheitsvorf\u00e4llen",
                "uuid": "267fdeb8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheits-St\u00f6rfallmanagement",
                "code": "16.1.7",
                "label": "Sammeln von Beweismaterial",
                "uuid": "267fdef6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.5",
                "label": "Grunds\u00e4tze f\u00fcr die Analyse, Entwicklung und Pflege sicherer Systeme",
                "uuid": "267fdf36-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheitsaspekte des betrieblichen Kontinuit\u00e4tsmanagement",
                "code": "17.1.1",
                "label": "Planung zur Aufrechterhaltung der Informationssicherheit",
                "uuid": "267fdf76-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheitsaspekte des betrieblichen Kontinuit\u00e4tsmanagement",
                "code": "17.1.2",
                "label": "Umsetzung der Aufrechterhaltung der Informationssicherheit",
                "uuid": "267fdfbe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheitsaspekte des betrieblichen Kontinuit\u00e4tsmanagement",
                "code": "17.1.3",
                "label": "\u00dcberpr\u00fcfen und Bewerten der Aufrechterhaltung der Informationssicherheit",
                "uuid": "267fe022-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.1.1",
                "label": "Bestimmung der anwendbaren Gesetzgebung und der vertraglichen Anforderungen",
                "uuid": "267fe08b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.1.2",
                "label": "Geistige Eigentumsrechte",
                "uuid": "267fe307-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.1.3",
                "label": "Schutz von Aufzeichnungen",
                "uuid": "267fe37d-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.1.4",
                "label": "Privatsph\u00e4re und Schutz von personenbezogener Information",
                "uuid": "267fe3de-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.1.5",
                "label": "Regelungen bez\u00fcglich kryptographischer Ma\u00dfnahmen",
                "uuid": "267fe510-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.2.2",
                "label": "Einhaltung von Sicherheitsrichtlinien und -standards",
                "uuid": "267fe58f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Konformit\u00e4t",
                "code": "18.2.3",
                "label": "\u00dcberpr\u00fcfung der Einhaltung von technischen Vorgaben",
                "uuid": "267fe600-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.7.1",
                "label": "Ma\u00dfnahmen f\u00fcr Audits von Informationssystemen",
                "uuid": "267fe660-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation der Informationssicherheit",
                "code": "6.1.5",
                "label": "Informationssicherheit im Projektmanagement",
                "uuid": "267fe6b9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Asset Management",
                "code": "8.2.3",
                "label": "Handhabung von Werten",
                "uuid": "267fe71a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Zugriffskontrolle",
                "code": "9.2.2",
                "label": "Zuteilung von Benutzerzug\u00e4ngen",
                "uuid": "267fe782-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.8",
                "label": "Testen der Systemsicherheit",
                "uuid": "267fe7e9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.6",
                "label": "Sichere Entwicklungsumgebung",
                "uuid": "267fe847-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Systemerwerb, Entwicklung und Wartung",
                "code": "14.2.1",
                "label": "Richtlinie f\u00fcr sichere Entwicklung",
                "uuid": "267fe8a1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Betriebssicherheit",
                "code": "12.6.2",
                "label": "Einschr\u00e4nkungen von Softwareinstallation",
                "uuid": "267fe8fe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Lieferantenbeziehungen",
                "code": "15.1.3",
                "label": "Lieferkette f\u00fcr Informations- und Kommunikationstechnologie",
                "uuid": "267fe959-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheits-St\u00f6rfallmanagement",
                "code": "16.1.4",
                "label": "Beurteilung von und Entscheidung \u00fcber Informationssicherheitsereignisse",
                "uuid": "267fe9b4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheits-St\u00f6rfallmanagement",
                "code": "16.1.5",
                "label": "Reaktion auf Informationssicherheitsvorf\u00e4lle",
                "uuid": "267fea11-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informationssicherheitsaspekte des betrieblichen Kontinuit\u00e4tsmanagement",
                "code": "17.2.1",
                "label": "Verf\u00fcgbarkeit von informationsverarbeitenden Einrichtungen",
                "uuid": "267fea72-f705-11e8-b555-0800279aaa2b"
            }
        ],
        "version": 1,
        "version_ext": "ISO/IEC 27002:2013"
    },
    {
        "authors": [
            "The MONARC project"
        ],
        "label": "ISO/IEC 27002 [2013]",
        "language": "FR",
        "refs": [
            "https://www.iso.org/standard/54533.html"
        ],
        "uuid": "98ca84fb-db87-11e8-ac77-0800279aaa2b",
        "values": [
            {
                "category": "Politiques de s\u00e9curit\u00e9 de l'information",
                "code": "5.1.1",
                "label": "Politiques de s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fc596-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Politiques de s\u00e9curit\u00e9 de l'information",
                "code": "5.1.2",
                "label": "Revue des politiques de s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fc6a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "7.2.1",
                "label": "Responsabilit\u00e9s de la direction",
                "uuid": "267fc6f7-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l'information",
                "code": "6.1.1",
                "label": "Fonctions et responsabilit\u00e9s li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fc73c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 des communications",
                "code": "13.2.4",
                "label": "Engagements de confidentialit\u00e9 ou de non-divulgation",
                "uuid": "267fc77e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l'information",
                "code": "6.1.3",
                "label": "Relations avec les autorit\u00e9s",
                "uuid": "267fc7c0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l'information",
                "code": "6.1.4",
                "label": "Relations avec des groupes de travail sp\u00e9cialis\u00e9s",
                "uuid": "267fc80f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.2.1",
                "label": "Revue ind\u00e9pendante de la s\u00e9curit\u00e9 de l'information",
                "uuid": "267fc84f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Relations avec le fournisseurs",
                "code": "15.1.1",
                "label": "Politique de s\u00e9curit\u00e9 de l\u2019information dans les relations avec les fournisseurs",
                "uuid": "267fc88e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Relations avec le fournisseurs",
                "code": "15.1.2",
                "label": "La s\u00e9curit\u00e9 dans les accords conclus avec les fournisseurs",
                "uuid": "267fc8cc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.1.1",
                "label": "Inventaire des actifs",
                "uuid": "267fc90c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.1.2",
                "label": "Propri\u00e9t\u00e9 des actifs",
                "uuid": "267fc94c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.1.3",
                "label": "Utilisation correcte des actifs",
                "uuid": "267fc989-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.2.1",
                "label": "Classification des informations",
                "uuid": "267fc9c9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.2.2",
                "label": "Marquage des informations",
                "uuid": "267fca19-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "7.1.1",
                "label": "S\u00e9lection des candidats",
                "uuid": "267fca6b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "7.1.2",
                "label": "Termes et conditions d'embauche",
                "uuid": "267fcaad-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "7.2.2",
                "label": "Sensibilisation, qualification et formations en mati\u00e8re de s\u00e9curit\u00e9 de l'information",
                "uuid": "267fcaeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "7.2.3",
                "label": "Processus disciplinaire",
                "uuid": "267fcb29-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "La s\u00e9curit\u00e9 des ressources humaines",
                "code": "7.3.1",
                "label": "Ach\u00e8vement ou modification des responsabilit\u00e9s associ\u00e9es au contrat de travail",
                "uuid": "267fcb79-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.1.4",
                "label": "Restitution des actifs",
                "uuid": "267fcbce-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.2.6",
                "label": "Suppression ou adaptation des droits d\u2019acc\u00e8s",
                "uuid": "267fcc3c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.1.1",
                "label": "P\u00e9rim\u00e8tre de s\u00e9curit\u00e9 physique",
                "uuid": "267fcca4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.1.2",
                "label": "Contr\u00f4les physiques des acc\u00e8s",
                "uuid": "267fcce9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.1.3",
                "label": "S\u00e9curisation des bureaux, des salles et des \u00e9quipements",
                "uuid": "267fcd30-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.1.4",
                "label": "Protection contre les menaces ext\u00e9rieures et environnementales",
                "uuid": "267fcd6f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.1.5",
                "label": "Travail dans les zones s\u00e9curis\u00e9es",
                "uuid": "267fcdac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.1.6",
                "label": "Zones de livraison et de chargement",
                "uuid": "267fcdec-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.1",
                "label": "Emplacement et protection du mat\u00e9riel",
                "uuid": "267fce44-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.2",
                "label": "Services g\u00e9n\u00e9raux",
                "uuid": "267fce8a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.3",
                "label": "S\u00e9curit\u00e9 du c\u00e2blage",
                "uuid": "267fcecb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.4",
                "label": "Maintenance du mat\u00e9riel",
                "uuid": "267fcf0a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.6",
                "label": "S\u00e9curit\u00e9 du mat\u00e9riel et des actifs hors des locaux",
                "uuid": "267fcf4f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.7",
                "label": "Mise au rebut ou recyclage s\u00e9curis\u00e9(e) du mat\u00e9riel",
                "uuid": "267fcf90-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.5",
                "label": "Sortie des actifs",
                "uuid": "267fcfdf-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.1.1",
                "label": "Proc\u00e9dures d\u2019exploitation document\u00e9es",
                "uuid": "267fd029-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.1.2",
                "label": "Gestion des changements",
                "uuid": "267fd073-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l'information",
                "code": "6.1.2",
                "label": "S\u00e9paration des t\u00e2ches",
                "uuid": "267fd0b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.1.4",
                "label": "S\u00e9paration des environnements de d\u00e9veloppement, de test et d\u2019exploitation",
                "uuid": "267fd0ef-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Relations avec le fournisseurs",
                "code": "15.2.1",
                "label": "Surveillance et revue des services des fournisseurs",
                "uuid": "267fd12f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Relations avec le fournisseurs",
                "code": "15.2.2",
                "label": "Gestion des changements apport\u00e9s dans les services des fournisseurs",
                "uuid": "267fd16b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.1.3",
                "label": "Dimensionnement",
                "uuid": "267fd1a8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.9",
                "label": "Test de conformit\u00e9 du syst\u00e8me",
                "uuid": "267fd1ea-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.2.1",
                "label": "Mesures contre les logiciels malveillants",
                "uuid": "267fd22e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.3.1",
                "label": "Sauvegarde des informations",
                "uuid": "267fd272-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 des communications",
                "code": "13.1.1",
                "label": "Contr\u00f4le des r\u00e9seaux",
                "uuid": "267fd2b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 des communications",
                "code": "13.1.2",
                "label": "S\u00e9curit\u00e9 des services de r\u00e9seau",
                "uuid": "267fd2ee-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.3.1",
                "label": "Gestion des supports amovibles",
                "uuid": "267fd32a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.3.2",
                "label": "Mise au rebut des supports",
                "uuid": "267fd369-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 des communications",
                "code": "13.2.1",
                "label": "Politiques et proc\u00e9dures de transfert de l\u2019information",
                "uuid": "267fd3a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 des communications",
                "code": "13.2.2",
                "label": "Accords en mati\u00e8re de transfert d\u2019information",
                "uuid": "267fd3e3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.3.3",
                "label": "Transfert physique des supports",
                "uuid": "267fd421-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 des communications",
                "code": "13.2.3",
                "label": "Messagerie \u00e9lectronique",
                "uuid": "267fd462-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.1.2",
                "label": "S\u00e9curisation des services d\u2019application sur les r\u00e9seaux publics",
                "uuid": "267fd4ac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.1.3",
                "label": "Protection des transactions li\u00e9es aux services d\u2019application",
                "uuid": "267fd4ed-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.1",
                "label": "Journalisation des \u00e9v\u00e9nements",
                "uuid": "267fd529-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.2",
                "label": "Protection de l\u2019information journalis\u00e9e",
                "uuid": "267fd567-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.3",
                "label": "Journaux administrateur et op\u00e9rateur",
                "uuid": "267fd5ae-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.4.4",
                "label": "Synchronisation des horloges",
                "uuid": "267fd610-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.1.1",
                "label": "Politique de contr\u00f4le d\u2019acc\u00e8s",
                "uuid": "267fd659-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.2.3",
                "label": "Gestion des privil\u00e8ges d\u2019acc\u00e8s",
                "uuid": "267fd69f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.2.4",
                "label": "Gestion des informations secr\u00e8tes d\u2019authentification des utilisateurs",
                "uuid": "267fd6e4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.2.5",
                "label": "Revue des droits d\u2019acc\u00e8s utilisateur",
                "uuid": "267fd723-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.3.1",
                "label": "Utilisation d\u2019informations secr\u00e8tes d\u2019authentification",
                "uuid": "267fd761-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.8",
                "label": "Mat\u00e9riel utilisateur laiss\u00e9 sans surveillance",
                "uuid": "267fd7a0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 physique et environnementale",
                "code": "11.2.9",
                "label": "Politique du bureau propre et de l\u2019\u00e9cran vide",
                "uuid": "267fd7dd-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.1.2",
                "label": "Acc\u00e8s aux r\u00e9seaux et aux services en r\u00e9seau",
                "uuid": "267fd81b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 des communications",
                "code": "13.1.3",
                "label": "Cloisonnement des r\u00e9seaux",
                "uuid": "267fd85b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.2.1",
                "label": "Enregistrement et d\u00e9sinscription des utilisateurs",
                "uuid": "267fd899-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.4.3",
                "label": "Syst\u00e8me de gestion des mots de passe",
                "uuid": "267fd8d8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.4.4",
                "label": "Utilisation de programmes utilitaires \u00e0 privil\u00e8ges",
                "uuid": "267fd917-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.4.2",
                "label": "S\u00e9curiser les proc\u00e9dures de connexion",
                "uuid": "267fd954-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.4.1",
                "label": "Restriction d\u2019acc\u00e8s \u00e0 l\u2019information",
                "uuid": "267fd993-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l'information",
                "code": "6.2.1",
                "label": "Politique en mati\u00e8re d'appareils mobiles",
                "uuid": "267fd9d0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l'information",
                "code": "6.2.2",
                "label": "T\u00e9l\u00e9travail",
                "uuid": "267fda0e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.1.1",
                "label": "Analyse et sp\u00e9cification des exigences de s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fda50-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.1",
                "label": "Politique d\u2019utilisation des mesures cryptographiques",
                "uuid": "267fda8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Cryptographie",
                "code": "10.1.2",
                "label": "Gestion des cl\u00e9s",
                "uuid": "267fdacc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.5.1",
                "label": "Installation de logiciels sur des syst\u00e8mes en exploitation",
                "uuid": "267fdb18-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.3.1",
                "label": "Protection des donn\u00e9es de test",
                "uuid": "267fdb78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.4.5",
                "label": "Contr\u00f4le d\u2019acc\u00e8s au code source des programmes",
                "uuid": "267fdbf1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.2",
                "label": "Proc\u00e9dures de contr\u00f4le des changements apport\u00e9s au syst\u00e8me",
                "uuid": "267fdc38-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.3",
                "label": "Revue technique des applications apr\u00e8s changement apport\u00e9 \u00e0 la plateforme d\u2019exploitation",
                "uuid": "267fdc8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.4",
                "label": "Restrictions relatives aux changements apport\u00e9s aux progiciels",
                "uuid": "267fdcf3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.7",
                "label": "D\u00e9veloppement externalis\u00e9",
                "uuid": "267fdd55-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.6.1",
                "label": "Gestion des vuln\u00e9rabilit\u00e9s techniques",
                "uuid": "267fdda3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.2",
                "label": "Signalement des \u00e9v\u00e9nements li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fddeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.3",
                "label": "Signalement des failles li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fde31-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.1",
                "label": "Responsabilit\u00e9s et proc\u00e9dures",
                "uuid": "267fde78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.6",
                "label": "Tirer des enseignements des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fdeb8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.7",
                "label": "Recueil de preuves",
                "uuid": "267fdef6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.5",
                "label": "Principes d\u2019ing\u00e9nierie de la s\u00e9curit\u00e9 des syst\u00e8mes",
                "uuid": "267fdf36-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "17.1.1",
                "label": "Organisation de la continuit\u00e9 de la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fdf76-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "17.1.2",
                "label": "Mise en \u0153uvre de la continuit\u00e9 de la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fdfbe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "17.1.3",
                "label": "V\u00e9rifier, revoir et \u00e9valuer la continuit\u00e9 de la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fe022-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.1.1",
                "label": "Identification de la l\u00e9gislation et des exigences contractuelles applicables",
                "uuid": "267fe08b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.1.2",
                "label": "Droits de propri\u00e9t\u00e9 intellectuelle",
                "uuid": "267fe307-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.1.3",
                "label": "Protection des enregistrements",
                "uuid": "267fe37d-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.1.4",
                "label": "Protection de la vie priv\u00e9e et protection des donn\u00e9es \u00e0 caract\u00e8re personnel",
                "uuid": "267fe3de-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.1.5",
                "label": "R\u00e9glementation relative aux mesures cryptographiques",
                "uuid": "267fe510-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.2.2",
                "label": "Conformit\u00e9 avec les politiques et les normes de s\u00e9curit\u00e9",
                "uuid": "267fe58f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Conformit\u00e9",
                "code": "18.2.3",
                "label": "Examen de la conformit\u00e9 technique",
                "uuid": "267fe600-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.7.1",
                "label": "Mesures relatives \u00e0 l\u2019audit des syst\u00e8mes d\u2019information",
                "uuid": "267fe660-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organisation de la s\u00e9curit\u00e9 de l'information",
                "code": "6.1.5",
                "label": "La s\u00e9curit\u00e9 de l\u2019information dans la gestion de projet",
                "uuid": "267fe6b9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des actifs",
                "code": "8.2.3",
                "label": "Manipulation des actifs",
                "uuid": "267fe71a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Contr\u00f4le d'acc\u00e8s",
                "code": "9.2.2",
                "label": "Ma\u00eetrise de la gestion des acc\u00e8s utilisateur",
                "uuid": "267fe782-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.8",
                "label": "Phase de test de la s\u00e9curit\u00e9 du syst\u00e8me",
                "uuid": "267fe7e9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.6",
                "label": "Environnement de d\u00e9veloppement s\u00e9curis\u00e9",
                "uuid": "267fe847-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisition, d\u00e9veloppement et maintenance des syst\u00e8mes d'information",
                "code": "14.2.1",
                "label": "Politique de d\u00e9veloppement s\u00e9curis\u00e9",
                "uuid": "267fe8a1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "S\u00e9curit\u00e9 li\u00e9e \u00e0 l'exploitation",
                "code": "12.6.2",
                "label": "Restrictions li\u00e9es \u00e0 l\u2019installation de logiciels",
                "uuid": "267fe8fe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Relations avec le fournisseurs",
                "code": "15.1.3",
                "label": "Cha\u00eene d\u2019approvisionnement informatique",
                "uuid": "267fe959-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.4",
                "label": "Appr\u00e9ciation des \u00e9v\u00e9nements li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information et prise de d\u00e9cision",
                "uuid": "267fe9b4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Gestion des incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l'information",
                "code": "16.1.5",
                "label": "R\u00e9ponse aux incidents li\u00e9s \u00e0 la s\u00e9curit\u00e9 de l\u2019information",
                "uuid": "267fea11-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Aspects de la s\u00e9curit\u00e9 de l'information dans la gestion de la continuit\u00e9 de l'activit\u00e9",
                "code": "17.2.1",
                "label": "Disponibilit\u00e9 des moyens de traitement de l\u2019information",
                "uuid": "267fea72-f705-11e8-b555-0800279aaa2b"
            }
        ],
        "version": 1,
        "version_ext": "ISO/IEC 27002:2013"
    },
    {
        "authors": [
            "The MONARC project"
        ],
        "label": "ISO/IEC 27002 [2013]",
        "language": "NL",
        "refs": [
            "https://www.iso.org/standard/54533.html"
        ],
        "uuid": "98ca84fb-db87-11e8-ac77-0800279aaa2b",
        "values": [
            {
                "category": "Informatiebeveiligingsbeleid",
                "code": "5.1.1",
                "label": "Informatiebeveiligingsbeleidslijnen",
                "uuid": "267fc596-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informatiebeveiligingsbeleid",
                "code": "5.1.2",
                "label": "Beoordeling van de informatiebeveiligingsbeleidslijnen",
                "uuid": "267fc6a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Veilig personeel",
                "code": "7.2.1",
                "label": "Verantwoordelijkheden van de directie",
                "uuid": "267fc6f7-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organiseren van informatiebeveiliging",
                "code": "6.1.1",
                "label": "Functies en verantwoordelijkheden i.v.m. informatiebeveiliging",
                "uuid": "267fc73c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "13.2.4",
                "label": "Verplichtingen inzake vertrouwelijkheid en niet-verspreiding",
                "uuid": "267fc77e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organiseren van informatiebeveiliging",
                "code": "6.1.3",
                "label": "Relaties met de overheden",
                "uuid": "267fc7c0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organiseren van informatiebeveiliging",
                "code": "6.1.4",
                "label": "Relaties met gespecialiseerde werkgroepen",
                "uuid": "267fc80f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.2.1",
                "label": "Onafhankelijke beoordeling van de informatiebeveiligingsbeleidslijnen",
                "uuid": "267fc84f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Leveranciersrelaties",
                "code": "15.1.1",
                "label": "Informatiebeveiligingsbeleid in de relaties met leveranciers",
                "uuid": "267fc88e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Leveranciersrelaties",
                "code": "15.1.2",
                "label": "Veiligheid in de met leveranciers gesloten akkoorden",
                "uuid": "267fc8cc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.1.1",
                "label": "Inventaris van de activa",
                "uuid": "267fc90c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.1.2",
                "label": "Eigendom van de activa",
                "uuid": "267fc94c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.1.3",
                "label": "Correct gebruik van de activa",
                "uuid": "267fc989-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.2.1",
                "label": "Classificatie van de informatie",
                "uuid": "267fc9c9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.2.2",
                "label": "Markering van de informatie",
                "uuid": "267fca19-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Veilig personeel",
                "code": "7.1.1",
                "label": "Selectie van de kandidaten",
                "uuid": "267fca6b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Veilig personeel",
                "code": "7.1.2",
                "label": "Rekruteringsvoorwaarden",
                "uuid": "267fcaad-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Veilig personeel",
                "code": "7.2.2",
                "label": "Sensibilisering, kwalificatie en opleidingen inzake informatiebeveiliging",
                "uuid": "267fcaeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Veilig personeel",
                "code": "7.2.3",
                "label": "Disciplinair proces",
                "uuid": "267fcb29-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Veilig personeel",
                "code": "7.3.1",
                "label": "Voltooiing of wijziging van de verantwoordelijkheden die samenhangen met het arbeidscontract",
                "uuid": "267fcb79-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.1.4",
                "label": "Teruggave van de activa",
                "uuid": "267fcbce-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.2.6",
                "label": "Opheffing of aanpassing van de toegangsrechten",
                "uuid": "267fcc3c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.1.1",
                "label": "Fysieke veiligheidsperimeter",
                "uuid": "267fcca4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.1.2",
                "label": "Fysieke toegangscontroles",
                "uuid": "267fcce9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.1.3",
                "label": "Beveiliging van de kantoren, de lokalen en de uitrustingen",
                "uuid": "267fcd30-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.1.4",
                "label": "Beveiliging tegen externe en milieubedreigingen",
                "uuid": "267fcd6f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.1.5",
                "label": "Werk in de beveiligde zones",
                "uuid": "267fcdac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.1.6",
                "label": "Leverings- en laad- en loszones",
                "uuid": "267fcdec-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.1",
                "label": "Plaats en bescherming van de hardware",
                "uuid": "267fce44-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.2",
                "label": "Algemene diensten",
                "uuid": "267fce8a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.3",
                "label": "Veiligheid van de bekabeling",
                "uuid": "267fcecb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.4",
                "label": "Onderhoud van de hardware",
                "uuid": "267fcf0a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.6",
                "label": "Veiligheid van de hardware en de activa buiten de bedrijfsruimten",
                "uuid": "267fcf4f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.7",
                "label": "Veilige afdanking of recyclage van de hardware",
                "uuid": "267fcf90-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.5",
                "label": "Afdanking van de activa",
                "uuid": "267fcfdf-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.1.1",
                "label": "Gedocumenteerde exploitatieprocedures",
                "uuid": "267fd029-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.1.2",
                "label": "Beheer van verandering (change management)",
                "uuid": "267fd073-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organiseren van informatiebeveiliging",
                "code": "6.1.2",
                "label": "Scheiding van de taken",
                "uuid": "267fd0b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.1.4",
                "label": "Scheiding van de ontwikkelings-, test- en exploitatieomgevingen",
                "uuid": "267fd0ef-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Leveranciersrelaties",
                "code": "15.2.1",
                "label": "Toezicht op en beoordeling van de diensten van de leveranciers",
                "uuid": "267fd12f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Leveranciersrelaties",
                "code": "15.2.2",
                "label": "Beheer van de wijzigingen aangebracht in de diensten van de leveranciers",
                "uuid": "267fd16b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.1.3",
                "label": "Dimensionering",
                "uuid": "267fd1a8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.9",
                "label": "Systeemconformiteitstest",
                "uuid": "267fd1ea-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.2.1",
                "label": "Maatregelen tegen malware",
                "uuid": "267fd22e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.3.1",
                "label": "Back-up van de informatie",
                "uuid": "267fd272-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "13.1.1",
                "label": "Controle van de netwerken",
                "uuid": "267fd2b1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "13.1.2",
                "label": "Veiligheid van de netwerkdiensten",
                "uuid": "267fd2ee-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.3.1",
                "label": "Beheer van de draagbare informatiedragers",
                "uuid": "267fd32a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.3.2",
                "label": "Afdanking van informatiedragers",
                "uuid": "267fd369-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "13.2.1",
                "label": "Beleid en procedures op het vlak van informatiedoorgifte",
                "uuid": "267fd3a6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "13.2.2",
                "label": "Akkoorden op het vlak van informatiedoorgifte",
                "uuid": "267fd3e3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.3.3",
                "label": "Fysieke doorgifte van informatiedragers",
                "uuid": "267fd421-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "13.2.3",
                "label": "E-mail",
                "uuid": "267fd462-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.1.2",
                "label": "Beveiliging van de toepassingsdiensten op de openbare communicatienetwerken",
                "uuid": "267fd4ac-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.1.3",
                "label": "Bescherming van de transacties i.v.m. de toepassingsdiensten",
                "uuid": "267fd4ed-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.4.1",
                "label": "Loggen van evenementen",
                "uuid": "267fd529-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.4.2",
                "label": "Beveiliging van de gelogde informatie",
                "uuid": "267fd567-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.4.3",
                "label": "Administrator- en operatorlogboeken",
                "uuid": "267fd5ae-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.4.4",
                "label": "Synchronisatie van de klokken",
                "uuid": "267fd610-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.1.1",
                "label": "Toegangscontrolebeleid",
                "uuid": "267fd659-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.2.3",
                "label": "Beheer van de toegangsrechten",
                "uuid": "267fd69f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.2.4",
                "label": "Beheer van de geheime gebruikersauthenticatiegegevens",
                "uuid": "267fd6e4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.2.5",
                "label": "Beoordeling van de gebruikerstoegangsrechten",
                "uuid": "267fd723-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.3.1",
                "label": "Gebruik van geheime authenticatiegegevens",
                "uuid": "267fd761-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.8",
                "label": "Onbewaakt achtergelaten gebruikershardware",
                "uuid": "267fd7a0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Fysieke beveiliging en beveiliging van de omgeving",
                "code": "11.2.9",
                "label": "Clean desk- en leeg-schermbeleid",
                "uuid": "267fd7dd-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.1.2",
                "label": "Toegang tot de netwerken en de netwerkdiensten",
                "uuid": "267fd81b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Communicatiebeveiliging",
                "code": "13.1.3",
                "label": "Scheiding van de netwerken",
                "uuid": "267fd85b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.2.1",
                "label": "Registratie en uitschrijving van de gebruikers",
                "uuid": "267fd899-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.4.3",
                "label": "Wachtwoordbeheerssysteem",
                "uuid": "267fd8d8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.4.4",
                "label": "Gebruik van utility-programma\u2019s met bevoegdheden",
                "uuid": "267fd917-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.4.2",
                "label": "Beveiligen van de verbindingsprocedures",
                "uuid": "267fd954-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.4.1",
                "label": "Beperking van de toegang tot de informatie",
                "uuid": "267fd993-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organiseren van informatiebeveiliging",
                "code": "6.2.1",
                "label": "Beleid inzake mobiele toestellen",
                "uuid": "267fd9d0-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organiseren van informatiebeveiliging",
                "code": "6.2.2",
                "label": "Telewerk",
                "uuid": "267fda0e-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.1.1",
                "label": "Analyse en specificatie van de eisen inzake informatiebeveiliging",
                "uuid": "267fda50-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Cryptografie",
                "code": "10.1.1",
                "label": "Beleid inzake het gebruik van cryptografische maatregelen",
                "uuid": "267fda8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Cryptografie",
                "code": "10.1.2",
                "label": "Beheer van de sleutels",
                "uuid": "267fdacc-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.5.1",
                "label": "Installatie van software op werkende systemen",
                "uuid": "267fdb18-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.3.1",
                "label": "Beveiliging van de testgegevens",
                "uuid": "267fdb78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.4.5",
                "label": "Controle van de toegang tot de broncode van de programma\u2019s",
                "uuid": "267fdbf1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.2",
                "label": "Procedures voor de controle van de aan het systeem aangebrachte wijzigingen",
                "uuid": "267fdc38-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.3",
                "label": "Technische beoordeling van de toepassingen na het aanbrengen van wijzigingen aan het besturingsplatform",
                "uuid": "267fdc8c-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.4",
                "label": "Beperkingen op het vlak van het aanbrengen van wijzigingen aan softwarepakketten.",
                "uuid": "267fdcf3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.7",
                "label": "Geoutsourcete ontwikkeling",
                "uuid": "267fdd55-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.6.1",
                "label": "Beheer van de technische kwetsbaarheden",
                "uuid": "267fdda3-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van informatiebeveiligingsincidenten",
                "code": "16.1.2",
                "label": "Signalering van de gebeurtenissen i.v.m. informatiebeveiliging",
                "uuid": "267fddeb-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van informatiebeveiligingsincidenten",
                "code": "16.1.3",
                "label": "Signalering van fouten i.v.m. informatiebeveiliging",
                "uuid": "267fde31-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van informatiebeveiligingsincidenten",
                "code": "16.1.1",
                "label": "Verantwoordelijkheden en procedures",
                "uuid": "267fde78-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van informatiebeveiligingsincidenten",
                "code": "16.1.6",
                "label": "Lessen trekken uit incidenten i.v.m. informatiebeveiliging",
                "uuid": "267fdeb8-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van informatiebeveiligingsincidenten",
                "code": "16.1.7",
                "label": "Verzameling van bewijzen",
                "uuid": "267fdef6-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.5",
                "label": "Engineeringbeginselen van systeembeveiliging",
                "uuid": "267fdf36-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informatiebeveiligingsaspecten van bedrijfscontinu\u00efteitsbeheer",
                "code": "17.1.1",
                "label": "Organisatie van de continu\u00efteit van de informatiebeveiliging",
                "uuid": "267fdf76-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informatiebeveiligingsaspecten van bedrijfscontinu\u00efteitsbeheer",
                "code": "17.1.2",
                "label": "Implementatie van de continu\u00efteit van de informatiebeveiliging",
                "uuid": "267fdfbe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informatiebeveiligingsaspecten van bedrijfscontinu\u00efteitsbeheer",
                "code": "17.1.3",
                "label": "Verifi\u00ebren, herzien en evalueren van de continu\u00efteit van de informatiebeveiliging",
                "uuid": "267fe022-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.1.1",
                "label": "Identificatie van de wetgeving en de geldende contractuele eisen",
                "uuid": "267fe08b-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.1.2",
                "label": "Intellectuele eigendomsrechten",
                "uuid": "267fe307-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.1.3",
                "label": "Bescherming van de opnamen",
                "uuid": "267fe37d-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.1.4",
                "label": "Bescherming van het priv\u00e9leven en bescherming van persoonlijke gegevens",
                "uuid": "267fe3de-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.1.5",
                "label": "Voorschriften op het vlak van cryptografische maatregelen",
                "uuid": "267fe510-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.2.2",
                "label": "Conformiteit met het veiligheidsbeleid en de veiligheidsnormen",
                "uuid": "267fe58f-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Naleving",
                "code": "18.2.3",
                "label": "Onderzoek van de technische conformiteit",
                "uuid": "267fe600-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.7.1",
                "label": "Maatregelen betreffende de audit van de informatiesystemen",
                "uuid": "267fe660-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Organiseren van informatiebeveiliging",
                "code": "6.1.5",
                "label": "Informatiebeveiliging in projectmanagement",
                "uuid": "267fe6b9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van bedrijfsmiddelen",
                "code": "8.2.3",
                "label": "Manipulatie van de activa",
                "uuid": "267fe71a-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Toegangsbeveiliging",
                "code": "9.2.2",
                "label": "Beheersing van het gebruikerstoegangsbeheer",
                "uuid": "267fe782-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.8",
                "label": "Testfase van systeembeveiliging",
                "uuid": "267fe7e9-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.6",
                "label": "Beveiligde ontwikkelingsomgeving",
                "uuid": "267fe847-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Acquisitie, ontwikkeling en onderhoud van informatiesystemen",
                "code": "14.2.1",
                "label": "Beveiligd ontwikkelingsbeleid",
                "uuid": "267fe8a1-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beveiliging bedrijfsvoering",
                "code": "12.6.2",
                "label": "Beperkingen inzake de installatie van software",
                "uuid": "267fe8fe-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Leveranciersrelaties",
                "code": "15.1.3",
                "label": "IT-bevoorradingsketen",
                "uuid": "267fe959-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van informatiebeveiligingsincidenten",
                "code": "16.1.4",
                "label": "Beoordeling van de gebeurtenissen i.v.m. informatiebeveiliging en besluitvorming",
                "uuid": "267fe9b4-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Beheer van informatiebeveiligingsincidenten",
                "code": "16.1.5",
                "label": "Reactie op incidenten i.v.m. informatiebeveiliging",
                "uuid": "267fea11-f705-11e8-b555-0800279aaa2b"
            },
            {
                "category": "Informatiebeveiligingsaspecten van bedrijfscontinu\u00efteitsbeheer",
                "code": "17.2.1",
                "label": "Beschikbaarheid van de informatieverwerkingsmiddelen",
                "uuid": "267fea72-f705-11e8-b555-0800279aaa2b"
            }
        ],
        "version": 1,
        "version_ext": "ISO/IEC 27002:2013"
    },
    {
        "authors": [
            "Jeremy Dannenmuller"
        ],
        "label": "PCI DSS 4.0",
        "language": "EN",
        "refs": "https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf",
        "uuid": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
        "values": [
            {
                "category": "Requirement 5: Protect All Systems and Networks from Malicious Software.",
                "code": "5.4",
                "label": "5.4 Anti-phishing mechanisms protect users against phishing attacks.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "033ed95f-0444-4200-a229-d36ba8d320ac"
            },
            {
                "category": "Requirement 11: Test Security of Systems and Networks Regularly.",
                "code": "11.1",
                "label": "11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "042cc126-c21a-42c2-a003-fe0184ddbfec"
            },
            {
                "category": "Requirement 6: Develop and Maintain Secure Systems and Software.",
                "code": "6.4",
                "label": "6.4 Public-facing web applications are protected against attacks.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "046b9fca-955e-4d7f-bfca-ae6a0cf92f01"
            },
            {
                "category": "Requirement 1: Install and maintain Network Security Controls",
                "code": "1.1",
                "label": "1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "09262d8f-9fa8-48bc-90a6-b5dd76f6f5a6"
            },
            {
                "category": "Requirement 1: Install and maintain Network Security Controls",
                "code": "1.3",
                "label": "1.3 Network access to and from the cardholder data environment is restricted.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "0a26e736-1827-4572-9165-617b4d4a5edd"
            },
            {
                "category": "Requirement 2: Apply Secure Configurations to All System Components.",
                "code": "2.2",
                "label": "2.2 System components are configured and managed securely.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "109bd9fe-1bbd-45f0-91da-27758cfacb1f"
            },
            {
                "category": "A2 - Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections",
                "code": "A.2.1",
                "label": "A2.1 POI terminals using SSL and/or early TLS are confirmed as not susceptible to known SSL/TLS exploits.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "11bd5603-6d95-45b2-b166-2977810e693b"
            },
            {
                "category": "Requirement 3: Protect Stored Account Data.",
                "code": "3.2",
                "label": "3.2 Storage of account data is kept to a minimum.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "13643f1d-5127-4338-8747-b9b1a5153553"
            },
            {
                "category": "Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.",
                "code": "10.2",
                "label": "10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "1570bd71-c8bd-4839-a833-20a4d9c78c19"
            },
            {
                "category": "Requirement 6: Develop and Maintain Secure Systems and Software.",
                "code": "6.2",
                "label": "6.2 Bespoke and custom software are developed securely.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "166b54f6-039c-47ee-b53c-a4c441054ef3"
            },
            {
                "category": "Requirement 11: Test Security of Systems and Networks Regularly.",
                "code": "11.2",
                "label": "11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "198e86b1-88fd-4ca2-920b-abe3188d2161"
            },
            {
                "category": "Requirement 9: Restrict Physical Access to Cardholder Data.",
                "code": "9.2",
                "label": "9.2 Physical access controls manage entry into facilities and systems containing cardholder data.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "29116643-2936-45ae-b095-c32472c5c5fc"
            },
            {
                "category": "Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.",
                "code": "10.1",
                "label": "10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "291753d9-bdb7-4284-82cd-86639dd5051c"
            },
            {
                "category": "Requirement 8: Identify Users and Authenticate Access to System Components.",
                "code": "8.4",
                "label": "8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "2b3ceaf1-acd1-4a25-9920-9365a0edecc6"
            },
            {
                "category": "Requirement 5: Protect All Systems and Networks from Malicious Software.",
                "code": "5.2",
                "label": "5.2 Malicious software (malware) is prevented, or detected and addressed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "367f079c-235c-415f-acfa-cfc8fcbf57e3"
            },
            {
                "category": "Requirement 3: Protect Stored Account Data.",
                "code": "3.6",
                "label": "3.6 Cryptographic keys used to protect stored account data are secured.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "36db6005-d2cc-4406-a441-71cf2918935a"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.7",
                "label": "12.7 Personnel are screened to reduce risks from insider threats.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "37e791d6-5a76-4bf6-a8dc-ed2951acca43"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.5",
                "label": "12.5 PCI DSS scope is documented and validated.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "382b37cb-0b20-4d93-8297-156cbb7a0257"
            },
            {
                "category": "Requirement 9: Restrict Physical Access to Cardholder Data.",
                "code": "9.4",
                "label": "9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "3b9336b9-d7b6-4ea6-bcba-920f9a6ced43"
            },
            {
                "category": "Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open. Public Networks.",
                "code": "4.2",
                "label": "4.2 PAN is protected with strong cryptography during transmission",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "3b988763-bff2-4cee-b1b2-5cea61e9dcf8"
            },
            {
                "category": "Requirement 11: Test Security of Systems and Networks Regularly.",
                "code": "11.5",
                "label": "11.5 Network intrusions and unexpected file changes are detected and responded to.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "3d7419df-8a0b-4ec0-902f-89f90e77bdc1"
            },
            {
                "category": "Requirement 6: Develop and Maintain Secure Systems and Software.",
                "code": "6.5",
                "label": "6.5 Changes to all system components are managed securely.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "435fad54-ccb7-4f4f-b8fe-5b75af1bf4ea"
            },
            {
                "category": "A3 - Designated Entities Supplemental Validation (DESV)",
                "code": "A3.3",
                "label": "A3.3 PCI DSS is incorporated into business-as-usual (BAU) activities.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "438c70bf-7e0c-477d-97ae-31578185da58"
            },
            {
                "category": "Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know.",
                "code": "7.1",
                "label": "7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "43ec094e-fe4c-4355-b4f4-5e7281016cec"
            },
            {
                "category": "Requirement 5: Protect All Systems and Networks from Malicious Software.",
                "code": "5.1",
                "label": "5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "471b054e-61a2-4a72-830b-13843ed09146"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.1",
                "label": "12.1 A comprehensive information security policy that governs and provides direction for protection of the entity\u2019s information assets is known and current.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "478a985a-4bad-42a5-b34e-45d5db543d63"
            },
            {
                "category": "A1 - Additional PCI DSS Requirements for Multi-Tenant Service Providerss",
                "code": "A1.1",
                "label": "A1.1 Multi-tenant service providers protect and separate all customer environments and data.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "49c69882-50a8-4bb7-b56a-e9471d7943d1"
            },
            {
                "category": "Requirement 8: Identify Users and Authenticate Access to System Components.",
                "code": "8.1",
                "label": "8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "4c8a94b0-1f2c-4a10-a279-6ee20397543e"
            },
            {
                "category": "Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.",
                "code": "10.4",
                "label": "10.4 Audit logs are reviewed to identify anomalies or suspicious activity.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "536ee90b-6041-4e7f-b445-0fde74e24338"
            },
            {
                "category": "A3 - Designated Entities Supplemental Validation (DESV)",
                "code": "A3.1",
                "label": "A3.1 A PCI DSS compliance program is implemented.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "5b43004f-9e3d-42f3-a321-f482d68ff54d"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.9",
                "label": "12.9 Third-party service providers (TPSPs) support their customers\u2019 PCI DSS compliance.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "5bf20465-8283-4b0f-82fa-ff2fa4f5b6e8"
            },
            {
                "category": "Requirement 1: Install and maintain Network Security Controls",
                "code": "1.4",
                "label": "1.4 Network connections between trusted and untrusted networks are controlled.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "5d8988d4-09b2-416d-b58a-970597fc4397"
            },
            {
                "category": "Requirement 3: Protect Stored Account Data.",
                "code": "3.1",
                "label": "3.1 Processes and mechanisms for protecting stored account data are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "6ad4ac2b-74e8-4ff2-9d39-f6becb2e124f"
            },
            {
                "category": "Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.",
                "code": "10.6",
                "label": "10.6 Time-synchronization mechanisms support consistent time settings across all systems.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "6eca23a9-8def-4bd9-8ece-b0666a2f4368"
            },
            {
                "category": "Requirement 2: Apply Secure Configurations to All System Components.",
                "code": "2.1",
                "label": "2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "6f8d5129-c4df-49d4-9728-05d78632814b"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.6",
                "label": "12.6 Security awareness education is an ongoing activity.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "71787501-c169-411d-9778-e2cfc5e5736b"
            },
            {
                "category": "Requirement 3: Protect Stored Account Data.",
                "code": "3.7",
                "label": "3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "842b0d6d-2577-4ab4-9b8f-c19679c8d473"
            },
            {
                "category": "Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.",
                "code": "10.7",
                "label": "10.7 Failures of critical security control systems are detected, reported, and responded to promptly.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "8500ef96-773c-4616-b5c8-62145ef3def8"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.3",
                "label": "12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "8553ef88-3cf6-419d-951b-60d9f0bfa59e"
            },
            {
                "category": "Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know.",
                "code": "7.2",
                "label": "7.2 Access to system components and data is appropriately defined and assigned.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "898f18b0-f44b-4417-be6a-ce77e4291870"
            },
            {
                "category": "Requirement 9: Restrict Physical Access to Cardholder Data.",
                "code": "9.1",
                "label": "9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "8ecf814d-8ead-4774-aa4c-9a0f447de93e"
            },
            {
                "category": "Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.",
                "code": "10.5",
                "label": "10.5 Audit log history is retained and available for analysis.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "91456cd4-47b4-49a8-9ac7-e10c94deb909"
            },
            {
                "category": "Requirement 10: Log and Monitor All Access to System Components and Cardholder Data.",
                "code": "10.3",
                "label": "10.3 Audit logs are protected from destruction and unauthorized modifications.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "9545f6f7-1959-4972-828e-c002fb7c5e3f"
            },
            {
                "category": "Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know.",
                "code": "7.3",
                "label": "7.3 Access to system components and data is managed via an access control system(s).",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "9bd5a560-6770-4620-8a87-3df344593a05"
            },
            {
                "category": "Requirement 11: Test Security of Systems and Networks Regularly.",
                "code": "11.6",
                "label": "11.6 Unauthorized changes on payment pages are detected and responded to.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "9e9b1e73-bb3f-4dac-b85e-51b0a28a746a"
            },
            {
                "category": "Requirement 8: Identify Users and Authenticate Access to System Components.",
                "code": "8.6",
                "label": "8.6 Use of application and system accounts and associated authentication factors is strictly managed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "9f0dec80-eec7-49a8-bbbd-9d1af3c3bd47"
            },
            {
                "category": "Requirement 8: Identify Users and Authenticate Access to System Components.",
                "code": "8.2",
                "label": "8.2 User identification and related accounts for users and administrators are strictly managed throughout an account\u2019s lifecycle.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "a77319f3-1eec-4789-8756-b2df9270901b"
            },
            {
                "category": "Requirement 2: Apply Secure Configurations to All System Components.",
                "code": "2.3",
                "label": "2.3 Wireless environments are configured and managed securely.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "aa8d0ac1-cb2a-4e0f-bcaa-d2763497f676"
            },
            {
                "category": "Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open. Public Networks.",
                "code": "4.1",
                "label": "4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "af758496-f659-442b-be1a-cd11dbc05de8"
            },
            {
                "category": "Requirement 3: Protect Stored Account Data.",
                "code": "3.4",
                "label": "3.4 Access to displays of full PAN and ability to copy cardholder data are restricted.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "b0a9f97c-0ecc-4ebf-865e-2a7efdb3b52b"
            },
            {
                "category": "Requirement 11: Test Security of Systems and Networks Regularly.",
                "code": "11.3",
                "label": "11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "b1d5619d-525a-4bc9-9919-4a16efb68f81"
            },
            {
                "category": "Requirement 3: Protect Stored Account Data.",
                "code": "3.3",
                "label": "3.3 Sensitive authentication data (SAD) is not stored after authorization.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "b8b5e383-cb55-43fc-b3ea-9a89b4e0ab10"
            },
            {
                "category": "A3 - Designated Entities Supplemental Validation (DESV)",
                "code": "A3.4",
                "label": "A3.4 Logical access to the cardholder data environment is controlled and managed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "be27bba6-21a1-416b-8258-cb9c232dc471"
            },
            {
                "category": "Requirement 8: Identify Users and Authenticate Access to System Components.",
                "code": "8.3",
                "label": "8.3 Strong authentication for users and administrators is established and managed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "be64acf7-9530-4008-84d0-3a47086c9c27"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.10",
                "label": "12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "be9c173b-84c8-4b07-a71c-be8b1a44da6d"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.8",
                "label": "12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "be9d8fae-7af6-4555-812c-c587b43a8c2a"
            },
            {
                "category": "Requirement 6: Develop and Maintain Secure Systems and Software.",
                "code": "6.1",
                "label": "6.1 Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "c059d4de-2980-46c8-bb74-b68b9e1053e4"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.4",
                "label": "12.4 PCI DSS compliance is managed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "ca690618-be96-4a4b-ae7e-b55ad2c50241"
            },
            {
                "category": "Requirement 8: Identify Users and Authenticate Access to System Components.",
                "code": "8.5",
                "label": "8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "ca745f8a-b78a-4031-b669-9f80f3aca137"
            },
            {
                "category": "Requirement 11: Test Security of Systems and Networks Regularly.",
                "code": "11.4",
                "label": "11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "ce87911e-ef45-44ec-8584-b63dbb0d3b10"
            },
            {
                "category": "Requirement 6: Develop and Maintain Secure Systems and Software.",
                "code": "6.3",
                "label": "6.3 Security vulnerabilities are identified and addressed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "d33fbe7b-ca98-4cd7-805c-c25d2f54196d"
            },
            {
                "category": "Requirement 5: Protect All Systems and Networks from Malicious Software.",
                "code": "5.3",
                "label": "5.3 Anti-malware mechanisms and processes are active, maintained, and monitored.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "de7526f0-bfdf-46a0-b6cd-bea9fb3ad41f"
            },
            {
                "category": "Requirement 1: Install and maintain Network Security Controls",
                "code": "1.2",
                "label": "1.2 Network security controls (NSCs) are configured and maintained.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "df9c7366-838e-4107-951b-b7e1c8cfe80b"
            },
            {
                "category": "A3 - Designated Entities Supplemental Validation (DESV)",
                "code": "A3.2",
                "label": "A3.2 PCI DSS scope is documented and validated.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "e1da88c4-6a4b-4e80-a8e8-1927bfb3f985"
            },
            {
                "category": "Requirement 12: Support Information Security with Organizational Policies and Programs",
                "code": "12.2",
                "label": "12.2 Acceptable use policies for end-user technologies are defined and implemented.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "e3c4b267-059e-4591-8e66-d8241bdeb589"
            },
            {
                "category": "Requirement 3: Protect Stored Account Data.",
                "code": "3.5",
                "label": "3.5 Primary account number (PAN) is secured wherever it is stored.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "e69ac6c5-0858-4bc1-813c-6b58b7f26add"
            },
            {
                "category": "A1 - Additional PCI DSS Requirements for Multi-Tenant Service Providerss",
                "code": "A1.2",
                "label": "A1.2 Multi-tenant service providers facilitate logging and incident response for all customers.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "e8e297ed-23f7-4903-be2d-0726a26031cd"
            },
            {
                "category": "Requirement 9: Restrict Physical Access to Cardholder Data.",
                "code": "9.5",
                "label": "9.5 Point of interaction (POI) devices are protected from tampering and unauthorized substitution.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "ec550cfe-4f7e-4b0c-91ee-7ed3846db76a"
            },
            {
                "category": "Requirement 1: Install and maintain Network Security Controls",
                "code": "1.5",
                "label": "1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "efdaa881-863d-470a-b6fb-32b32a671145"
            },
            {
                "category": "Requirement 9: Restrict Physical Access to Cardholder Data.",
                "code": "9.3",
                "label": "9.3 Physical access for personnel and visitors is authorized and managed.",
                "referential": "17e0d3f8-4808-4413-94ff-2cd2a217590e",
                "referential_label": "PCI DSS 4.0",
                "uuid": "fa1e1209-7b93-43e9-bace-461cbcf0f639"
            }
        ],
        "version": 1
    },
    {
        "authors": [
            "CASES Team"
        ],
        "label": "ISO/IEC 27002 [2022]",
        "language": "EN",
        "refs": [
            "https://www.iso.org/standard/54533.html"
        ],
        "uuid": "831acc76-2bcc-4376-836a-f6b0ee6df568",
        "values": [
            {
                "category": "Organizational controls",
                "code": "5.1",
                "label": "Policies for information security",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "ac5590c1-5e43-4a29-87fb-5ba7416a0831"
            },
            {
                "category": "Organizational controls",
                "code": "5.2",
                "label": "Information security roles and responsibilities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "dcdebb24-3cf2-4c27-bb01-4cd04118e6f5"
            },
            {
                "category": "Organizational controls",
                "code": "5.3",
                "label": "Segregation of duties",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "6ea4f43d-0d12-4edf-8191-bf469f25e252"
            },
            {
                "category": "Organizational controls",
                "code": "5.4",
                "label": "Management responsibilities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "957e0fb3-f06e-4ef5-b152-f1045b3a576f"
            },
            {
                "category": "Organizational controls",
                "code": "5.5",
                "label": "Contact with authorities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "7a5c4510-1d09-481b-822d-2d58745d390b"
            },
            {
                "category": "Organizational controls",
                "code": "5.6",
                "label": "Contact with special interest groups",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "33aa534c-482a-4503-919c-635ac65d084e"
            },
            {
                "category": "Organizational controls",
                "code": "5.7",
                "label": "Threat intelligence",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "dca62889-6240-406e-8c94-5f418e7e004e"
            },
            {
                "category": "Organizational controls",
                "code": "5.8",
                "label": "Information security in project management",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "45d81142-d8b8-45c5-811b-8a636c404af8"
            },
            {
                "category": "Organizational controls",
                "code": "5.9",
                "label": "Inventory of information and other associated assets",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "48ecb62f-f73d-4c65-a8e4-2fa831346a70"
            },
            {
                "category": "Organizational controls",
                "code": "5.10",
                "label": "Acceptable use of information and other associated assets",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "95882551-578c-4c0d-afe8-1dff2b251da4"
            },
            {
                "category": "Organizational controls",
                "code": "5.11",
                "label": "Return of assets",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "fb24425c-10df-4bc3-9b48-d72b952b92b5"
            },
            {
                "category": "Organizational controls",
                "code": "5.12",
                "label": "Classification of information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "4ca57d37-8fc9-4d15-b6a7-64416a520ac1"
            },
            {
                "category": "Organizational controls",
                "code": "5.13",
                "label": "Labelling of information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "006fc402-2bba-4bcb-85b6-7bb9de4c54cd"
            },
            {
                "category": "Organizational controls",
                "code": "5.14",
                "label": "Information transfer",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "1fbd96df-158c-47a2-8dc5-a22c6f915a79"
            },
            {
                "category": "Organizational controls",
                "code": "5.15",
                "label": "Access control",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "de075220-6acf-4ca7-837b-713b1f87f5f3"
            },
            {
                "category": "Organizational controls",
                "code": "5.16",
                "label": "Identity management",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "d2cb623e-3cc6-46fd-bbe7-3239e5fa2626"
            },
            {
                "category": "Organizational controls",
                "code": "5.17",
                "label": "Authentication information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "7fe8f85a-6c22-4680-b076-88d74ba5c4e3"
            },
            {
                "category": "Organizational controls",
                "code": "5.18",
                "label": "Access rights",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "c26bedb1-42f5-4154-8cea-b923b1103cfe"
            },
            {
                "category": "Organizational controls",
                "code": "5.19",
                "label": "Information security in supplier relationships",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "239e3bca-0b4b-4692-9ba1-9e2a73d6cc40"
            },
            {
                "category": "Organizational controls",
                "code": "5.20",
                "label": "Addressing information security within supplier agreements",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "0a23f517-b172-47b2-bc0a-0f693d2900b0"
            },
            {
                "category": "Organizational controls",
                "code": "5.21",
                "label": "Managing information security in the ICT supply chain",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "86fdcdd5-2d94-43ad-aab1-ccc64b3e42f7"
            },
            {
                "category": "Organizational controls",
                "code": "5.22",
                "label": "Monitoring, review and change management of supplier services",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "307d39d8-d31f-4b55-8a0e-9632cd0e380a"
            },
            {
                "category": "Organizational controls",
                "code": "5.23",
                "label": "Information security for use of cloud services",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "e706a0d1-b2ce-4488-b8ae-905f88ab7e4d"
            },
            {
                "category": "Organizational controls",
                "code": "5.24",
                "label": "Information security incident management planning and preparation",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "07e0fb5e-7b82-4f85-b7c7-d22b205436b1"
            },
            {
                "category": "Organizational controls",
                "code": "5.25",
                "label": "Assessment and decision on information security events",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "0aa214a8-51a6-45df-a279-03f04ea5c19e"
            },
            {
                "category": "Organizational controls",
                "code": "5.26",
                "label": "Response to information security incidents",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "865ca2d0-30e8-47f2-9f25-4256943a0d72"
            },
            {
                "category": "Organizational controls",
                "code": "5.27",
                "label": "Learning from information security incidents",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "1c03c68f-29a0-4606-b99d-072491f53e96"
            },
            {
                "category": "Organizational controls",
                "code": "5.28",
                "label": "Collection of evidence",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "432a79d3-45e9-477e-b63a-ab7566bb8590"
            },
            {
                "category": "Organizational controls",
                "code": "5.29",
                "label": "Information security during disruption",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "a197825e-e8f5-47f5-851d-66105a6fc3b2"
            },
            {
                "category": "Organizational controls",
                "code": "5.30",
                "label": "ICT readiness for business continuity",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "4ca07c19-4442-41b8-81ef-bd105af640c8"
            },
            {
                "category": "Organizational controls",
                "code": "5.31",
                "label": "Legal, statutory, regulatory and contractual requirements",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "7f58e55e-17f5-4dca-a7e5-4566192fa8f1"
            },
            {
                "category": "Organizational controls",
                "code": "5.32",
                "label": "Intellectual property rights",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "3d347675-c00a-4fa2-a0af-a5b66cbd8edd"
            },
            {
                "category": "Organizational controls",
                "code": "5.33",
                "label": "Protection of records",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "9f8e81c8-8a90-4b5e-bcf1-ff2e8b4384e8"
            },
            {
                "category": "Organizational controls",
                "code": "5.34",
                "label": "Privacy and protection of PII",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "6a6b0a5f-4e3a-4845-94cc-890aee7f19d9"
            },
            {
                "category": "Organizational controls",
                "code": "5.35",
                "label": "Independent review of information security",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "41d38a42-6f44-4561-b0a2-801095d4eec9"
            },
            {
                "category": "Organizational controls",
                "code": "5.36",
                "label": "Compliance with policies, rules and standards for information security",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "3ff683de-9ca5-482d-8423-06d4d8e315a3"
            },
            {
                "category": "Organizational controls",
                "code": "5.37",
                "label": "Documented operating procedures",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "4c41ffb8-fbf4-48b7-9e16-52293fbcc3c3"
            },
            {
                "category": "People controls",
                "code": "6.1",
                "label": "Screening",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "9e7bdc0e-1603-4545-a2cc-0650fe035e37"
            },
            {
                "category": "People controls",
                "code": "6.2",
                "label": "Terms and conditions of employment",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "83389b64-b080-4625-8e81-05174311e2d8"
            },
            {
                "category": "People controls",
                "code": "6.3",
                "label": "Information security awareness, education and training",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "bb6eac6b-129a-4ea8-8c26-3df5e05d9680"
            },
            {
                "category": "People controls",
                "code": "6.4",
                "label": "Disciplinary process",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "9acaadb0-2f58-4d9b-963b-7671ed0471a6"
            },
            {
                "category": "People controls",
                "code": "6.5",
                "label": "Responsibilities after termination or change of employment",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "e4ef6822-7f1f-46f8-9700-37cde17e81b8"
            },
            {
                "category": "People controls",
                "code": "6.6",
                "label": "Confidentiality or non-disclosure agreements",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "e283f5ed-3a64-4bed-b479-35e4cd8173e6"
            },
            {
                "category": "People controls",
                "code": "6.7",
                "label": "Remote working",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "276430e7-47c5-461b-a5c4-7b46dae11759"
            },
            {
                "category": "People controls",
                "code": "6.8",
                "label": "Information security event reporting",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "ed627a92-cb52-472a-aa2e-b981f8b12de5"
            },
            {
                "category": "Physical controls",
                "code": "7.1",
                "label": "Physical security perimeters",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "26fbd0ef-28da-4930-850f-8519da290fd4"
            },
            {
                "category": "Physical controls",
                "code": "7.2",
                "label": "Physical entry",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "14667423-4f22-49dd-a0fc-bbf3c25597d3"
            },
            {
                "category": "Physical controls",
                "code": "7.3",
                "label": "Securing offices, rooms and facilities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "474fedbd-0b89-436c-ac04-41c21d6e7420"
            },
            {
                "category": "Physical controls",
                "code": "7.4",
                "label": "Physical security monitoring",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "f439e26f-cec6-41cb-8c86-1b6c0f112ebf"
            },
            {
                "category": "Physical controls",
                "code": "7.5",
                "label": "Protecting against physical and environmental threats",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "07285d43-9ee2-406b-a9fa-3ad36650054b"
            },
            {
                "category": "Physical controls",
                "code": "7.6",
                "label": "Working in secure areas",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "cb371cfa-e8d4-4a83-af29-2f8982929268"
            },
            {
                "category": "Physical controls",
                "code": "7.7",
                "label": "Clear desk and clear screen",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "069bd61a-62a9-4158-b5f9-59e4ee0c8614"
            },
            {
                "category": "Physical controls",
                "code": "7.8",
                "label": "Equipment siting and protection",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "a3897661-541e-4c4c-9844-2981d8288ec6"
            },
            {
                "category": "Physical controls",
                "code": "7.9",
                "label": "Security of assets off-premises",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "68c2f82b-83a3-4aaf-9bce-c57b3f537fa6"
            },
            {
                "category": "Physical controls",
                "code": "7.10",
                "label": "Storage media",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "1167decd-0e55-4359-8fb2-599c490d89fa"
            },
            {
                "category": "Physical controls",
                "code": "7.11",
                "label": "Supporting utilities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "fc66f113-3f02-4354-8610-879b5467971a"
            },
            {
                "category": "Physical controls",
                "code": "7.12",
                "label": "Cabling security",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "00e9c4c9-c718-4834-a312-c08abb03838c"
            },
            {
                "category": "Physical controls",
                "code": "7.13",
                "label": "Equipment maintenance",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "096b291e-bded-40aa-a3f7-492bcc5dcf4c"
            },
            {
                "category": "Physical controls",
                "code": "7.14",
                "label": "Secure disposal or re-use of equipment",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "43e73ea3-8fcd-455c-b05e-c5d8a747ec33"
            },
            {
                "category": "Technological controls",
                "code": "8.1",
                "label": "User endpoint devices",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "26f82aa2-2a5b-49d9-92dd-53a2d98d743f"
            },
            {
                "category": "Technological controls",
                "code": "8.2",
                "label": "Privileged access rights",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "8890016c-2883-4771-b346-2e8ec19ff2dd"
            },
            {
                "category": "Technological controls",
                "code": "8.3",
                "label": "Information access restriction",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "8eda18e5-8a5e-404a-9f2b-1880fa0e400d"
            },
            {
                "category": "Technological controls",
                "code": "8.4",
                "label": "Access to source code",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "b56726a8-3883-4893-ae75-2ba555411148"
            },
            {
                "category": "Technological controls",
                "code": "8.5",
                "label": "Secure authentication",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "1d9e4229-e86e-4cb1-8e63-fd30711040dd"
            },
            {
                "category": "Technological controls",
                "code": "8.6",
                "label": "Capacity management",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "e8d6402b-f022-494b-b289-3d5d98368e8e"
            },
            {
                "category": "Technological controls",
                "code": "8.7",
                "label": "Protection against malware",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "f331b956-c83b-47b6-a563-09222b1ae7a0"
            },
            {
                "category": "Technological controls",
                "code": "8.8",
                "label": "Management of technical vulnerabilities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "b2fc0199-a3a8-4386-88d1-0f3b776c3e5d"
            },
            {
                "category": "Technological controls",
                "code": "8.9",
                "label": "Configuration management",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "6f4468c5-06a6-4248-a82b-ef86601d6dd9"
            },
            {
                "category": "Technological controls",
                "code": "8.10",
                "label": "Information deletion",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "af8efe54-1e09-44e8-818d-22dc5446b234"
            },
            {
                "category": "Technological controls",
                "code": "8.11",
                "label": "Data masking",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "082e34b9-5811-485b-a81a-761e79918ebc"
            },
            {
                "category": "Technological controls",
                "code": "8.12",
                "label": "Data leakage prevention",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "c24dd798-1284-440e-82d3-78ef0d149ae6"
            },
            {
                "category": "Technological controls",
                "code": "8.13",
                "label": "Information backup",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "e2e52a80-4222-4f57-b471-92ce90a83ed7"
            },
            {
                "category": "Technological controls",
                "code": "8.14",
                "label": "Redundancy of information processing facilities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "6a76bfdb-843e-4aa2-8cd7-f738f68845e4"
            },
            {
                "category": "Technological controls",
                "code": "8.15",
                "label": "Logging",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "6e2ed592-c992-4076-b9ec-b7e9a78a7029"
            },
            {
                "category": "Technological controls",
                "code": "8.16",
                "label": "Monitoring activities",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "ba719d1a-81a3-485c-b9b5-fb6332fd3aff"
            },
            {
                "category": "Technological controls",
                "code": "8.17",
                "label": "Clock synchronization",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "dab5cccf-c67d-45b0-a3d4-89ef9f51a2f2"
            },
            {
                "category": "Technological controls",
                "code": "8.18",
                "label": "Use of privileged utility programs",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "9389f178-57cb-4b52-b464-5b983d10ae90"
            },
            {
                "category": "Technological controls",
                "code": "8.19",
                "label": "Installation of software on operational systems",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "5773b0a9-8687-4802-9f19-2d1fba45e6a5"
            },
            {
                "category": "Technological controls",
                "code": "8.20",
                "label": "Networks security",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "3cfb677a-cc3c-437d-aabf-c0ad88d740a5"
            },
            {
                "category": "Technological controls",
                "code": "8.21",
                "label": "Security of network services",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "47ad87a1-dd3e-443e-8d82-2ec782979637"
            },
            {
                "category": "Technological controls",
                "code": "8.22",
                "label": "Segregation of networks",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "6c305573-67ac-488e-882a-8e94e6373355"
            },
            {
                "category": "Technological controls",
                "code": "8.23",
                "label": "Web filtering",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "8a973656-95e8-4664-9e6c-c788b4ba0771"
            },
            {
                "category": "Technological controls",
                "code": "8.24",
                "label": "Use of cryptography",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "1a0fe2b2-4401-4d3d-b4a2-53d7d95a76c9"
            },
            {
                "category": "Technological controls",
                "code": "8.25",
                "label": "Secure development life cycle",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "3ddf1641-0529-44d2-8a23-b5811555cdd2"
            },
            {
                "category": "Technological controls",
                "code": "8.26",
                "label": "Application security requirements",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "8298dbd1-c18e-4f03-bb63-4867bfeaf716"
            },
            {
                "category": "Technological controls",
                "code": "8.27",
                "label": "Secure system architecture and engineering principles",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "497618e9-e495-42b6-b04e-21801f9c01f7"
            },
            {
                "category": "Technological controls",
                "code": "8.28",
                "label": "Secure coding",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "2452bf90-43da-46d9-9dee-05d73b9fce09"
            },
            {
                "category": "Technological controls",
                "code": "8.29",
                "label": "Security testing in development and acceptance",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "991f8c55-2da0-4dbf-b604-cbadc8df8389"
            },
            {
                "category": "Technological controls",
                "code": "8.30",
                "label": "Outsourced development",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "d5f93f4a-eac7-4200-b90b-c02db54c76f4"
            },
            {
                "category": "Technological controls",
                "code": "8.31",
                "label": "Separation of development, test and production environments",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "00383120-11a9-4b95-bfb9-47b3d4975bcb"
            },
            {
                "category": "Technological controls",
                "code": "8.32",
                "label": "Change management",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "866a0676-f2bd-4499-ba25-cd6f9466969a"
            },
            {
                "category": "Technological controls",
                "code": "8.33",
                "label": "Test information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "7df0a5ac-79b3-416c-8a38-c22f5c4d94d5"
            },
            {
                "category": "Technological controls",
                "code": "8.34",
                "label": "Protection of information systems during audit testing",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022]",
                "uuid": "744146f1-5a14-43c0-b675-8c2649486f64"
            }
        ],
        "version": 1,
        "version_ext": "ISO/IEC 27002:2022"
    },
    {
        "authors": [
            "Jeremy Dannenmuller"
        ],
        "label": "ISO 27017",
        "language": "EN",
        "refs": "https://www.iso.org/fr/standard/43757.html",
        "uuid": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
        "values": [
            {
                "category": "Security in development and support processes",
                "code": "14.2.2",
                "label": "System change control procedures",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "027c0996-57fa-44d3-85cd-6ea667923174"
            },
            {
                "category": "Supplier service delivery management",
                "code": "15.2.2",
                "label": "Managing changes to supplier services",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "03c9db14-f91d-4c4e-a4a1-18e7709d9fd7"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.1",
                "label": "Secure development policy",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "07c05b75-2e57-4fd0-9ab7-d7d87742477b"
            },
            {
                "category": "Termination and change of employment",
                "code": "7.3.1",
                "label": "Termination or change of employment responsibilities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "0afb0635-1b85-4e2a-b0cf-5cdad6a23fd8"
            },
            {
                "category": "Secure areas",
                "code": "11.1.1",
                "label": "Physical security perimeter",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "0fe351eb-d64b-4c74-b05b-bdfda6b9c4d3"
            },
            {
                "category": "During employment",
                "code": "7.2.1",
                "label": "Management responsibilities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "100d29a6-1441-4de6-a05a-594c8b1c7243"
            },
            {
                "category": "Logging and monitoring",
                "code": "12.4.4",
                "label": "Clock synchronization",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "1100bd1a-cfd4-4450-9192-5bd85ef107e2"
            },
            {
                "category": "Equipment",
                "code": "11.2.1",
                "label": "Equipment siting and protection",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "12844c4c-d0c9-4441-9467-9da5b15dd18b"
            },
            {
                "category": "Business requirements of access control",
                "code": "9.1.1",
                "label": "Access control policy",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "12c2d158-c0d2-448f-b36e-9f17e1cc230f"
            },
            {
                "category": "Management of information security incidents and improvements",
                "code": "16.1.7",
                "label": "Collection of evidence",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "1703d350-59d5-4510-bf45-d538e4c076a0"
            },
            {
                "category": "Security requirements of information systems",
                "code": "14.1.1",
                "label": "Information security requirements analysis and specification",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "1de9d538-a7c3-4817-8c44-3ffbdfc9f12b"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.7",
                "label": "Outsourced development",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "21a6dbb4-8365-4b48-8421-ea10458695ee"
            },
            {
                "category": "Equipment",
                "code": "11.2.8",
                "label": "Unattended user equipment",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "21c24fcd-374d-408a-9682-eac7e8c3ebf2"
            },
            {
                "category": "Media handling",
                "code": "8.3.1",
                "label": "Management of removable media",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "2327176c-b127-4ad3-a1a9-710467ea246f"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.6",
                "label": "Secure development environment",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "256e6e9e-cd8b-440a-843b-264e85d582f7"
            },
            {
                "category": "Information security in supplier relationships",
                "code": "15.1.3",
                "label": "Information and communication technology supply chain",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "2c59fe2c-5312-4f3e-b960-4fd843031af7"
            },
            {
                "category": "Operational procedures and responsibilities",
                "code": "CLD.12.1.5",
                "label": "Administrator's operational security",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "2df8b9c3-b6f4-4484-a9b3-5e6f33ad1038"
            },
            {
                "category": "Network security management",
                "code": "13.1.3",
                "label": "Segregation in networks",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "2e10ce2d-1c5c-41f6-a8a9-f1f7f3b07315"
            },
            {
                "category": "Relationship between cloud service customer and cloud service provider",
                "code": "CLD.6.3.1",
                "label": "Shared roles and responsibilities within a cloud computing environment",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "2e43ca82-0b18-4dbd-916c-b2fc102bf662"
            },
            {
                "category": "Information security in supplier relationships",
                "code": "15.1.1",
                "label": "Information security policy for supplier relationships",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "2ed059b3-7ea4-465e-b20e-f6180b218505"
            },
            {
                "category": "Information classification",
                "code": "8.2.2",
                "label": "Labelling of information",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "2f9175dc-3c0e-48d6-b1cb-687009bbf392"
            },
            {
                "category": "Internal organization",
                "code": "6.1.4",
                "label": "Contact with special interest groups",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "317394d2-538d-42e6-ac3d-f7a54b867ec4"
            },
            {
                "category": "Secure areas",
                "code": "11.1.4",
                "label": "Protecting against external and environmental threats",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "34ac073d-80ad-4503-b748-bcbad097ea26"
            },
            {
                "category": "Access control of cloud service customer data in shared virtual environment",
                "code": "CLD.9.5.2",
                "label": "Virtual machine hardening",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "34fa0af1-02c7-46c0-b38f-30db3f27bf46"
            },
            {
                "category": "Compliance with legal and contractual requirements",
                "code": "18.1.3",
                "label": "Protection of records",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "38527fcd-9eef-4f31-9ff1-551c9cb1ea88"
            },
            {
                "category": "Network security management",
                "code": "13.1.1",
                "label": "Network controls",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "3ad14be8-e76e-4c06-bb5c-6722361ee1ee"
            },
            {
                "category": "Responsibility for assets",
                "code": "CLD.8.1.5",
                "label": "Removal of cloud service customer assets",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "3ae82816-ae78-4a6c-889e-07bdb84da4e4"
            },
            {
                "category": "Equipment",
                "code": "11.2.4",
                "label": "Equipment maintenance",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "3b7c3fa7-d143-483c-9c26-4908a55979d5"
            },
            {
                "category": "User access management",
                "code": "9.2.4",
                "label": "Management of secret authentication information of users",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "3c138556-2201-4b36-8907-f6c0f57d420b"
            },
            {
                "category": "Logging and monitoring",
                "code": "CLD.12.4.5",
                "label": "Monitoring of Cloud Services",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "439a4491-65aa-4990-b6e4-6e10af836373"
            },
            {
                "category": "Responsibility for assets",
                "code": "8.1.1",
                "label": "Inventory of assets",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "44dddcc0-257a-4f2b-94d5-1b63a25a6e46"
            },
            {
                "category": "System and application access control",
                "code": "9.4.3",
                "label": "Password management system",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "46678a0c-cd66-4610-8687-0d25afe68c1d"
            },
            {
                "category": "Information security policies",
                "code": "5.1.1",
                "label": "Policies for information security",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "498b0cc7-fbe3-40fb-9b61-1b6db629027f"
            },
            {
                "category": "Management of information security incidents and improvements",
                "code": "16.1.1",
                "label": "Responsibilities and procedures",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "4ab927a0-835d-4122-8377-ed08c418b1c5"
            },
            {
                "category": "Internal organization",
                "code": "6.1.5",
                "label": "Information security in project management",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "4c660684-7259-461d-9eb8-f9c82ca42c98"
            },
            {
                "category": "Control of operational software",
                "code": "12.5.1",
                "label": "Installation of software on operational systems",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "4d2882a6-5a63-404c-bbe7-2f2ea08ff933"
            },
            {
                "category": "Information classification",
                "code": "8.2.3",
                "label": "Handling of assets",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "4dabfd52-4369-4999-9091-6a346703e981"
            },
            {
                "category": "Secure areas",
                "code": "11.1.5",
                "label": "Working in secure areas",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "4ed3205f-9921-432b-9a8b-3e400598e0ff"
            },
            {
                "category": "Internal organization",
                "code": "6.1.1",
                "label": "Information security roles and responsibilities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "515aacb3-f1c1-4bb2-95fa-1cb29713b03e"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.3",
                "label": "Technical review of applications after operating platform changes",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "54885438-8b8a-4fae-8f23-e8901ec621b4"
            },
            {
                "category": "System and application access control",
                "code": "9.4.1",
                "label": "Information access restriction",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "553e228a-15dd-430c-a35b-604b9fccd629"
            },
            {
                "category": "User access management",
                "code": "9.2.2",
                "label": "User access provisioning",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "55677739-524b-4167-a2e1-1dc5356e4764"
            },
            {
                "category": "Equipment",
                "code": "11.2.5",
                "label": "Removal of assets",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "55f40782-51f0-4e9a-9cae-3898190144c4"
            },
            {
                "category": "Supplier service delivery management",
                "code": "15.2.1",
                "label": "Monitoring and review of supplier services",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "58566e59-9ce2-4ded-b2bb-20a7e1c4a5c6"
            },
            {
                "category": "Information transfer",
                "code": "13.2.4",
                "label": "Confidentiality or non-disclosure agreements",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "5b239f2c-162d-4fa1-9e98-9fdf54426a8a"
            },
            {
                "category": "Responsibility for assets",
                "code": "8.1.3",
                "label": "The acceptable use of assets",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "5ddefc67-2c51-4a11-b1e2-3ca2eaaf02b9"
            },
            {
                "category": "Internal organization",
                "code": "6.1.3",
                "label": "Contact with authorities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "61bf6872-052b-468c-83b5-ea70d4530629"
            },
            {
                "category": "Cryptographic controls",
                "code": "10.1.2",
                "label": "Key management",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "62b6663e-768e-4eb3-8c2e-d170f84588d7"
            },
            {
                "category": "Operational procedures and responsibilities",
                "code": "12.1.4",
                "label": "Separation of development, testing and operational environments",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "64c2a025-e7bf-4ac3-9ab2-431910fff804"
            },
            {
                "category": "Information security continuity",
                "code": "17.1.1",
                "label": "Planning information security continuity",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "66adb661-6e13-41f6-8a50-b894b3ed9e5b"
            },
            {
                "category": "Management of information security incidents and improvements",
                "code": "16.1.4",
                "label": "Assessment of and decision on information security events",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "66d299d8-e55f-42d7-997b-e5f69392ed82"
            },
            {
                "category": "Backup",
                "code": "12.3.1",
                "label": "Information backup",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "6769d72a-c19a-4af1-814b-e58ecce6bb34"
            },
            {
                "category": "System and application access control",
                "code": "9.4.2",
                "label": "Secure log-on procedures",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "678b1392-7cab-49c2-a5f5-9f7884e0d9ac"
            },
            {
                "category": "User access management",
                "code": "9.2.1",
                "label": "User registration and deregistration",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "680335b4-1efb-4257-ae7c-17de32670edd"
            },
            {
                "category": "Internal organization",
                "code": "6.1.2",
                "label": "Segregation of duties",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "682075b0-f0b6-4d2f-b4ad-8e93569bafa0"
            },
            {
                "category": "Information security continuity",
                "code": "17.1.3",
                "label": "Verify, review and evaluate information security continuity",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "68f40f2c-d0c9-405e-b56e-fca2a63cb7e7"
            },
            {
                "category": "Security requirements of information systems",
                "code": "14.1.3",
                "label": "Protecting application services transactions",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "6a1b60fb-5c46-40d1-b0b8-5494b1d00b8d"
            },
            {
                "category": "Network security management",
                "code": "CLD.13.1.4",
                "label": "Alignment of security management for virtual and physical networks",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "6a972973-2dec-4c54-ac8f-d4e1e06dcc63"
            },
            {
                "category": "Equipment",
                "code": "11.2.2",
                "label": "Supporting utilities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "6ade5e75-9f3a-4b23-b3aa-301908f5bc25"
            },
            {
                "category": "Responsibility for assets",
                "code": "8.1.4",
                "label": "Return of assets",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "6c082aee-3c87-423e-9a46-4467cc6dc823"
            },
            {
                "category": "Technical vulnerability management",
                "code": "12.6.1",
                "label": "Management of technical vulnerabilities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "71839786-0214-4608-80be-2555ee0334aa"
            },
            {
                "category": "Information classification",
                "code": "8.2.1",
                "label": "Classification of information",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "77e30376-3b61-4675-95dc-329c7c2186b8"
            },
            {
                "category": "Operational procedures and responsibilities",
                "code": "12.1.3",
                "label": "Capacity management",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "7fadb5eb-5597-44f2-b323-88fa75a0e08e"
            },
            {
                "category": "Equipment",
                "code": "11.2.7",
                "label": "Secure disposal or reuse of equipment",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "81b8f773-4488-495e-a48e-337be46602cb"
            },
            {
                "category": "Information security continuity",
                "code": "17.1.2",
                "label": "Implementing information security continuity",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "81dc65f7-92e2-4516-9a0c-d1b474d547ba"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.8",
                "label": "System security testing",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "82890d01-c97f-4388-b182-e3838afa9ee2"
            },
            {
                "category": "Management of information security incidents and improvements",
                "code": "16.1.6",
                "label": "Learning from information security incidents",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "854a7ad0-7db7-4d8c-8374-3be5c36aa026"
            },
            {
                "category": "Information systems audit considerations",
                "code": "12.7.1",
                "label": "Information systems audit controls",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "8b53cd63-6c1a-4a7e-9437-fd908941bcca"
            },
            {
                "category": "During employment",
                "code": "7.2.2",
                "label": "Information security awareness, education and training",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "8c3b6fe5-ce53-4b61-9ca4-5f7850c169b2"
            },
            {
                "category": "Logging and monitoring",
                "code": "12.4.3",
                "label": "Administrator and operator logs",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "8e969c8d-e7a3-41e1-b425-3e678c3ae2af"
            },
            {
                "category": "Compliance with legal and contractual requirements",
                "code": "18.1.2",
                "label": "Intellectual property rights",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "975cc456-ba0c-4a33-8b65-cbf798f5d979"
            },
            {
                "category": "Redundancies",
                "code": "17.2.1",
                "label": "Availability of information processing facilities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "98255bf6-65b8-45b1-b5bf-d1da91d0d36f"
            },
            {
                "category": "Cryptographic controls",
                "code": "10.1.1",
                "label": "Policy on the use of cryptographic controls",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "99d6328e-f0f6-41ee-b8e3-e9ba7e8e4598"
            },
            {
                "category": "During employment",
                "code": "7.2.3",
                "label": "Disciplinary process",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "9ab263ad-4a10-4817-a993-93fff2444c61"
            },
            {
                "category": "System and application access control",
                "code": "9.4.5",
                "label": "Access control to program source code",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "9c912ab0-7023-46d5-9376-798a8b81ba6e"
            },
            {
                "category": "Information security reviews",
                "code": "18.2.2",
                "label": "Compliance with security policies and standards",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "9d2bc87a-ceae-463a-a44d-7c60bed5324d"
            },
            {
                "category": "Management of information security incidents and improvements",
                "code": "16.1.2",
                "label": "Reporting information security events",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "9d8e4c20-d33c-4a15-9dd9-8f1f215450ea"
            },
            {
                "category": "Operational procedures and responsibilities",
                "code": "12.1.2",
                "label": "Change management",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "a6f3e7d1-9f4c-43a1-8406-7c96bfcc409d"
            },
            {
                "category": "Management of information security incidents and improvements",
                "code": "16.1.5",
                "label": "Response to information security incidents",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "ab2d3a44-e28b-4f3d-8efa-8038faccd318"
            },
            {
                "category": "Security requirements of information systems",
                "code": "14.1.2",
                "label": "Securing application services on public networks",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "b2548a30-85d7-4c8f-8dd6-16272ff3b5a1"
            },
            {
                "category": "Secure areas",
                "code": "11.1.2",
                "label": "Physical entry controls",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "b5005f3e-bdc7-4367-8f96-46dd795399c3"
            },
            {
                "category": "System and application access control",
                "code": "9.4.4",
                "label": "Use of privileged utility programs",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "b5bb6249-a936-4828-9251-c8d4e3ea1f12"
            },
            {
                "category": "Equipment",
                "code": "11.2.6",
                "label": "Security of equipment and assets off-premises",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "b811e64d-cda4-4416-baec-9f6beda1dd87"
            },
            {
                "category": "Secure areas",
                "code": "11.1.6",
                "label": "Delivery and loading areas",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "b98389fe-8024-4d51-90bb-869962c97898"
            },
            {
                "category": "Media handling",
                "code": "8.3.2",
                "label": "Disposal of media",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "bae65eff-a2eb-4da1-899c-539f30f94963"
            },
            {
                "category": "Information transfer",
                "code": "13.2.1",
                "label": "Information transfer policies and procedures",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "bb0c3df6-e3f4-4684-b0c7-2beadada7aeb"
            },
            {
                "category": "Information transfer",
                "code": "13.2.2",
                "label": "Agreements on information transfer",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "bd05d07c-d272-4c55-a4ff-72c6218148d0"
            },
            {
                "category": "User access management",
                "code": "9.2.5",
                "label": "Review of user access rights",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "be07fc69-14fc-4c94-8626-083983f204f7"
            },
            {
                "category": "Access control of cloud service customer data in shared virtual environment",
                "code": "CLD.9.5.1",
                "label": "Segregation in virtual computing environments",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "be604ecc-3dee-4e29-b1b7-d63d58f54748"
            },
            {
                "category": "Mobile devices and teleworking",
                "code": "6.2.2",
                "label": "Teleworking",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "c55c6391-56a2-44de-be4f-a23770cec2fb"
            },
            {
                "category": "Management of information security incidents and improvements",
                "code": "16.1.3",
                "label": "Reporting information security weakness",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "c7ad8338-7659-4783-af2b-55f35e3ccfdf"
            },
            {
                "category": "User access management",
                "code": "9.2.3",
                "label": "Management of privileged access rights",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "cb1f54b6-05b5-4e68-88c3-b943e4952141"
            },
            {
                "category": "User access management",
                "code": "9.2.6",
                "label": "Removal or adjustment of access rights",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "cb40e300-60d1-4ae8-88e8-338e536ddbdb"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.4",
                "label": "Restrictions on changes to software packages",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "cc06514a-bc04-4528-b7bf-3ac296b16dd1"
            },
            {
                "category": "Logging and monitoring",
                "code": "12.4.2",
                "label": "Protection of log information",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "cdccb912-7aa9-4542-96fc-2507e9e89b29"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.9",
                "label": "System acceptance testing",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "ce1b8c19-d3cf-4070-b239-9471272c1faf"
            },
            {
                "category": "Prior to empoyment",
                "code": "7.1.1",
                "label": "Screening",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d063c875-6442-495b-9118-97906030ceef"
            },
            {
                "category": "Security in development and support processes",
                "code": "14.2.5",
                "label": "Secure system engineering principles",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d181a7ba-55fd-40ef-a1c5-a32348e2d4c0"
            },
            {
                "category": "Responsibility for assets",
                "code": "8.1.2",
                "label": "Ownership of assets",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d278ad4c-0e81-4008-b7c2-dc52895c5eff"
            },
            {
                "category": "Equipment",
                "code": "11.2.3",
                "label": "Cabling security",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d41b6bc1-82a4-4791-b276-dbbb8d833a33"
            },
            {
                "category": "Information security reviews",
                "code": "18.2.3",
                "label": "Technical compliance review",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d439ae3a-6cee-4f59-91f7-8562266e4d65"
            },
            {
                "category": "Network security management",
                "code": "13.1.2",
                "label": "Security of network services",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d5367603-b1f9-4df6-a188-7ea3b6c28533"
            },
            {
                "category": "Information security reviews",
                "code": "18.2.1",
                "label": "Independent review of information security",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d5908953-79d7-4ad8-ac0e-b4e11ba74c8a"
            },
            {
                "category": "Business requirements of access control",
                "code": "9.1.2",
                "label": "Access to networks and network services",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d8a9d846-b938-4f74-8f4c-f35f120209be"
            },
            {
                "category": "Test data",
                "code": "14.3.1",
                "label": "Protection of test data",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d8bda302-9c55-4ec0-964b-db63640c12ee"
            },
            {
                "category": "Prior to empoyment",
                "code": "7.1.2",
                "label": "Terms and conditions of employment",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "d96e8662-872e-44ac-a9d5-9229507a5a80"
            },
            {
                "category": "Compliance with legal and contractual requirements",
                "code": "18.1.4",
                "label": "Privacy and protection of personally identifiable information",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "ddcabe58-0ffb-4021-a5f5-1b71fbbe8d45"
            },
            {
                "category": "Logging and monitoring",
                "code": "12.4.1",
                "label": "Event logging",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "de5bec22-ea67-4e67-8d37-52303895c67f"
            },
            {
                "category": "Information transfer",
                "code": "13.2.3",
                "label": "Electronic messaging",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "e186f19e-8174-4a21-bbb6-1018f32dc714"
            },
            {
                "category": "Compliance with legal and contractual requirements",
                "code": "18.1.5",
                "label": "Regulation of cryptographic controls",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "e9bdd53f-e094-4084-9e40-adeced6d445b"
            },
            {
                "category": "Operational procedures and responsibilities",
                "code": "12.1.1",
                "label": "Documented operating procedures",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "f0048224-5868-4d00-a32f-20725cd9752d"
            },
            {
                "category": "Technical vulnerability management",
                "code": "12.6.2",
                "label": "Restrictions on software installation",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "f34f797f-5c32-4b52-9836-7d103d1a129a"
            },
            {
                "category": "Equipment",
                "code": "11.2.9",
                "label": "Clear desk and clear screen policy",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "f34f88d5-7e52-4516-a734-096a09ef1d9b"
            },
            {
                "category": "Media handling",
                "code": "8.3.3",
                "label": "Physical media transfer",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "f36660f5-1485-4aca-9757-1dd5399e9cee"
            },
            {
                "category": "Secure areas",
                "code": "11.1.3",
                "label": "Securing offices, rooms and facilities",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "f44dad64-71cd-447f-a9da-56a1d9f297e4"
            },
            {
                "category": "Protection from malware",
                "code": "12.2.1",
                "label": "Controls against malware",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "f4cc92f8-58e8-4129-b48e-d118a94496ab"
            },
            {
                "category": "Information security policies",
                "code": "5.1.2",
                "label": "Review of the policies for information security",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "f9614eeb-7fb2-4901-8834-f9ecf5a1c977"
            },
            {
                "category": "Compliance with legal and contractual requirements",
                "code": "18.1.1",
                "label": "Identification of applicable legislation and contractual requirements",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "fc109da0-3bf5-4f8e-8df8-1dd4d45b8dab"
            },
            {
                "category": "User responsabilities",
                "code": "9.3.1",
                "label": "Use of secret authentication information",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "fe3e4943-3440-4818-903d-664972cfb466"
            },
            {
                "category": "Mobile devices and teleworking",
                "code": "6.2.1",
                "label": "Mobile device policy",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "fe98e1f0-175f-4fd8-8530-ac183707c54c"
            },
            {
                "category": "Information security in supplier relationships",
                "code": "15.1.2",
                "label": "Addressing security within supplier agreements",
                "referential": "9a73a15e-bb36-434e-a2fe-c3ac1b7ed9a2",
                "referential_label": "ISO 27017",
                "uuid": "ff7435b8-55f6-46bb-ae61-ddb09c731348"
            }
        ],
        "version": 1
    },
    {
        "label": "ISO/IEC 27002 [2022][DE]",
        "language": "DE",
        "uuid": "bc4bf7d8-d738-4093-9a1a-33bbd13af30f",
        "values": [
            {
                "category": "Organisatorische Ma\u00dfnahmen",
                "code": "5.1",
                "label": "Informationssicherheitsrichtlinien",
                "referential": "bc4bf7d8-d738-4093-9a1a-33bbd13af30f",
                "referential_label": "ISO/IEC 27002 [2022][DE]",
                "uuid": "43fe08c3-c29c-42db-918b-901949981e83"
            },
            {
                "category": "Organisatorische Ma\u00dfnahmen",
                "code": "5.2",
                "label": "Informationssicherheitsrollen und -verantwortlichkeiten",
                "referential": "bc4bf7d8-d738-4093-9a1a-33bbd13af30f",
                "referential_label": "ISO/IEC 27002 [2022][DE]",
                "uuid": "32634bb6-e6eb-4d3e-b90c-53f5d8851d2e"
            },
            {
                "category": "Organisatorische Ma\u00dfnahmen",
                "code": "5.3",
                "label": "Aufgabentrennung",
                "referential": "bc4bf7d8-d738-4093-9a1a-33bbd13af30f",
                "referential_label": "ISO/IEC 27002 [2022][DE]",
                "uuid": "36f7a45c-3b8f-4dc9-bafb-77f9bb8ebb9c"
            },
            {
                "category": "Organisatorische Ma\u00dfnahmen",
                "code": "5.4",
                "label": "Verantwortlichkeiten der Leitung",
                "referential": "bc4bf7d8-d738-4093-9a1a-33bbd13af30f",
                "referential_label": "ISO/IEC 27002 [2022][DE]",
                "uuid": "accc7de7-51aa-43d0-a08e-508d824d24b1"
            }
        ],
        "version": 0
    },
    {
        "authors": [
            "Luminess"
        ],
        "label": "ISO/IEC 27002 [2022][FR]",
        "language": "FR",
        "refs": [
            "https://www.iso.org/standard/54533.html"
        ],
        "uuid": "831acc76-2bcc-4376-836a-f6b0ee6df568",
        "values": [
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.1",
                "label": "Politiques de s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "ac5590c1-5e43-4a29-87fb-5ba7416a0831"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.2",
                "label": "Fonctions et responsabilit\u00e9s li\u00e9es \u00e0 la s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "dcdebb24-3cf2-4c27-bb01-4cd04118e6f5"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.3",
                "label": "S\u00e9paration des t\u00e2ches",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "6ea4f43d-0d12-4edf-8191-bf469f25e252"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.4",
                "label": "Responsabilit\u00e9s de la direction",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "957e0fb3-f06e-4ef5-b152-f1045b3a576f"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.5",
                "label": "Contacts avec les autorit\u00e9s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "7a5c4510-1d09-481b-822d-2d58745d390b"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.6",
                "label": "Contacts avec des groupes d'int\u00e9r\u00eat sp\u00e9cifiques",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "33aa534c-482a-4503-919c-635ac65d084e"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.7",
                "label": "Renseignement sur les menaces",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "dca62889-6240-406e-8c94-5f418e7e004e"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.8",
                "label": "S\u00e9curit\u00e9 de l'information dans la gestion de projet",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "45d81142-d8b8-45c5-811b-8a636c404af8"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.9",
                "label": "Inventaire des informations et autres actifs associ\u00e9s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "48ecb62f-f73d-4c65-a8e4-2fa831346a70"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.10",
                "label": "Utilisation correcte des informations et autres actifs associ\u00e9s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "95882551-578c-4c0d-afe8-1dff2b251da4"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.11",
                "label": "Restitution des actifs",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "fb24425c-10df-4bc3-9b48-d72b952b92b5"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.12",
                "label": "Classification des informations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "4ca57d37-8fc9-4d15-b6a7-64416a520ac1"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.13",
                "label": "Marquage des informations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "006fc402-2bba-4bcb-85b6-7bb9de4c54cd"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.14",
                "label": "Transfert des informations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "1fbd96df-158c-47a2-8dc5-a22c6f915a79"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.15",
                "label": "Contr\u00f4le d'acc\u00e8s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "de075220-6acf-4ca7-837b-713b1f87f5f3"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.16",
                "label": "Gestion des identit\u00e9s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "d2cb623e-3cc6-46fd-bbe7-3239e5fa2626"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.17",
                "label": "Informations d'authentification",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "7fe8f85a-6c22-4680-b076-88d74ba5c4e3"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.18",
                "label": "Droits d'acc\u00e8s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "c26bedb1-42f5-4154-8cea-b923b1103cfe"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.19",
                "label": "S\u00e9curit\u00e9 de l'information dans les relations avec les fournisseurs",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "239e3bca-0b4b-4692-9ba1-9e2a73d6cc40"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.20",
                "label": "La s\u00e9curit\u00e9 de l'information dans les accords conclus avec les fournisseurs",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "0a23f517-b172-47b2-bc0a-0f693d2900b0"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.21",
                "label": "Gestion de la s\u00e9curit\u00e9 de l'information dans la cha\u00eene d'approvisionnement des technologies de l'information et de la communication (TIC)",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "86fdcdd5-2d94-43ad-aab1-ccc64b3e42f7"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.22",
                "label": "Surveillance, r\u00e9vision et gestion des changements des services fournisseurs",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "307d39d8-d31f-4b55-8a0e-9632cd0e380a"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.23",
                "label": "S\u00e9curit\u00e9 de l'information dans l'utilisation de services en nuage",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "e706a0d1-b2ce-4488-b8ae-905f88ab7e4d"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.24",
                "label": "Planification et pr\u00e9paration de la gestion des incidents de s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "07e0fb5e-7b82-4f85-b7c7-d22b205436b1"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.25",
                "label": "\u00c9valuation des \u00e9v\u00e9nements de s\u00e9curit\u00e9 de l'information et prise de d\u00e9cision",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "0aa214a8-51a6-45df-a279-03f04ea5c19e"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.26",
                "label": "R\u00e9ponse aux incidents de s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "865ca2d0-30e8-47f2-9f25-4256943a0d72"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.27",
                "label": "Tirer des enseignements des incidents de s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "1c03c68f-29a0-4606-b99d-072491f53e96"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.28",
                "label": "Collecte de preuves",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "432a79d3-45e9-477e-b63a-ab7566bb8590"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.29",
                "label": "S\u00e9curit\u00e9 de l'information pendant une perturbation",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "a197825e-e8f5-47f5-851d-66105a6fc3b2"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.30",
                "label": "Pr\u00e9paration des TIC pour la continuit\u00e9 d'activit\u00e9",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "4ca07c19-4442-41b8-81ef-bd105af640c8"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.31",
                "label": "Exigences l\u00e9gales, statutaires, r\u00e9glementaires et contractuelles",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "7f58e55e-17f5-4dca-a7e5-4566192fa8f1"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.32",
                "label": "Droits de propri\u00e9t\u00e9 intellectuelle",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "3d347675-c00a-4fa2-a0af-a5b66cbd8edd"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.33",
                "label": "Protection des enregistrements",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "9f8e81c8-8a90-4b5e-bcf1-ff2e8b4384e8"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.34",
                "label": "Protection de la vie priv\u00e9e et des donn\u00e9es \u00e0 caract\u00e8re personnel (DCP)",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "6a6b0a5f-4e3a-4845-94cc-890aee7f19d9"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.35",
                "label": "R\u00e9vision ind\u00e9pendante de la s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "41d38a42-6f44-4561-b0a2-801095d4eec9"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.36",
                "label": "Conformit\u00e9 aux politiques, r\u00e8gles et normes de s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "3ff683de-9ca5-482d-8423-06d4d8e315a3"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 organisationnelles",
                "code": "5.37",
                "label": "Proc\u00e9dures d'exploitation document\u00e9es",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "4c41ffb8-fbf4-48b7-9e16-52293fbcc3c3"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.1",
                "label": "S\u00e9lection des candidats",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "9e7bdc0e-1603-4545-a2cc-0650fe035e37"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.2",
                "label": "Termes et conditions du contrat de travail",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "83389b64-b080-4625-8e81-05174311e2d8"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.3",
                "label": "Sensibilisation, enseignement et formation en s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "bb6eac6b-129a-4ea8-8c26-3df5e05d9680"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.4",
                "label": "Processus disciplinaire",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "9acaadb0-2f58-4d9b-963b-7671ed0471a6"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.5",
                "label": "Responsabilit\u00e9s apr\u00e8s la fin ou le changement d'un emploi",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "e4ef6822-7f1f-46f8-9700-37cde17e81b8"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.6",
                "label": "Accords de confidentialit\u00e9 ou de non-divulgation",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "e283f5ed-3a64-4bed-b479-35e4cd8173e6"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.7",
                "label": "Travail \u00e0 distance",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "276430e7-47c5-461b-a5c4-7b46dae11759"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 applicables aux personnes",
                "code": "6.8",
                "label": "D\u00e9claration des \u00e9v\u00e9nements de s\u00e9curit\u00e9 de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "ed627a92-cb52-472a-aa2e-b981f8b12de5"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.1",
                "label": "P\u00e9rim\u00e8tres de s\u00e9curit\u00e9 physique",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "26fbd0ef-28da-4930-850f-8519da290fd4"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.2",
                "label": "Les entr\u00e9es physiques",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "14667423-4f22-49dd-a0fc-bbf3c25597d3"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.3",
                "label": "S\u00e9curisation des bureaux, des salles et des installations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "474fedbd-0b89-436c-ac04-41c21d6e7420"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.4",
                "label": "Surveillance de la s\u00e9curit\u00e9 physique",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "f439e26f-cec6-41cb-8c86-1b6c0f112ebf"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.5",
                "label": "Protection contre les menaces physiques et environnementales",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "07285d43-9ee2-406b-a9fa-3ad36650054b"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.6",
                "label": "Travail dans les zones s\u00e9curis\u00e9es",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "cb371cfa-e8d4-4a83-af29-2f8982929268"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.7",
                "label": "Bureau propre et \u00e9cran vide",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "069bd61a-62a9-4158-b5f9-59e4ee0c8614"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.8",
                "label": "Emplacement et protection du mat\u00e9riel",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "a3897661-541e-4c4c-9844-2981d8288ec6"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.9",
                "label": "S\u00e9curit\u00e9 des actifs hors des locaux",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "68c2f82b-83a3-4aaf-9bce-c57b3f537fa6"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.10",
                "label": "Supports de stockage",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "1167decd-0e55-4359-8fb2-599c490d89fa"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.11",
                "label": "Services supports",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "fc66f113-3f02-4354-8610-879b5467971a"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.12",
                "label": "S\u00e9curit\u00e9 du c\u00e2blage",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "00e9c4c9-c718-4834-a312-c08abb03838c"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.13",
                "label": "Maintenance du mat\u00e9riel",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "096b291e-bded-40aa-a3f7-492bcc5dcf4c"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 physique",
                "code": "7.14",
                "label": "\u00c9limination ou recyclage s\u00e9curis\u00e9(e) du mat\u00e9riel",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "43e73ea3-8fcd-455c-b05e-c5d8a747ec33"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.1",
                "label": "Terminaux finaux des utilisateurs",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "26f82aa2-2a5b-49d9-92dd-53a2d98d743f"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.2",
                "label": "Droits d'acc\u00e8s privil\u00e9gi\u00e9s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "8890016c-2883-4771-b346-2e8ec19ff2dd"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.3",
                "label": "Restriction d'acc\u00e8s aux informations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "8eda18e5-8a5e-404a-9f2b-1880fa0e400d"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.4",
                "label": "Acc\u00e8s aux codes source",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "b56726a8-3883-4893-ae75-2ba555411148"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.5",
                "label": "Authentification s\u00e9curis\u00e9e",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "1d9e4229-e86e-4cb1-8e63-fd30711040dd"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.6",
                "label": "Dimensionnement",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "e8d6402b-f022-494b-b289-3d5d98368e8e"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.7",
                "label": "Protection contre les programmes malveillants (malware)",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "f331b956-c83b-47b6-a563-09222b1ae7a0"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.8",
                "label": "Gestion des vuln\u00e9rabilit\u00e9s techniques",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "b2fc0199-a3a8-4386-88d1-0f3b776c3e5d"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.9",
                "label": "Gestion des configurations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "6f4468c5-06a6-4248-a82b-ef86601d6dd9"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.10",
                "label": "Suppression des informations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "af8efe54-1e09-44e8-818d-22dc5446b234"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.11",
                "label": "Masquage des donn\u00e9es",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "082e34b9-5811-485b-a81a-761e79918ebc"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.12",
                "label": "Pr\u00e9vention de la fuite de donn\u00e9es",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "c24dd798-1284-440e-82d3-78ef0d149ae6"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.13",
                "label": "Sauvegarde des informations",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "e2e52a80-4222-4f57-b471-92ce90a83ed7"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.14",
                "label": "Redondance des moyens de traitement de l'information",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "6a76bfdb-843e-4aa2-8cd7-f738f68845e4"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.15",
                "label": "Journalisation",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "6e2ed592-c992-4076-b9ec-b7e9a78a7029"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.16",
                "label": "Activit\u00e9s de surveillance",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "ba719d1a-81a3-485c-b9b5-fb6332fd3aff"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.17",
                "label": "Synchronisation des horloges",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "dab5cccf-c67d-45b0-a3d4-89ef9f51a2f2"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.18",
                "label": "Utilisation de programmes utilitaires \u00e0 privil\u00e8ges",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "9389f178-57cb-4b52-b464-5b983d10ae90"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.19",
                "label": "Installation de logiciels sur des syst\u00e8mes op\u00e9rationnels",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "5773b0a9-8687-4802-9f19-2d1fba45e6a5"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.20",
                "label": "S\u00e9curit\u00e9 des r\u00e9seaux",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "3cfb677a-cc3c-437d-aabf-c0ad88d740a5"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.21",
                "label": "S\u00e9curit\u00e9 des services r\u00e9seau",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "47ad87a1-dd3e-443e-8d82-2ec782979637"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.22",
                "label": "Cloisonnement des r\u00e9seaux",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "6c305573-67ac-488e-882a-8e94e6373355"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.23",
                "label": "Filtrage web",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "8a973656-95e8-4664-9e6c-c788b4ba0771"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.24",
                "label": "Utilisation de la cryptographie",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "1a0fe2b2-4401-4d3d-b4a2-53d7d95a76c9"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.25",
                "label": "Cycle de vie de d\u00e9veloppement s\u00e9curis\u00e9",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "3ddf1641-0529-44d2-8a23-b5811555cdd2"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.26",
                "label": "Exigences de s\u00e9curit\u00e9 des applications",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "8298dbd1-c18e-4f03-bb63-4867bfeaf716"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.27",
                "label": "Principes d'ing\u00e9nierie et d'architecture des syst\u00e8mes s\u00e9curis\u00e9s",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "497618e9-e495-42b6-b04e-21801f9c01f7"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.28",
                "label": "Codage s\u00e9curis\u00e9",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "2452bf90-43da-46d9-9dee-05d73b9fce09"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.29",
                "label": "Tests de s\u00e9curit\u00e9 dans le d\u00e9veloppement et l'acceptation",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "991f8c55-2da0-4dbf-b604-cbadc8df8389"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.30",
                "label": "D\u00e9veloppement externalis\u00e9",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "d5f93f4a-eac7-4200-b90b-c02db54c76f4"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.31",
                "label": "S\u00e9paration des environnements de d\u00e9veloppement, de test et op\u00e9rationnels",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "00383120-11a9-4b95-bfb9-47b3d4975bcb"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.32",
                "label": "Gestion des changements",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "866a0676-f2bd-4499-ba25-cd6f9466969a"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.33",
                "label": "Informations de test",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "7df0a5ac-79b3-416c-8a38-c22f5c4d94d5"
            },
            {
                "category": "Mesures de s\u00e9curit\u00e9 technologiques",
                "code": "8.34",
                "label": "Protection des syst\u00e8mes d'information pendant les tests d'audit",
                "referential": "831acc76-2bcc-4376-836a-f6b0ee6df568",
                "referential_label": "ISO/IEC 27002 [2022][FR]",
                "uuid": "744146f1-5a14-43c0-b675-8c2649486f64"
            }
        ],
        "version": 1,
        "version_ext": "ISO/IEC 27002:2022"
    },
    {
        "authors": [
            "Consortium GARR [www.garr.it]"
        ],
        "label": "Cybersecurity Framework v. 2.0",
        "language": "IT",
        "refs": [
            "https://www.cybersecurityframework.it"
        ],
        "uuid": "3b1976ac-0d28-4091-ac16-db043108fd16",
        "values": [
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1.ID.AM-1",
                "label": "Sono censiti i sistemi e gli apparati fisici in uso nell'organizzazione",
                "uuid": "84138a92-41d0-4cdb-9e3d-80771e8fd131"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1.ID.AM-2",
                "label": "Sono censite le piattaforme e le applicazioni software in uso nell'organizzazione",
                "uuid": "4dc6ba68-1f3d-4d86-9f0f-5335f20444ef"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1.ID.AM-3",
                "label": "I flussi di dati e comunicazioni inerenti l'organizzazione sono identificati",
                "uuid": "55479734-9577-4ee4-a411-cbf6bbb06832"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1.ID.AM-4",
                "label": "I sistemi informativi esterni all'organizzazione sono catalogati",
                "uuid": "41247f94-084f-4a90-bba0-daf0983cb572"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1.ID.AM-5",
                "label": "Le risorse (es: hardware, dispositivi, dati, allocazione temporale, personale e software) sono prioritizzate in base alla loro classificazione (e.g. confidenzialit\u00e0, integrit\u00e0, disponibilit\u00e0), criticit\u00e0 e valore per il business dell'organizzazione",
                "uuid": "2bc5807b-14de-4360-9992-332c1962d97d"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1.ID.AM-6",
                "label": "Sono definiti e resi noti ruoli e responsabilit\u00e0 inerenti la cybersecurity per tutto il personale e per eventuali terze parti rilevanti (es. fornitori, clienti, partner)",
                "uuid": "b29ec75b-aad8-485d-aa8d-1d47b87bd94f"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1a.DP-ID.AM-7",
                "label": "Sono definiti e resi noti ruoli e responsabilit\u00e0 inerenti al trattamento e la protezione dei dati personali per tutto il personale e per eventuali terze parti rilevanti (es. fornitori, clienti, partner)",
                "uuid": "fc71a31f-cd4d-4a11-9459-b5977b7cc920"
            },
            {
                "category": "Asset Management (ID.AM)",
                "code": "1.1a.DP-ID.AM-8",
                "label": "I trattamenti di dati personali sono identificati e catalogati",
                "uuid": "055c813b-f053-4c5b-8db4-f927a7aa2ae7"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1.2.ID.BE-1",
                "label": " Il ruolo dell'organizzazione all'interno della filiera produttiva \u00e8 identificato e reso noto",
                "uuid": "b89649b6-bd4f-47dc-b52e-218e049aa3f4"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1.2.ID.BE-2",
                "label": " Il ruolo dell'organizzazione come infrastruttura critica e nel settore industriale di riferimento \u00e8 identificato e reso noto",
                "uuid": "0e6252ee-89e0-4160-bb7f-25d5e05aea43"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1.2.ID.BE-3",
                "label": " Sono definite e rese note delle priorit\u00e0 per quanto riguarda la missione, gli obiettivi e le attivit\u00e0 dell'organizzazione",
                "uuid": "333cccaa-780f-4b7b-92d8-eb794a503a82"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1.2.ID.BE-4",
                "label": " Sono identificate e rese note interdipendenze e funzioni fondamentali per la fornitura di servizi critici",
                "uuid": "c6020a33-5dba-4b23-8675-1a1f9822f73a"
            },
            {
                "category": "Business Environment (ID.BE)",
                "code": "1.2.ID.BE-5",
                "label": " Sono identificati e resi noti i requisiti di resilienza a supporto della fornitura di servizi critici per tutti gli stati di esercizio (es. sotto stress/attacco, in fase di recovery, normale esercizio)",
                "uuid": "79989e0a-b83f-4a5d-961c-cf51e4c6964f"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1.3.ID.GV-1",
                "label": " \u00c8 identificata e resa nota una policy di cybersecurity",
                "uuid": "e6bb37ed-bf75-4d68-b815-a0d5b60ef252"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1.3.ID.GV-2",
                "label": " Ruoli e responsabilit\u00e0 inerenti la cybersecurity sono coordinati ed allineati con i ruoli interni ed i partner esterni",
                "uuid": "9a74326c-cc6f-489c-b178-1a12ddc0fece"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1.3.ID.GV-3",
                "label": " I requisiti legali in materia di cybersecurity, con l'inclusione degli obblighi riguardanti la privacy e le libert\u00e0 civili, sono compresi e gestiti",
                "uuid": "e71480cc-df70-409b-9d14-79ea41ad0316"
            },
            {
                "category": "Governance (ID.GV)",
                "code": "1.3.ID.GV-4",
                "label": " La governance ed i processi di risk management includono la gestione dei rischi legati alla cybersecurity",
                "uuid": "78e4cb22-8520-48e0-a01f-9809fa7a2928"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1.4.ID.RA-1",
                "label": " Le vulnerabilit\u00e0 delle risorse (es. sistemi, locali, dispositivi) dell'organizzazione sono identificate e documentate",
                "uuid": "c102ef43-4c4b-46fe-94c2-395beacf30a9"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1.4.ID.RA-2",
                "label": " L'organizzazione riceve informazioni su minacce, vulnerabilit\u00e0 ed altri dati configurabili come Cyber Threat Intelligence da fonti esterne (e.g. CERT, fonti aperte, forum di information sharing)",
                "uuid": "7f8d9b8e-55ac-47da-a1d7-e6c650b63993"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1.4.ID.RA-3",
                "label": " Le minacce, sia interne che esterne, sono identificate e documentate",
                "uuid": "539b0ec8-6760-4a02-af98-e566f16b96d6"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1.4.ID.RA-4",
                "label": " Sono identificati i potenziali impatti sul business e le relative probabilit\u00e0 di accadimento",
                "uuid": "c3853ebc-1b17-4e7f-bd24-b9163bd2e451"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1.4.ID.RA-5",
                "label": " Le minacce, le vulnerabilit\u00e0, le relative probabilit\u00e0 di accadimento e conseguenti impatti sono utilizzati per determinare il rischio",
                "uuid": "3dfe3919-dcd5-4799-9931-927cea4b3183"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1.4.ID.RA-6",
                "label": " Sono identificate e prioritizzate le risposte al rischio",
                "uuid": "522f0662-c830-4a84-8a52-ca8f91641114"
            },
            {
                "category": "Risk Assessment (ID.RA)",
                "code": "1.4a.DP-ID.RA-7",
                "label": " Viene effettuata una valutazione di impatto sulla protezione dei dati personali",
                "uuid": "78d35a37-b479-4486-9ca9-223d42d4a803"
            },
            {
                "category": "Risk Management Strategy (ID.RM)",
                "code": "1.5.ID.RM-1",
                "label": " I processi di risk management sono stabiliti, gestiti e concordati tra i responsabili dell'organizzazione (c.d. stakeholder)",
                "uuid": "84a3c69a-c202-482c-a02e-0cf701d181bd"
            },
            {
                "category": "Risk Management Strategy (ID.RM)",
                "code": "1.5.ID.RM-2",
                "label": " Il rischio tollerato dall'organizzazione \u00e8 identificato ed espresso chiaramente",
                "uuid": "abc86189-bedb-4704-913c-f1a029813ac5"
            },
            {
                "category": "Risk Management Strategy (ID.RM)",
                "code": "1.5.ID.RM-3",
                "label": " Il rischio tollerato \u00e8 determinato tenendo conto del ruolo dell'organizzazione come infrastruttura critica e dei rischi specifici presenti nel settore industriale di appartenenza",
                "uuid": "8e497367-d331-4936-a67b-9b683a4952e8"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1.6.ID.SC-1",
                "label": " I processi di gestione del rischio inerenti la catena di approvvigionamento cyber sono identificati, ben definiti, validati, gestiti e approvati da attori interni all'organizzazione",
                "uuid": "8c187922-0450-4d65-bef3-48df8078f7c7"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1.6.ID.SC-2",
                "label": " I fornitori e i partner terzi di sistemi informatici, componenti e servizi sono identificati, prioritizzati e valutati utilizzando un processo di valutazione del rischio inerente la catena di approvvigionamento cyber",
                "uuid": "1a51b54a-e0ac-45dc-bba7-8d142b67b32a"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1.6.ID.SC-3",
                "label": " I contratti con i fornitori e i partner terzi sono utilizzati per realizzare appropriate misure progettate per rispettare gli obiettivi del programma di cybersecurity dell'organizzazione e del Piano di Gestione del Rischio della catena di approvvigionamento cyber",
                "uuid": "3ddd9057-012f-4c52-bcb2-81b739592f59"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1.6.ID.SC-4",
                "label": " Fornitori e partner terzi sono regolarmente valutati utilizzando audit, verifiche, o altre forme di valutazione per confermare il rispetto degli obblighi contrattuali",
                "uuid": "95b33d81-a932-418e-adb5-8fdf227b17a0"
            },
            {
                "category": "Supply Chain Risk Management (ID.SC)",
                "code": "1.6.ID.SC-5",
                "label": " La pianificazione e la verifica della risposta e del ripristino sono condotti con i fornitori e i partner terzi",
                "uuid": "69cd9d82-dd9c-4a80-a572-54bd8f125891"
            },
            {
                "category": "Data Management (DP-ID.DM)",
                "code": "1.7.DP-ID.DM-1",
                "label": " Il ciclo di vita dei dati \u00e8 definito e documentato",
                "uuid": "8491c560-2f47-43e4-983b-934a7dd6d157"
            },
            {
                "category": "Data Management (DP-ID.DM)",
                "code": "1.7.DP-ID.DM-2",
                "label": " Sono definiti, implementati e documentati i processi riguardanti l'informazione dell'interessato in merito al trattamento dei dati",
                "uuid": "053542b5-089c-4b54-936c-929981f6265e"
            },
            {
                "category": "Data Management (DP-ID.DM)",
                "code": "1.7.DP-ID.DM-3",
                "label": " Sono definiti, implementati e documentati i processi di raccolta e revoca del consenso dell'interessato al trattamento di dati",
                "uuid": "d7d8ef0d-03ca-47e9-b011-d1ae6597947a"
            },
            {
                "category": "Data Management (DP-ID.DM)",
                "code": "1.7.DP-ID.DM-4",
                "label": " Sono definiti, implementati e documentati i processi per l'esercizio dei diritti (accesso, rettifica, cancellazione, ecc.) dell'interessato",
                "uuid": "dd0fed00-a05e-4201-8615-89c9ed3293cc"
            },
            {
                "category": "Data Management (DP-ID.DM)",
                "code": "1.7.DP-ID.DM-5",
                "label": " Sono definiti, implementati e documentati i processi di trasferimento dei dati in ambito internazionale",
                "uuid": "0b1b121d-0def-4816-9b4b-ce763522ce13"
            },
            {
                "category": "Identity Management, Authentication and Access Control (PR.AC)",
                "code": "2.1.PR.AC-1",
                "label": " Le identit\u00e0 digitali e le credenziali di accesso per gli utenti, i dispositivi e i processi autorizzati sono amministrate, verificate, revocate e sottoposte a audit sicurezza",
                "uuid": "e520a460-bdb8-4d66-9a68-9226c4e13cfa"
            },
            {
                "category": "Identity Management, Authentication and Access Control (PR.AC)",
                "code": "2.1.PR.AC-2",
                "label": " L'accesso fisico alle risorse \u00e8 protetto e amministrato",
                "uuid": "8b2b130a-d307-4795-928a-1d9f07877c9d"
            },
            {
                "category": "Identity Management, Authentication and Access Control (PR.AC)",
                "code": "2.1.PR.AC-3",
                "label": " L'accesso remoto alle risorse \u00e8 amministrato",
                "uuid": "e95b4660-4b53-4bc0-8e37-1d5d429a6d78"
            },
            {
                "category": "Identity Management, Authentication and Access Control (PR.AC)",
                "code": "2.1.PR.AC-4",
                "label": " I diritti di accesso alle risorse e le relative autorizzazioni sono amministrati secondo il principio del privilegio minimo e della separazione delle funzioni",
                "uuid": "c6923165-ee8a-4fb2-bbd5-50cbd71d63c6"
            },
            {
                "category": "Identity Management, Authentication and Access Control (PR.AC)",
                "code": "2.1.PR.AC-5",
                "label": " L'integrit\u00e0 di rete \u00e8 protetta (es. segregazione di rete, segmentazione di rete)",
                "uuid": "86d4153e-42af-4f8e-9495-a987726a452e"
            },
            {
                "category": "Identity Management, Authentication and Access Control (PR.AC)",
                "code": "2.1.PR.AC-6",
                "label": " Le identit\u00e0 sono comprovate, associate a credenziali e verificate durante le interazioni",
                "uuid": "ad8fb9a2-5b5e-4f95-ba69-5bf6c49fe559"
            },
            {
                "category": "Identity Management, Authentication and Access Control (PR.AC)",
                "code": "2.1.PR.AC-7",
                "label": " Le modalit\u00e0 di autenticazione (es. autenticazione a fattore singolo o multiplo) per gli utenti, i dispositivi e altri asset sono commisurate al rischio della transazione (es. rischi legati alla sicurezza e privacy degli individui e altri rischi dell'organizzazione)",
                "uuid": "657cab82-56a2-4fd9-99ee-17a99e22884d"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2.2.PR.AT-1",
                "label": " Tutti gli utenti sono informati e addestrati ",
                "uuid": "8a18161b-a76f-4d4f-9ab6-790b0dc095c9"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2.2.PR.AT-2",
                "label": " Gli utenti con privilegi (es. Amministratori di Sistema) comprendono i loro ruoli e responsabilit\u00e0 ",
                "uuid": "f46f1bd9-6325-417f-917c-603a1f59c4be"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2.2.PR.AT-3",
                "label": " Tutte le terze parti (es. fornitori, clienti, partner) comprendono i loro ruoli e responsabilit\u00e0 ",
                "uuid": "a89c1e4d-34cc-44a6-b9ef-745011ea205c"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2.2.PR.AT-4",
                "label": " I dirigenti ed i vertici aziendali comprendono i loro ruoli e responsabilit\u00e0 ",
                "uuid": "dbfc1342-5cbc-4ea1-ac1a-2026b530b47f"
            },
            {
                "category": "Awareness and Training (PR.AT)",
                "code": "2.2.PR.AT-5",
                "label": " Il personale addetto alla sicurezza fisica e alla cybersecurity comprende i suoi ruoli e responsabilit\u00e0 ",
                "uuid": "b585efcf-3fbf-4b0a-a94a-2ab0eced9b8a"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-1",
                "label": " I dati memorizzati sono protetti",
                "uuid": "d7db880a-5d0e-42c5-a5f4-c53d3cf5cf3a"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-2",
                "label": " I dati sono protetti durante la trasmissione",
                "uuid": "fdefe408-c539-4af5-8cab-ae45a09563df"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-3",
                "label": " Il trasferimento fisico,  la rimozione e la distruzione dei dispositivi atti alla memorizzazione di dati sono gestiti attraverso un processo formale",
                "uuid": "c56b3cd7-32da-4773-aa95-3a0ec0455f60"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-4",
                "label": " I sistemi hanno adeguate risorse a disposizione per poter garantire la disponibilit\u00e0",
                "uuid": "199e81e0-171e-4ae3-a116-894e9137b318"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-5",
                "label": " Sono implementate tecniche di protezione (es. controllo di accesso) contro la sottrazione dei dati (data leak).",
                "uuid": "b36e3766-6225-4dab-83b2-22e2dba74c9c"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-6",
                "label": " Sono impiegati meccanismi di controllo dell'integrit\u00e0 dei dati per verificare l'autenticit\u00e0 di software, firmware e delle informazioni",
                "uuid": "d280c6c5-9564-412a-92ca-298d9df91e50"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-7",
                "label": " Gli ambienti di sviluppo e test sono separati dall'ambiente di produzione",
                "uuid": "8cc43966-a771-441a-aea0-d30798a08e97"
            },
            {
                "category": "Data Security (PR.DS)",
                "code": "2.3.PR.DS-8",
                "label": " Sono impiegati meccanismi di controllo dell'integrit\u00e0 per verificare l'integrit\u00e0 del hardware",
                "uuid": "b2c462ac-7b2d-44a7-8637-01579385d523"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-1",
                "label": " Sono definite e gestite delle pratiche di riferimento (c.d. baseline) per la configurazione dei sistemi IT e di controllo industriale che incorporano principi di sicurezza (es. principio di minima funzionalit\u00e0)",
                "uuid": "0a464452-81b8-4a13-a962-641c3e8d3b4a"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-2",
                "label": " Viene implementato un processo per la gestione del ciclo di vita dei sistemi (System Development Life Cycle).",
                "uuid": "8fbe2c06-01a8-456a-b97a-d305aab4a4c5"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-3",
                "label": " Sono attivi processi di controllo della modifica delle configurazioni",
                "uuid": "f3f9699b-1730-48ed-8ed0-b3c88fdc1847"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-4",
                "label": " I backup delle informazioni sono eseguiti, amministrati e verificati ",
                "uuid": "179343ae-0cf7-4b39-a66e-9d9670c47d08"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-5",
                "label": " Sono rispettate le policy ed i regolamenti relativi agli ambienti fisici in cui operano le risorse dell'organizzazione",
                "uuid": "d414d4c6-01b3-48bd-bcb2-075f922427d8"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-6",
                "label": " I dati sono distrutti in conformit\u00e0 con le policy",
                "uuid": "634af946-334a-449b-a3dc-39d6717c2aed"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-7",
                "label": " I processi di protezione sono sottoposti a miglioramenti",
                "uuid": "753ee2a1-2bea-4893-a0bb-c44f3b0ac306"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-8",
                "label": " L'efficacia delle tecnologie di protezione viene condivisa",
                "uuid": "c9d007e5-ad37-4532-b3c0-6c6582d513f5"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-9",
                "label": " Sono attivi ed amministrati piani di risposta (Incident Response e Business Continuity) e recupero (Incident Recovery e Disaster Recovery) in caso di incidente/disastro",
                "uuid": "59e36de2-8cd8-43ad-b4a5-bc3367291589"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-10",
                "label": " I piani di risposta e recupero a seguito di incidenti/disastri sono verificati nel tempo",
                "uuid": "d198e765-c7f8-4a18-a7d0-9ccb7ee22e77"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-11",
                "label": " Le problematiche inerenti la cybersecurity sono incluse nei processi di gestione del personale (es: screening, deprovisioning)",
                "uuid": "d6ba7937-513f-4ca3-ae65-f8a501ebb5d8"
            },
            {
                "category": "Information Protection Processes and Procedures (PR.IP)",
                "code": "2.4.PR.IP-12",
                "label": " Viene sviluppato e implementato un piano di gestione delle vulnerabilit\u00e0",
                "uuid": "19cee290-e181-43a7-95b7-a9a4a0bc1397"
            },
            {
                "category": "Maintenance (PR.MA)",
                "code": "2.5.PR.MA-1",
                "label": " La manutenzione e la riparazione delle risorse e dei sistemi \u00e8 eseguita e registrata con strumenti controllati ed autorizzati",
                "uuid": "a0be9ff4-b7e3-4bea-9c1a-1e9061f419e6"
            },
            {
                "category": "Maintenance (PR.MA)",
                "code": "2.5.PR.MA-2",
                "label": " La manutenzione remota delle risorse e dei sistemi \u00e8 approvata, documentata e svolta in modo da evitare accessi non autorizzati",
                "uuid": "be58b985-5461-4905-b234-5fc825d2a082"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2.6.PR.PT-1",
                "label": " Esiste ed \u00e8 attuata una policy per definire, implementare e revisionare i log dei sistemi",
                "uuid": "ff10d792-9d1e-4c22-9292-a2fa7d71ed7c"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2.6.PR.PT-2",
                "label": " I supporti di memorizzazione removibili sono protetti ed il loro uso \u00e8 ristretto in accordo alle policy",
                "uuid": "da9f7340-0a01-4c03-a251-75050a5f5b4e"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2.6.PR.PT-3",
                "label": " Viene adottato il principio di minima funzionalit\u00e0 configurando i sistemi in modo che forniscano solo le funzionalit\u00e0 necessarie",
                "uuid": "3b60881b-a2c3-4281-8c68-d06b81dde9d9"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2.6.PR.PT-4",
                "label": " Le reti di comunicazione e controllo sono protette",
                "uuid": "0f283c7f-d6c2-424f-9f4f-86012a83e618"
            },
            {
                "category": "Protective Technology (PR.PT)",
                "code": "2.6.PR.PT-5",
                "label": " Sono implementati meccanismi (es. failsafe, load balancing, hot swap) che permettono di soddisfare requisiti di resilienza sia durante il normale esercizio che in situazioni avverse",
                "uuid": "cddde647-c977-42f6-bd99-bfd3d403aeb4"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3.1.DE.AE-1",
                "label": " Sono definite, rese note e gestite delle pratiche di riferimento (c.d. baseline) inerenti l'utilizzo della rete ed i flussi informativi attesi per utenti e sistemi",
                "uuid": "19e8baa2-1f65-486c-8f8a-4b6c6063e113"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3.1.DE.AE-2",
                "label": " Gli eventi rilevati vengono analizzati per comprendere gli obiettivi e le metodologie dell'attacco",
                "uuid": "138b73de-0fb8-4be9-a427-d3657cef1277"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3.1.DE.AE-3",
                "label": " Le informazioni relative agli eventi sono raccolte e correlate da sensori e sorgenti multiple",
                "uuid": "d5df4426-ab20-467c-9781-bd62c50fd5c7"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3.1.DE.AE-4",
                "label": " Viene determinato l'impatto di un evento",
                "uuid": "93baabab-5a69-4175-b4c7-505e625cf251"
            },
            {
                "category": "Anomalies and Events (DE.AE)",
                "code": "3.1.DE.AE-5",
                "label": " Vengono definite delle soglie di allerta per gli incidenti",
                "uuid": "57583b78-ad59-431a-b4fa-51b6162c83c0"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-1",
                "label": " Viene svolto il monitoraggio della rete informatica per rilevare potenziali eventi di cybersecurity",
                "uuid": "d50ef5a1-bcbe-429e-bd86-ffcdfeece362"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-2",
                "label": " Viene svolto il monitoraggio degli spazi fisici per rilevare potenziali eventi di cybersecurity",
                "uuid": "851bcdea-9226-4379-883e-bb95975d2cb9"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-3",
                "label": " Viene svolto il monitoraggio del personale per rilevare potenziali eventi di cybersecurity",
                "uuid": "b2f733f0-eb19-4dd4-9e8c-6b8f4f4e6054"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-4",
                "label": " Il codice malevolo viene rilevato",
                "uuid": "7bd761cc-be09-4ff1-955f-ca7f13bcb54e"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-5",
                "label": " Il codice non autorizzato su dispositivi mobili viene rilevato",
                "uuid": "ec72e9bd-6076-4014-b6be-c163872a6a22"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-6",
                "label": " Viene svolto il monitoraggio delle attivit\u00e0 dei service provider esterni per rilevare potenziali eventi di cybersecurity",
                "uuid": "36053532-f7cf-4023-a55d-d04799f024e9"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-7",
                "label": " Viene svolto il monitoraggio per rilevare personale, connessioni, dispositivi o software non autorizzati",
                "uuid": "cf9df479-d460-40fe-94e0-6e454e96e7b8"
            },
            {
                "category": "Security Continuous Monitoring (DE.CM)",
                "code": "3.2.DE.CM-8",
                "label": " Vengono svolte scansioni per l'identificazione di vulnerabilit\u00e0",
                "uuid": "a050008d-ce2e-4868-9759-5d8ea4a87296"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3.3.DE.DP-1",
                "label": " Ruoli e responsabilit\u00e0 per i processi di monitoraggio sono ben definiti al fine di garantire l'accountability",
                "uuid": "b622c30b-5be3-4ab6-a286-f05e45f13220"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3.3.DE.DP-2",
                "label": " Le attivit\u00e0 di monitoraggio soddisfano tutti i requisiti applicabili",
                "uuid": "5f5383ab-29c2-4ec7-8123-88a42363b007"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3.3.DE.DP-3",
                "label": " I processi di monitoraggio vengono testati",
                "uuid": "366274c5-b852-4463-ae2d-673ac4ce691d"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3.3.DE.DP-4",
                "label": " L'informazione relativa agli eventi rilevati viene comunicata",
                "uuid": "32b83104-6c94-4e95-8a69-36748802fd2c"
            },
            {
                "category": "Detection Processes (DE.DP)",
                "code": "3.3.DE.DP-5",
                "label": " I processi di monitoraggio sono oggetto di periodici miglioramenti e perfezionamenti",
                "uuid": "19295d00-29ae-49ca-978a-ef692e4c6194"
            },
            {
                "category": "Response Planning (RS.RP)",
                "code": "4.1.RS.RP-1",
                "label": " Esiste un piano di risposta (response plan) e questo viene eseguito durante o dopo un incidente",
                "uuid": "79e3059f-7bc6-4db1-93e0-3ef24f41b90e"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4.2.RS.CO-1",
                "label": " Il personale conosce il proprio ruolo e le operazioni che deve svolgere in caso sia necessaria una risposta ad un incidente",
                "uuid": "6b86edbb-0fbf-45e8-9367-1c370ae1e8a6"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4.2.RS.CO-2",
                "label": " Sono stabiliti dei criteri per documentare gli incidenti",
                "uuid": "97b64b04-6b59-4549-96ab-27616f6f87f6"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4.2.RS.CO-3",
                "label": " Le informazioni sono condivise in maniera coerente con il piano di risposta",
                "uuid": "cc8b76a3-1fba-4d83-956e-55e3b06b7aeb"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4.2.RS.CO-4",
                "label": " Il coordinamento con le parti interessate dell'organizzazione avviene in coerenza con i piani di risposta",
                "uuid": "b8764c97-45b0-4ea3-ab24-f0a555d6dadb"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4.2.RS.CO-5",
                "label": " \u00c8 attuata una condivisione spontanea delle informazioni con le parti interessate esterne all'organizzazione (information sharing) per ottenere una maggior consapevolezza della situazione (c.d. situational awareness)",
                "uuid": "f43e846e-e1ca-416e-b719-85ff613eacdb"
            },
            {
                "category": "Communications (RS.CO)",
                "code": "4.2a.DP-RS.CO-6",
                "label": " Gli incidenti che si configurano come violazioni di dati personali sono documentati ed eventualmente vengono informati le autorit\u00e0 di riferimento e gli interessati",
                "uuid": "45d017f7-171c-4b39-bd7b-c36d9a086af7"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4.3.RS.AN-1",
                "label": " Le notifiche provenienti dai sistemi di monitoraggio vengono sempre visionate e analizzate",
                "uuid": "6039fa58-6d7e-42c2-b537-d09253980e2e"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4.3.RS.AN-2",
                "label": " Viene compreso l'impatto di ogni incidente",
                "uuid": "7627ebc0-7590-4032-83e3-c25c14f0e24c"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4.3.RS.AN-3",
                "label": " A seguito di un incidente viene svolta un'analisi forense",
                "uuid": "7b107db4-f437-49f5-92e0-df180a158b41"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4.3.RS.AN-4",
                "label": " Gli incidenti sono categorizzate in maniera coerente con i piani di risposta",
                "uuid": "f4571b0d-6630-492f-8321-41dde3197605"
            },
            {
                "category": "Analysis (RS.AN)",
                "code": "4.3.RS.AN-5",
                "label": " Sono definiti processi per ricevere, analizzare e rispondere a informazioni inerenti vulnerabilit\u00e0 rese note da fonti interne o esterne all'organizzazione (es. test interni, bollettini di sicurezza, o ricercatori in sicurezza)",
                "uuid": "c481413c-993c-49c4-90e8-f2f5b0d635af"
            },
            {
                "category": "Mitigation (RS.MI)",
                "code": "4.4.RS.MI-1",
                "label": " In caso di incidente vengono messe in atto procedure atte a contenerne l'impatto",
                "uuid": "fb2d8e74-c78f-42f7-be32-16a0c9864049"
            },
            {
                "category": "Mitigation (RS.MI)",
                "code": "4.4.RS.MI-2",
                "label": " In caso di incidente vengono messe in atto procedure atte a mitigarne gli effetti",
                "uuid": "3c1d41ca-44ac-4711-916e-2ea646ee7506"
            },
            {
                "category": "Mitigation (RS.MI)",
                "code": "4.4.RS.MI-3",
                "label": " Le nuove vulnerabilit\u00e0 sono mitigate o documentate come rischio accettato",
                "uuid": "1bd11353-4a30-42d3-a206-3e309cf1150a"
            },
            {
                "category": "Improvements (RS.IM)",
                "code": "4.5.RS.IM-1",
                "label": " I piani di risposta agli incidenti tengono in considerazione le esperienze passate (lesson learned)",
                "uuid": "9f7579fc-71d2-4eab-9bcc-5b52b45529bf"
            },
            {
                "category": "Improvements (RS.IM)",
                "code": "4.5.RS.IM-2",
                "label": " Le strategie di risposta agli incidenti sono aggiornate",
                "uuid": "2b891a3b-dde4-4ce3-a59f-85c74d506542"
            },
            {
                "category": "Recovery Planning (RC.RP)",
                "code": "5.1.RC.RP-1",
                "label": " Esiste un piano di ripristino (recovery plan) e viene eseguito durante o dopo un incidente di cybersecurity",
                "uuid": "6bd639fd-0fac-4b20-ae90-21569003d7af"
            },
            {
                "category": "Improvements (RC.IM)",
                "code": "5.2.RC.IM-1",
                "label": " I piani di riprisitino tengono in considerazione le esperienze passate (lesson learned)",
                "uuid": "6a099d23-7edf-434a-bf56-67632206fa1f"
            },
            {
                "category": "Improvements (RC.IM)",
                "code": "5.2.RC.IM-2",
                "label": " Le strategie di recupero sono aggiornate",
                "uuid": "f3bd034b-8e54-4a77-8e9b-36ffd57943da"
            },
            {
                "category": "Communications (RC.CO)",
                "code": "5.3.RC.CO-1",
                "label": " A seguito di un incidente vengono gestite le pubbliche relazioni",
                "uuid": "cb2ee8c9-26bc-478f-8ce9-9b9698bda7f3"
            },
            {
                "category": "Communications (RC.CO)",
                "code": "5.3.RC.CO-2",
                "label": " A seguito di un incidente viene ripristinata la reputazione ",
                "uuid": "f0992b88-7853-4d43-ac5c-478434456d59"
            },
            {
                "category": "Communications (RC.CO)",
                "code": "5.3.RC.CO-3",
                "label": " Le attivit\u00e0 di ripristino condotte a seguito di un incidente vengono comunicate alle parti interessate interne ed esterne all'organizzazione, inclusi i dirigenti ed i vertici dell'organizzazione",
                "uuid": "ed168887-4bd7-4d3e-9ecb-8d88970c49df"
            }
        ],
        "version": 2,
        "version_ext": "0"
    }
]