Cyberfundamentals Basic
Requirements
ID.AM- Asset management
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
ID.AM-1- Physical devices and systems within the organization are inventoried
An inventory of assets associated with information and information processing facilities within the organization shall be documented, reviewed, and updated when changes occur.
ID.AM-2- Software platforms and applications within the organization are inventoried
An inventory that reflects what software platforms and applications are being used in the organization shall be documented, reviewed, and updated when changes occur.
ID.AM-3- Organizational communication and data flows are mapped
Information that the organization stores and uses shall be identified.
ID.AM-5- Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
The organization’s resources (hardware, devices, data, time, personnel, information, and software) shall be prioritized based on their classification, criticality, and business value.
ID.GV- Governance
The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1- Organizational cybersecurity policy is established and communicated
Policies and procedures for information security and cyber security shall be created, documented, reviewed, approved, and updated when changes occur.
ID.GV-3- Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Legal and regulatory requirements regarding information/cybersecurity, including privacy obligations, shall be understood and implemented.
ID.GV-4- Governance and risk management processes address cybersecurity risks
As part of the company's overall risk management, a comprehensive strategy to manage information security and cybersecurity risks shall be developed and updated when changes occur.
ID.RA- Risk Assessment
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
PR.AC- Access Control
Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
PR.AC-1- Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
Identities and credentials for authorized devices and users shall be managed.
PR.AC-2- Physical access to assets is managed and protected
Physical access to the facility, servers and network components shall be managed.
PR.AC-3- Remote access is managed
The organisation's wireless access points shall be secured.
The organization's networks when accessed remotely shall be secured, including through multi-factor authentication (MFA).
PR.AC-4- Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
Access permissions for users to the organization’s systems shall be defined and managed.
It shall be identified who should have access to the organization's business-critical information and technology, and the means by which they get that access.
Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle of Least Privilege).
Nobody shall have administrator privileges for daily tasks.
PR.AC-5- Network integrity is protected (e.g., network segregation, network segmentation)
Firewalls shall be installed and activated on all the organization's networks.
Where appropriate, network integrity of the organization's critical systems shall be protected by incorporating network segmentation and segregation.
PR.AT- Awareness and Training
PR.AT-1- All users are informed and trained
Employees shall be trained as appropriate.
PR.DS- Data Security
PR.DS-3- Assets are formally managed throughout removal, transfers, and disposition
Assets and media shall be disposed of safely.
PR.IP- Information Protection Processes & Procedures
Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
PR.IP-4- Backups of information are conducted, maintained, and tested
Backups of the organization's business-critical data shall be conducted and stored on a system different from the device on which the original data resides.
PR.IP-11- Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
Personnel having access to the organization’s most critical information or technology shall be verified.
PR.MA- Maintenance
Maintenance and repair of industrial control and information system components are performed consistent with policies and procedures.
PR.MA-1- Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
Patches and security updates for operating systems and critical system components shall be installed.
PR.PT- Protective Technology
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
PR.PT-1- Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Logs shall be maintained, documented, and reviewed.
PR.PT-4- Communications and control networks are protected
Web and e-mail filters shall be installed and used.
DE.AE- Anomalies and Events
Anomalous activity is detected, and the potential impact of events is understood.
DE.AE-3- Event data are collected and correlated from multiple sources and sensors
The activity logging functionality of protection/detection hardware or software (e.g. firewalls, anti-virus) shall be enabled, backed up, and reviewed.
DE.CM- Security Continuous Monitoring
The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1- The network is monitored to detect potential cybersecurity events
Firewalls shall be installed and operated on the network boundaries and complemented with firewall protection on the endpoints.
DE.CM-3- Personnel activity is monitored to detect potential cybersecurity events
Endpoint and network protection tools to monitor end-user behaviour for dangerous activity shall be implemented.
DE.CM-4- Malicious code is detected
Anti-virus, anti-spyware, and other anti-malware programs shall be installed and updated.
RS.RP- Response Planning
Response processes and procedures are executed and maintained to ensure response to detected cybersecurity incidents.
RS.RP-1- Response plan is executed during or after an incident
An incident response process, including roles, responsibilities, and authorities, shall be executed during or after an information/cybersecurity event on the organization's critical systems.
RS.CO- Communications
Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
RS.CO-3- Information is shared consistent with response plans
Information/cybersecurity incident information shall be communicated and shared with the organization’s employees in a format that they can understand.
RS.IM- Improvements
Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RC.RP- Recovery Planning
Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
See more requirements in the Anove app!