The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
The entity identifies, inventories, classifies, and manages information assets.
Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.
New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk.
Processes are in place to protect encryption keys during generation, storage, use, and destruction.
- CRY-01 - Use of Cryptographic Controls
- CRY-03 - Transmission Confidentiality
- CRY-05 - Encrypting Data At Rest
- CRY-08 - Public Key Infrastructure (PKI)
- CRY-09 - Cryptographic Key Management
- CRY-09.1 - Symmetric Keys
- CRY-09.2 - Asymmetric Keys
- IAC-01 - Identity & Access Management (IAM)
- IAC-02 - Identification & Authentication for Organizational Users
- IAC-03 - Identification & Authentication for Non-Organizational Users
- IAC-04 - Identification & Authentication for Devices
- IAC-05 - Identification & Authentication for Third Party Systems & Services
- IAC-08 - Role-Based Access Control (RBAC)
- IAC-09 - Identifier Management (User Names)
- IAC-09.1 - User Identity (ID) Management
- IAC-10 - Authenticator Management
- IAC-10.8 - Vendor-Supplied Defaults
- IAC-15 - Account Management
- IAC-16 - Privileged Account Management (PAM)
- IAC-20 - Access Enforcement
- IAC-21 - Least Privilege
- NET-01 - Network Security Controls (NSC)
- NET-03 - Boundary Protection
- NET-03.1 - Limit Network Connections
- NET-04 - Data Flow Enforcement – Access Control Lists (ACLs)
- NET-05.1 - External System Connections
- NET-06 - Network Segmentation
- NET-06.1 - Security Management Subnets