Secure Controls Framework

SCF Domains & Principles

The SCF organizes 1,400+ controls into 33 logically structured domains — every aspect of cybersecurity and data privacy covered in a single, unified taxonomy. Each domain contains numbered principles so that GOV-03 means the same thing to every organization using the SCF, worldwide.

At a glance: 33 Domains | 1,400+ Controls | 200+ Frameworks Mapped | FREE (Creative Commons)
SCF Domains Overview

All 33 SCF Domains


GOV

Governance

Execute a documented, risk-based program that supports business objectives while encompassing appropriate cybersecurity & data protection principles that address applicable statutory, regulatory and contractual obligations.

AAT

Artificial Intelligence and Autonomous Technology

Ensure trustworthy and resilient Artificial Intelligence (AI) and autonomous technologies to achieve a beneficial impact by informing, advising or simplifying tasks, while minimizing emergent properties or unintended consequences.

AST

Asset Management

Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset's location.

BCD

Business Continuity & Disaster Recovery

Maintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes.

CAP

Cybersecurity Assessment Program

Govern the current and future capacities and performance of technology assets.

CHG

Change Management

Manage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.

CLD

Cloud Security

Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization's own internal cybersecurity & data privacy controls.

CPL

Compliance

Oversee the execution of cybersecurity & data privacy controls to ensure appropriate evidence of required due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations.

CFG

Configuration Management

Enforce secure configurations according to vendor-recommended and industry-recognized secure practices that enforce the concepts of 'least privilege' and 'least functionality' for all systems, applications and services.

MON

Continuous Monitoring

Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.

CRY

Cryptographic Protections

Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive/regulated data both at rest and in transit.

DCH

Data Classification & Handling

Enforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can be followed.

EMB

Embedded Technology

Provide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology.

END

Endpoint Security

Harden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process.

HRS

Human Resources Security

Execute sound hiring practices and ongoing personnel management to cultivate a cybersecurity & data privacy-minded workforce.

IAC

Identity & Access Control

Enforce the concept of 'least privilege' consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.

IRO

Incident Response

Maintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP).

IAO

Information Assurance

Execute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity & data privacy controls, prior to a system, application or service being used in a production environment.

MNT

Maintenance

Proactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties.

MDM

Mobile Device Management

Implement measures to restrict mobile device connectivity with critical infrastructure and sensitive/regulated data that limit the attack surface and potential data exposure from mobile device usage.

NET

Network Security

Architect and implement a secure and resilient defense-in-depth methodology that enforces the concept of 'least functionality' through restricting network access to systems, applications and services.

PES

Physical & Environmental Security

Protect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.

PRI

Data Privacy

Align data privacy practices with industry-recognized data privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.

PRM

Project & Resource Management

Operationalize a viable strategy to achieve cybersecurity & data privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions.

RSK

Risk Management

Proactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold.

SEA

Secure Engineering & Architecture

Utilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services.

OPS

Security Operations

Execute the delivery of cybersecurity & data privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs.

SAT

Security Awareness & Training

Foster a cybersecurity & data privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.

TDA

Technology Development & Acquisition

Develop and/or acquire systems, applications and services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design flaws.

TPM

Third-Party Management

Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery.

THR

Threat Management

Proactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action.

VPM

Vulnerability & Patch Management

Leverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience of systems, applications and services against evolving and sophisticated attack vectors.

WEB

Web Security

Ensure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity.

Universal Control Taxonomy

One Language for Every Organization

The SCF's naming convention is a core feature of the Common Controls Framework™. Every control is identified by a three-letter domain code plus a sequential number — enabling universal, inter-organizational control language that removes ambiguity.

Inter-organizational standardization: GOV-03 means the same thing to your organization as it does to any other SCF user — a vendor, assessor, regulator, or partner. That shared language is uniquely valuable.

Living Control Set (LCS): Domain codes and control numbers are stable even as controls are updated — making version management across GRC tools predictable and reliable.

Anatomy of a control identifier, using GOV-03 as the example:
GOV = 3-letter domain code (identifies the control domain)
03 = numeric sequence (unique within the domain)
GOV-03 = global, universal identifier (same meaning everywhere)
Example Controls
GOV-01: Cybersecurity Program — Executive Oversight
IAC-15: Privileged Account Management (PAM)
NET-06: Network Segmentation & Micro-Segmentation
CRY-03: Encryption of Data at Rest
PRI-08: Data Subject Rights & Consent Management
All 33 Domains. All 1,400+ Controls. Completely Free.

Download the complete SCF and start building your unified cybersecurity control program today.