\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{forest}
\usepackage[margin=1in]{geometry}
\begin{document}
\section*{Organizational Controls}
\subsection*{1. Security Policies, Training, and Awareness}
\subsubsection*{1.1 Security Policy Development Services}
\begin{itemize}
  \item Helps in the development of security policies.
  \item Entrance Criteria: Organization lacks a comprehensive security policy.
  \item NIST Control: PL-1 Policy and Procedures, together with the ``-1'' control of each SP~800-53 family (AC-1, SC-1, \dots), which require a written policy and procedures for that family. (PL-2 is the System Security and Privacy Plan, a system-level document, not a policy control; ``System and Communications Protection Policy and Procedures'' is SC-1.)
\end{itemize}
\subsubsection*{1.2 Security Training and Awareness Program Services}
\begin{itemize}
  \item Offers training to increase cybersecurity awareness.
  \item Entrance Criteria: Employees lack adequate cybersecurity awareness.
  \item NIST Control: AT-2 Literacy Training and Awareness (titled ``Security Awareness Training'' in Rev.~4)
\end{itemize}
\section*{Physical Controls}
\subsection*{2. Physical Security}
\subsubsection*{2.1 Physical Security Assessment Services}
\begin{itemize}
  \item Reviews physical security measures.
  \item Entrance Criteria: Organization has not recently assessed its physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-2 Physical Access Authorizations, PE-6 Monitoring Physical Access, PE-10 Emergency Shutoff
\end{itemize}
\subsubsection*{2.2 Physical Security Design and Implementation Services}
\begin{itemize}
  \item Helps design and implement physical security measures.
  \item Entrance Criteria: Organization lacks sufficient physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-6 Monitoring Physical Access (the controls the implemented measures must satisfy; SP~800-53 has no separate ``design'' control)
\end{itemize}
\section*{Perimeter Controls}
\subsection*{3. Perimeter Defense}
\subsubsection*{3.1 Firewall Management Services}
\begin{itemize}
  \item Manages firewall systems.
  \item Entrance Criteria: Firewall management is not up to date or is unmanaged.
  \item NIST Control: SC-7 Boundary Protection (changes to the rule set fall under CM-3 Configuration Change Management)
\end{itemize}
\subsubsection*{3.2 Intrusion Detection/Prevention System (IDS/IPS) Services}
\begin{itemize}
  \item Monitors network traffic for threats.
  \item Entrance Criteria: No real-time network traffic monitoring is in place.
  \item NIST Control: SI-4 System Monitoring (intrusion detection and prevention are SI-4 capabilities; SI-3 is Malicious Code Protection, and ``System and Information Integrity'' is the name of the SI family, not of a control)
\end{itemize}
\section*{Network Controls}
\subsection*{4. Network Security}
\subsubsection*{4.1 Segmentation Services}
\begin{itemize}
  \item Divides the network into segments.
  \item Entrance Criteria: Network lacks sufficient segmentation.
  \item NIST Control: SC-7 Boundary Protection (SC-7(21) Isolation of System Components for internal segmentation)
\end{itemize}
\subsubsection*{4.2 Network Monitoring Services}
\begin{itemize}
  \item Monitors network activity.
  \item Entrance Criteria: Network activity is not adequately monitored.
  \item NIST Control: SI-4 Information System Monitoring
\end{itemize}
\subsubsection*{4.3 Network Access Control Services}
\begin{itemize}
  \item Controls network access.
  \item Entrance Criteria: Network access control is insufficient or absent.
  \item NIST Controls: AC-3 Access Enforcement, AC-17 Remote Access, AC-18 Wireless Access, IA-3 Device Identification and Authentication (AC-16 Security and Privacy Attributes governs labeling of information and is not an access-control mechanism)
\end{itemize}
\subsubsection*{4.4 Social Engineering Awareness and Training Services}
\begin{itemize}
  \item Increases awareness of social engineering attacks.
  \item Entrance Criteria: Employees lack adequate awareness of social engineering attacks.
  \item NIST Control: AT-2(3) Social Engineering and Mining (Rev.~5 enhancement of AT-2 Literacy Training and Awareness)
\end{itemize}
\section*{Host and Application Controls}
\subsection*{5. Host Security}
\subsubsection*{5.1 Host-Based Security Controls (HBS) Services}
\begin{itemize}
  \item Protects endpoints.
  \item Entrance Criteria: Insufficient host-based security measures.
  \item NIST Controls: SI-3 Malicious Code Protection, SI-7 Software, Firmware, and Information Integrity, SI-2 Flaw Remediation, CM-6 Configuration Settings (host hardening baseline)
\end{itemize}
\subsubsection*{5.2 Patch Management Services}
\begin{itemize}
  \item Manages software security patches.
  \item Entrance Criteria: Software patch management is unorganized or absent.
  \item NIST Control: SI-2 Flaw Remediation (SI-2(2) Automated Flaw Remediation Status for tracking patch state across the fleet)
\end{itemize}
\subsection*{6. Application Security}
\subsubsection*{6.1 Web Application Firewall (WAF) Services}
\begin{itemize}
  \item Protects web applications.
  \item Entrance Criteria: Web applications lack real-time protection.
  \item NIST Controls: SC-7 Boundary Protection, SI-10 Information Input Validation (SC-10 Network Disconnect only terminates idle sessions and does not describe a WAF; a WAF is a compensating control, not a substitute for fixing the application)
\end{itemize}
\subsubsection*{6.2 Secure Coding Practices Services}
\begin{itemize}
  \item Ensures secure coding.
  \item Entrance Criteria: Secure coding practices are not sufficiently implemented.
  \item NIST Controls: SA-15 Development Process, Standards, and Tools (secure coding standards), SA-8 Security and Privacy Engineering Principles; SA-11 Developer Security Testing and Evaluation covers verification of the resulting code
\end{itemize}
\subsubsection*{6.3 Static Code Scanning Services}
\begin{itemize}
  \item Scans source code for weaknesses.
  \item Entrance Criteria: Source code has not been recently or adequately scanned.
  \item NIST Control: SA-11(1) Static Code Analysis
\end{itemize}
\subsubsection*{6.4 Vulnerability Scanning Services}
\begin{itemize}
  \item Scans applications for vulnerabilities.
  \item Entrance Criteria: No recent or comprehensive vulnerability scan has been conducted.
  \item NIST Control: RA-5 Vulnerability Monitoring and Scanning
\end{itemize}
\section*{Identity and Access Management (IAM) Controls}
\subsection*{7. Authentication and Authorization}
\subsubsection*{7.1 Authentication Services}
\begin{itemize}
  \item Verifies user and device identity.
  \item Entrance Criteria: Current authentication methods are weak or insufficient.
  \item NIST Controls: IA-2 Identification and Authentication (Organizational Users), with IA-2(1) and IA-2(2) Multi-factor Authentication; IA-3 Device Identification and Authentication; IA-5 Authenticator Management
\end{itemize}
\subsubsection*{7.2 Authorization Services}
\begin{itemize}
  \item Controls resource access.
  \item Entrance Criteria: Authorization processes lack granularity or are not role-based.
  \item NIST Controls: AC-3 Access Enforcement (AC-3(7) Role-Based Access Control), AC-6 Least Privilege
\end{itemize}
\subsubsection*{7.3 Account Management Services}
\begin{itemize}
  \item Manages user accounts.
  \item Entrance Criteria: User account management processes are inefficient or insecure.
  \item NIST Control: AC-2 Account Management
\end{itemize}
\subsubsection*{7.4 Privileged Access Management Services}
\begin{itemize}
  \item Manages privileged accounts.
  \item Entrance Criteria: Privileged accounts lack sufficient management or auditing.
  \item NIST Controls: AC-6 Least Privilege (AC-6(1) Authorize Access to Security Functions, AC-6(9) Log Use of Privileged Functions), AC-2(7) Privileged User Accounts
\end{itemize}
\section*{Security Incident Response Controls}
\subsection*{8. Incident Management}
\subsubsection*{8.1 Incident Detection and Response Services}
\begin{itemize}
  \item Monitors and responds to incidents.
  \item Entrance Criteria: Incident detection and response measures are insufficient or absent.
  \item NIST Controls: IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reporting
\end{itemize}
\subsubsection*{8.2 Incident Response Plan Development Services}
\begin{itemize}
  \item Develops incident response plans.
  \item Entrance Criteria: Incident response plan is absent or inadequate.
  \item NIST Control: IR-8 Incident Response Plan (the plan should be exercised under IR-3 Incident Response Testing)
\end{itemize}
\section*{Business Continuity and Disaster Recovery (BCDR) Controls}
\subsection*{9. Contingency Planning}
\subsubsection*{9.1 Business Continuity Planning Services}
\begin{itemize}
  \item Develops business continuity plans.
  \item Entrance Criteria: Organization lacks a comprehensive business continuity plan.
  \item NIST Control: CP-2 Contingency Plan
\end{itemize}
\subsubsection*{9.2 Disaster Recovery Planning Services}
\begin{itemize}
  \item Develops disaster recovery plans.
  \item Entrance Criteria: Organization lacks a comprehensive disaster recovery plan.
  \item NIST Controls: CP-2 Contingency Plan, CP-9 System Backup, CP-10 System Recovery and Reconstitution
\end{itemize}
\section*{Advanced Threat Protection Controls}
\subsection*{10. Threat Management}
\subsubsection*{10.1 Endpoint Detection and Response (EDR) Services}
\begin{itemize}
  \item Monitors and protects endpoints.
  \item Entrance Criteria: Insufficient endpoint detection and response measures.
  \item NIST Controls: SI-4 Information System Monitoring, SI-3 Malicious Code Protection
\end{itemize}
\subsubsection*{10.2 Threat Intelligence Services}
\begin{itemize}
  \item Provides information on threats.
  \item Entrance Criteria: Organization lacks updated threat intelligence.
  \item NIST Controls: SI-5 Security Alerts, Advisories, and Directives; PM-16 Threat Awareness Program
\end{itemize}
\section*{Governance, Risk, and Compliance (GRC) Controls}
\subsection*{11. Governance and Risk Management}
\subsubsection*{11.1 IT Governance Services}
\begin{itemize}
  \item Offers strategic IT guidance.
  \item Entrance Criteria: Organization lacks strategic IT governance.
  \item NIST Control: PM-1 Information Security Program Plan and the related PM (Program Management) controls
\end{itemize}
\subsubsection*{11.2 Risk Assessment Services}
\begin{itemize}
  \item Identifies and assesses IT risks.
  \item Entrance Criteria: Comprehensive risk assessment has not been recently conducted.
  \item NIST Control: RA-3 Risk Assessment
\end{itemize}
\section*{Information Security Officers (ISOs) Controls}
\subsection*{12. Security Governance}
\subsubsection*{12.1 Virtual Information Security Officer Services}
\begin{itemize}
  \item Provides security professionals for the ISO role.
  \item Entrance Criteria: Organization lacks a dedicated information security officer or equivalent role.
  \item NIST Control: PM-2 Information Security Program Leadership Role (titled ``Senior Information Security Officer'' in Rev.~4)
\end{itemize}
\end{document}
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{forest}
\usepackage[margin=1in]{geometry}
\begin{document}
\section*{Organizational Controls}
\subsection*{1. Security Policies, Training, and Awareness}
\subsubsection*{1.1 Security Policy Development Services}
\begin{itemize}
  \item Helps in the development of security policies.
  \item Entrance Criteria: Organization lacks a comprehensive security policy.
  \item NIST Control: PL-1 Policy and Procedures, together with the ``-1'' control of each SP~800-53 family (AC-1, SC-1, \dots), which require a written policy and procedures for that family. (PL-2 is the System Security and Privacy Plan, a system-level document, not a policy control; ``System and Communications Protection Policy and Procedures'' is SC-1.)
\end{itemize}
\subsubsection*{1.2 Security Training and Awareness Program Services}
\begin{itemize}
  \item Offers training to increase cybersecurity awareness.
  \item Entrance Criteria: Employees lack adequate cybersecurity awareness.
  \item NIST Control: AT-2 Literacy Training and Awareness (titled ``Security Awareness Training'' in Rev.~4)
\end{itemize}
\section*{Physical Controls}
\subsection*{2. Physical Security}
\subsubsection*{2.1 Physical Security Assessment Services}
\begin{itemize}
  \item Reviews physical security measures.
  \item Entrance Criteria: Organization has not recently assessed its physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-2 Physical Access Authorizations, PE-6 Monitoring Physical Access, PE-10 Emergency Shutoff
\end{itemize}
\subsubsection*{2.2 Physical Security Design and Implementation Services}
\begin{itemize}
  \item Helps design and implement physical security measures.
  \item Entrance Criteria: Organization lacks sufficient physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-6 Monitoring Physical Access (the controls the implemented measures must satisfy; SP~800-53 has no separate ``design'' control)
\end{itemize}
\section*{Perimeter Controls}
\subsection*{3. Perimeter Defense}
\subsubsection*{3.1 Firewall Management Services}
\begin{itemize}
  \item Manages firewall systems.
  \item Entrance Criteria: Firewall management is not up to date or is unmanaged.
  \item NIST Control: SC-7 Boundary Protection (changes to the rule set fall under CM-3 Configuration Change Management)
\end{itemize}
\subsubsection*{3.2 Intrusion Detection/Prevention System (IDS/IPS) Services}
\begin{itemize}
  \item Monitors network traffic for threats.
  \item Entrance Criteria: No real-time network traffic monitoring is in place.
  \item NIST Control: SI-4 System Monitoring (intrusion detection and prevention are SI-4 capabilities; SI-3 is Malicious Code Protection, and ``System and Information Integrity'' is the name of the SI family, not of a control)
\end{itemize}
\section*{Network Controls}
\subsection*{4. Network Security}
\subsubsection*{4.1 Segmentation Services}
\begin{itemize}
  \item Divides the network into segments.
  \item Entrance Criteria: Network lacks sufficient segmentation.
  \item NIST Control: SC-7 Boundary Protection (SC-7(21) Isolation of System Components for internal segmentation)
\end{itemize}
\subsubsection*{4.2 Network Monitoring Services}
\begin{itemize}
  \item Monitors network activity.
  \item Entrance Criteria: Network activity is not adequately monitored.
  \item NIST Control: SI-4 Information System Monitoring
\end{itemize}
\subsubsection*{4.3 Network Access Control Services}
\begin{itemize}
  \item Controls network access.
  \item Entrance Criteria: Network access control is insufficient or absent.
  \item NIST Controls: AC-3 Access Enforcement, AC-17 Remote Access, AC-18 Wireless Access, IA-3 Device Identification and Authentication (AC-16 Security and Privacy Attributes governs labeling of information and is not an access-control mechanism)
\end{itemize}
\subsubsection*{4.4 Social Engineering Awareness and Training Services}
\begin{itemize}
  \item Increases awareness of social engineering attacks.
  \item Entrance Criteria: Employees lack adequate awareness of social engineering attacks.
  \item NIST Control: AT-2(3) Social Engineering and Mining (Rev.~5 enhancement of AT-2 Literacy Training and Awareness)
\end{itemize}
\section*{Host and Application Controls}
\subsection*{5. Host Security}
\subsubsection*{5.1 Host-Based Security Controls (HBS) Services}
\begin{itemize}
  \item Protects endpoints.
  \item Entrance Criteria: Insufficient host-based security measures.
  \item NIST Controls: SI-3 Malicious Code Protection, SI-7 Software, Firmware, and Information Integrity, SI-2 Flaw Remediation, CM-6 Configuration Settings (host hardening baseline)
\end{itemize}
\subsubsection*{5.2 Patch Management Services}
\begin{itemize}
  \item Manages software security patches.
  \item Entrance Criteria: Software patch management is unorganized or absent.
  \item NIST Control: SI-2 Flaw Remediation (SI-2(2) Automated Flaw Remediation Status for tracking patch state across the fleet)
\end{itemize}
\subsection*{6. Application Security}
\subsubsection*{6.1 Web Application Firewall (WAF) Services}
\begin{itemize}
  \item Protects web applications.
  \item Entrance Criteria: Web applications lack real-time protection.
  \item NIST Controls: SC-7 Boundary Protection, SI-10 Information Input Validation (SC-10 Network Disconnect only terminates idle sessions and does not describe a WAF; a WAF is a compensating control, not a substitute for fixing the application)
\end{itemize}
\subsubsection*{6.2 Secure Coding Practices Services}
\begin{itemize}
  \item Ensures secure coding.
  \item Entrance Criteria: Secure coding practices are not sufficiently implemented.
  \item NIST Controls: SA-15 Development Process, Standards, and Tools (secure coding standards), SA-8 Security and Privacy Engineering Principles; SA-11 Developer Security Testing and Evaluation covers verification of the resulting code
\end{itemize}
\subsubsection*{6.3 Static Code Scanning Services}
\begin{itemize}
  \item Scans source code for weaknesses.
  \item Entrance Criteria: Source code has not been recently or adequately scanned.
  \item NIST Control: SA-11(1) Static Code Analysis
\end{itemize}
\subsubsection*{6.4 Vulnerability Scanning Services}
\begin{itemize}
  \item Scans applications for vulnerabilities.
  \item Entrance Criteria: No recent or comprehensive vulnerability scan has been conducted.
  \item NIST Control: RA-5 Vulnerability Monitoring and Scanning
\end{itemize}
\section*{Identity and Access Management (IAM) Controls}
\subsection*{7. Authentication and Authorization}
\subsubsection*{7.1 Authentication Services}
\begin{itemize}
  \item Verifies user and device identity.
  \item Entrance Criteria: Current authentication methods are weak or insufficient.
  \item NIST Controls: IA-2 Identification and Authentication (Organizational Users), with IA-2(1) and IA-2(2) Multi-factor Authentication; IA-3 Device Identification and Authentication; IA-5 Authenticator Management
\end{itemize}
\subsubsection*{7.2 Authorization Services}
\begin{itemize}
  \item Controls resource access.
  \item Entrance Criteria: Authorization processes lack granularity or are not role-based.
  \item NIST Controls: AC-3 Access Enforcement (AC-3(7) Role-Based Access Control), AC-6 Least Privilege
\end{itemize}
\subsubsection*{7.3 Account Management Services}
\begin{itemize}
  \item Manages user accounts.
  \item Entrance Criteria: User account management processes are inefficient or insecure.
  \item NIST Control: AC-2 Account Management
\end{itemize}
\subsubsection*{7.4 Privileged Access Management Services}
\begin{itemize}
  \item Manages privileged accounts.
  \item Entrance Criteria: Privileged accounts lack sufficient management or auditing.
  \item NIST Controls: AC-6 Least Privilege (AC-6(1) Authorize Access to Security Functions, AC-6(9) Log Use of Privileged Functions), AC-2(7) Privileged User Accounts
\end{itemize}
\section*{Security Incident Response Controls}
\subsection*{8. Incident Management}
\subsubsection*{8.1 Incident Detection and Response Services}
\begin{itemize}
  \item Monitors and responds to incidents.
  \item Entrance Criteria: Incident detection and response measures are insufficient or absent.
  \item NIST Controls: IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reporting
\end{itemize}
\subsubsection*{8.2 Incident Response Plan Development Services}
\begin{itemize}
  \item Develops incident response plans.
  \item Entrance Criteria: Incident response plan is absent or inadequate.
  \item NIST Control: IR-8 Incident Response Plan (the plan should be exercised under IR-3 Incident Response Testing)
\end{itemize}
\section*{Business Continuity and Disaster Recovery (BCDR) Controls}
\subsection*{9. Contingency Planning}
\subsubsection*{9.1 Business Continuity Planning Services}
\begin{itemize}
  \item Develops business continuity plans.
  \item Entrance Criteria: Organization lacks a comprehensive business continuity plan.
  \item NIST Control: CP-2 Contingency Plan
\end{itemize}
\subsubsection*{9.2 Disaster Recovery Planning Services}
\begin{itemize}
  \item Develops disaster recovery plans.
  \item Entrance Criteria: Organization lacks a comprehensive disaster recovery plan.
  \item NIST Controls: CP-2 Contingency Plan, CP-9 System Backup, CP-10 System Recovery and Reconstitution
\end{itemize}
\section*{Advanced Threat Protection Controls}
\subsection*{10. Threat Management}
\subsubsection*{10.1 Endpoint Detection and Response (EDR) Services}
\begin{itemize}
  \item Monitors and protects endpoints.
  \item Entrance Criteria: Insufficient endpoint detection and response measures.
  \item NIST Controls: SI-4 Information System Monitoring, SI-3 Malicious Code Protection
\end{itemize}
\subsubsection*{10.2 Threat Intelligence Services}
\begin{itemize}
  \item Provides information on threats.
  \item Entrance Criteria: Organization lacks updated threat intelligence.
  \item NIST Controls: SI-5 Security Alerts, Advisories, and Directives; PM-16 Threat Awareness Program
\end{itemize}
\section*{Governance, Risk, and Compliance (GRC) Controls}
\subsection*{11. Governance and Risk Management}
\subsubsection*{11.1 IT Governance Services}
\begin{itemize}
  \item Offers strategic IT guidance.
  \item Entrance Criteria: Organization lacks strategic IT governance.
  \item NIST Control: PM-1 Information Security Program Plan and the related PM (Program Management) controls
\end{itemize}
\subsubsection*{11.2 Risk Assessment Services}
\begin{itemize}
  \item Identifies and assesses IT risks.
  \item Entrance Criteria: Comprehensive risk assessment has not been recently conducted.
  \item NIST Control: RA-3 Risk Assessment
\end{itemize}
\section*{Information Security Officers (ISOs) Controls}
\subsection*{12. Security Governance}
\subsubsection*{12.1 Virtual Information Security Officer Services}
\begin{itemize}
  \item Provides security professionals for the ISO role.
  \item Entrance Criteria: Organization lacks a dedicated information security officer or equivalent role.
  \item NIST Control: PM-2 Information Security Program Leadership Role (titled ``Senior Information Security Officer'' in Rev.~4)
\end{itemize}
\end{document}
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{forest}
\usepackage[margin=1in]{geometry}
\begin{document}
\section*{Organizational Controls}
\subsection*{1. Security Policies, Training, and Awareness}
\subsubsection*{1.1 Security Policy Development Services}
\begin{itemize}
  \item Helps in the development of security policies.
  \item Entrance Criteria: Organization lacks a comprehensive security policy.
  \item NIST Control: PL-1 Policy and Procedures, together with the ``-1'' control of each SP~800-53 family (AC-1, SC-1, \dots), which require a written policy and procedures for that family. (PL-2 is the System Security and Privacy Plan, a system-level document, not a policy control; ``System and Communications Protection Policy and Procedures'' is SC-1.)
\end{itemize}
\subsubsection*{1.2 Security Training and Awareness Program Services}
\begin{itemize}
  \item Offers training to increase cybersecurity awareness.
  \item Entrance Criteria: Employees lack adequate cybersecurity awareness.
  \item NIST Control: AT-2 Literacy Training and Awareness (titled ``Security Awareness Training'' in Rev.~4)
\end{itemize}
\section*{Physical Controls}
\subsection*{2. Physical Security}
\subsubsection*{2.1 Physical Security Assessment Services}
\begin{itemize}
  \item Reviews physical security measures.
  \item Entrance Criteria: Organization has not recently assessed its physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-2 Physical Access Authorizations, PE-6 Monitoring Physical Access, PE-10 Emergency Shutoff
\end{itemize}
\subsubsection*{2.2 Physical Security Design and Implementation Services}
\begin{itemize}
  \item Helps design and implement physical security measures.
  \item Entrance Criteria: Organization lacks sufficient physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-6 Monitoring Physical Access (the controls the implemented measures must satisfy; SP~800-53 has no separate ``design'' control)
\end{itemize}
\section*{Perimeter Controls}
\subsection*{3. Perimeter Defense}
\subsubsection*{3.1 Firewall Management Services}
\begin{itemize}
  \item Manages firewall systems.
  \item Entrance Criteria: Firewall management is not up to date or is unmanaged.
  \item NIST Control: SC-7 Boundary Protection (changes to the rule set fall under CM-3 Configuration Change Management)
\end{itemize}
\subsubsection*{3.2 Intrusion Detection/Prevention System (IDS/IPS) Services}
\begin{itemize}
  \item Monitors network traffic for threats.
  \item Entrance Criteria: No real-time network traffic monitoring is in place.
  \item NIST Control: SI-4 System Monitoring (intrusion detection and prevention are SI-4 capabilities; SI-3 is Malicious Code Protection, and ``System and Information Integrity'' is the name of the SI family, not of a control)
\end{itemize}
\section*{Network Controls}
\subsection*{4. Network Security}
\subsubsection*{4.1 Segmentation Services}
\begin{itemize}
  \item Divides the network into segments.
  \item Entrance Criteria: Network lacks sufficient segmentation.
  \item NIST Control: SC-7 Boundary Protection (SC-7(21) Isolation of System Components for internal segmentation)
\end{itemize}
\subsubsection*{4.2 Network Monitoring Services}
\begin{itemize}
  \item Monitors network activity.
  \item Entrance Criteria: Network activity is not adequately monitored.
  \item NIST Control: SI-4 Information System Monitoring
\end{itemize}
\subsubsection*{4.3 Network Access Control Services}
\begin{itemize}
  \item Controls network access.
  \item Entrance Criteria: Network access control is insufficient or absent.
  \item NIST Controls: AC-3 Access Enforcement, AC-17 Remote Access, AC-18 Wireless Access, IA-3 Device Identification and Authentication (AC-16 Security and Privacy Attributes governs labeling of information and is not an access-control mechanism)
\end{itemize}
\subsubsection*{4.4 Social Engineering Awareness and Training Services}
\begin{itemize}
  \item Increases awareness of social engineering attacks.
  \item Entrance Criteria: Employees lack adequate awareness of social engineering attacks.
  \item NIST Control: AT-2(3) Social Engineering and Mining (Rev.~5 enhancement of AT-2 Literacy Training and Awareness)
\end{itemize}
\section*{Host and Application Controls}
\subsection*{5. Host Security}
\subsubsection*{5.1 Host-Based Security Controls (HBS) Services}
\begin{itemize}
  \item Protects endpoints.
  \item Entrance Criteria: Insufficient host-based security measures.
  \item NIST Controls: SI-3 Malicious Code Protection, SI-7 Software, Firmware, and Information Integrity, SI-2 Flaw Remediation, CM-6 Configuration Settings (host hardening baseline)
\end{itemize}
\subsubsection*{5.2 Patch Management Services}
\begin{itemize}
  \item Manages software security patches.
  \item Entrance Criteria: Software patch management is unorganized or absent.
  \item NIST Control: SI-2 Flaw Remediation (SI-2(2) Automated Flaw Remediation Status for tracking patch state across the fleet)
\end{itemize}
\subsection*{6. Application Security}
\subsubsection*{6.1 Web Application Firewall (WAF) Services}
\begin{itemize}
  \item Protects web applications.
  \item Entrance Criteria: Web applications lack real-time protection.
  \item NIST Controls: SC-7 Boundary Protection, SI-10 Information Input Validation (SC-10 Network Disconnect only terminates idle sessions and does not describe a WAF; a WAF is a compensating control, not a substitute for fixing the application)
\end{itemize}
\subsubsection*{6.2 Secure Coding Practices Services}
\begin{itemize}
  \item Ensures secure coding.
  \item Entrance Criteria: Secure coding practices are not sufficiently implemented.
  \item NIST Controls: SA-15 Development Process, Standards, and Tools (secure coding standards), SA-8 Security and Privacy Engineering Principles; SA-11 Developer Security Testing and Evaluation covers verification of the resulting code
\end{itemize}
\subsubsection*{6.3 Static Code Scanning Services}
\begin{itemize}
  \item Scans source code for weaknesses.
  \item Entrance Criteria: Source code has not been recently or adequately scanned.
  \item NIST Control: SA-11(1) Static Code Analysis
\end{itemize}
\subsubsection*{6.4 Vulnerability Scanning Services}
\begin{itemize}
  \item Scans applications for vulnerabilities.
  \item Entrance Criteria: No recent or comprehensive vulnerability scan has been conducted.
  \item NIST Control: RA-5 Vulnerability Monitoring and Scanning
\end{itemize}
\section*{Identity and Access Management (IAM) Controls}
\subsection*{7. Authentication and Authorization}
\subsubsection*{7.1 Authentication Services}
\begin{itemize}
  \item Verifies user and device identity.
  \item Entrance Criteria: Current authentication methods are weak or insufficient.
  \item NIST Controls: IA-2 Identification and Authentication (Organizational Users), with IA-2(1) and IA-2(2) Multi-factor Authentication; IA-3 Device Identification and Authentication; IA-5 Authenticator Management
\end{itemize}
\subsubsection*{7.2 Authorization Services}
\begin{itemize}
  \item Controls resource access.
  \item Entrance Criteria: Authorization processes lack granularity or are not role-based.
  \item NIST Controls: AC-3 Access Enforcement (AC-3(7) Role-Based Access Control), AC-6 Least Privilege
\end{itemize}
\subsubsection*{7.3 Account Management Services}
\begin{itemize}
  \item Manages user accounts.
  \item Entrance Criteria: User account management processes are inefficient or insecure.
  \item NIST Control: AC-2 Account Management
\end{itemize}
\subsubsection*{7.4 Privileged Access Management Services}
\begin{itemize}
  \item Manages privileged accounts.
  \item Entrance Criteria: Privileged accounts lack sufficient management or auditing.
  \item NIST Controls: AC-6 Least Privilege (AC-6(1) Authorize Access to Security Functions, AC-6(9) Log Use of Privileged Functions), AC-2(7) Privileged User Accounts
\end{itemize}
\section*{Security Incident Response Controls}
\subsection*{8. Incident Management}
\subsubsection*{8.1 Incident Detection and Response Services}
\begin{itemize}
  \item Monitors and responds to incidents.
  \item Entrance Criteria: Incident detection and response measures are insufficient or absent.
  \item NIST Controls: IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reporting
\end{itemize}
\subsubsection*{8.2 Incident Response Plan Development Services}
\begin{itemize}
  \item Develops incident response plans.
  \item Entrance Criteria: Incident response plan is absent or inadequate.
  \item NIST Control: IR-8 Incident Response Plan (the plan should be exercised under IR-3 Incident Response Testing)
\end{itemize}
\section*{Business Continuity and Disaster Recovery (BCDR) Controls}
\subsection*{9. Contingency Planning}
\subsubsection*{9.1 Business Continuity Planning Services}
\begin{itemize}
  \item Develops business continuity plans.
  \item Entrance Criteria: Organization lacks a comprehensive business continuity plan.
  \item NIST Control: CP-2 Contingency Plan
\end{itemize}
\subsubsection*{9.2 Disaster Recovery Planning Services}
\begin{itemize}
  \item Develops disaster recovery plans.
  \item Entrance Criteria: Organization lacks a comprehensive disaster recovery plan.
  \item NIST Controls: CP-2 Contingency Plan, CP-9 System Backup, CP-10 System Recovery and Reconstitution
\end{itemize}
\section*{Advanced Threat Protection Controls}
\subsection*{10. Threat Management}
\subsubsection*{10.1 Endpoint Detection and Response (EDR) Services}
\begin{itemize}
  \item Monitors and protects endpoints.
  \item Entrance Criteria: Insufficient endpoint detection and response measures.
  \item NIST Controls: SI-4 Information System Monitoring, SI-3 Malicious Code Protection
\end{itemize}
\subsubsection*{10.2 Threat Intelligence Services}
\begin{itemize}
  \item Provides information on threats.
  \item Entrance Criteria: Organization lacks updated threat intelligence.
  \item NIST Controls: SI-5 Security Alerts, Advisories, and Directives; PM-16 Threat Awareness Program
\end{itemize}
\section*{Governance, Risk, and Compliance (GRC) Controls}
\subsection*{11. Governance and Risk Management}
\subsubsection*{11.1 IT Governance Services}
\begin{itemize}
  \item Offers strategic IT guidance.
  \item Entrance Criteria: Organization lacks strategic IT governance.
  \item NIST Control: PM-1 Information Security Program Plan and the related PM (Program Management) controls
\end{itemize}
\subsubsection*{11.2 Risk Assessment Services}
\begin{itemize}
  \item Identifies and assesses IT risks.
  \item Entrance Criteria: Comprehensive risk assessment has not been recently conducted.
  \item NIST Control: RA-3 Risk Assessment
\end{itemize}
\section*{Information Security Officers (ISOs) Controls}
\subsection*{12. Security Governance}
\subsubsection*{12.1 Virtual Information Security Officer Services}
\begin{itemize}
  \item Provides security professionals for the ISO role.
  \item Entrance Criteria: Organization lacks a dedicated information security officer or equivalent role.
  \item NIST Control: PM-2 Information Security Program Leadership Role (titled ``Senior Information Security Officer'' in Rev.~4)
\end{itemize}
\end{document}
\documentclass{article}
\usepackage[utf8]{inputenc}
\usepackage{forest}
\usepackage[margin=1in]{geometry}
\begin{document}
\section*{Organizational Controls}
\subsection*{1. Security Policies, Training, and Awareness}
\subsubsection*{1.1 Security Policy Development Services}
\begin{itemize}
  \item Helps in the development of security policies.
  \item Entrance Criteria: Organization lacks a comprehensive security policy.
  \item NIST Control: PL-1 Policy and Procedures, together with the ``-1'' control of each SP~800-53 family (AC-1, SC-1, \dots), which require a written policy and procedures for that family. (PL-2 is the System Security and Privacy Plan, a system-level document, not a policy control; ``System and Communications Protection Policy and Procedures'' is SC-1.)
\end{itemize}
\subsubsection*{1.2 Security Training and Awareness Program Services}
\begin{itemize}
  \item Offers training to increase cybersecurity awareness.
  \item Entrance Criteria: Employees lack adequate cybersecurity awareness.
  \item NIST Control: AT-2 Literacy Training and Awareness (titled ``Security Awareness Training'' in Rev.~4)
\end{itemize}
\section*{Physical Controls}
\subsection*{2. Physical Security}
\subsubsection*{2.1 Physical Security Assessment Services}
\begin{itemize}
  \item Reviews physical security measures.
  \item Entrance Criteria: Organization has not recently assessed its physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-2 Physical Access Authorizations, PE-6 Monitoring Physical Access, PE-10 Emergency Shutoff
\end{itemize}
\subsubsection*{2.2 Physical Security Design and Implementation Services}
\begin{itemize}
  \item Helps design and implement physical security measures.
  \item Entrance Criteria: Organization lacks sufficient physical security measures.
  \item NIST Controls: PE-3 Physical Access Control, PE-6 Monitoring Physical Access (the controls the implemented measures must satisfy; SP~800-53 has no separate ``design'' control)
\end{itemize}
\section*{Perimeter Controls}
\subsection*{3. Perimeter Defense}
\subsubsection*{3.1 Firewall Management Services}
\begin{itemize}
  \item Manages firewall systems.
  \item Entrance Criteria: Firewall management is not up to date or is unmanaged.
  \item NIST Control: SC-7 Boundary Protection (changes to the rule set fall under CM-3 Configuration Change Management)
\end{itemize}
\subsubsection*{3.2 Intrusion Detection/Prevention System (IDS/IPS) Services}
\begin{itemize}
  \item Monitors network traffic for threats.
  \item Entrance Criteria: No real-time network traffic monitoring is in place.
  \item NIST Control: SI-4 System Monitoring (intrusion detection and prevention are SI-4 capabilities; SI-3 is Malicious Code Protection, and ``System and Information Integrity'' is the name of the SI family, not of a control)
\end{itemize}
\section*{Network Controls}
\subsection*{4. Network Security}
\subsubsection*{4.1 Segmentation Services}
\begin{itemize}
  \item Divides the network into segments.
  \item Entrance Criteria: Network lacks sufficient segmentation.
  \item NIST Control: SC-7 Boundary Protection (SC-7(21) Isolation of System Components for internal segmentation)
\end{itemize}
\subsubsection*{4.2 Network Monitoring Services}
\begin{itemize}
  \item Monitors network activity.
  \item Entrance Criteria: Network activity is not adequately monitored.
  \item NIST Control: SI-4 Information System Monitoring
\end{itemize}
\subsubsection*{4.3 Network Access Control Services}
\begin{itemize}
  \item Controls network access.
  \item Entrance Criteria: Network access control is insufficient or absent.
  \item NIST Controls: AC-3 Access Enforcement, AC-17 Remote Access, AC-18 Wireless Access, IA-3 Device Identification and Authentication (AC-16 Security and Privacy Attributes governs labeling of information and is not an access-control mechanism)
\end{itemize}
\subsubsection*{4.4 Social Engineering Awareness and Training Services}
\begin{itemize}
  \item Increases awareness of social engineering attacks.
  \item Entrance Criteria: Employees lack adequate awareness of social engineering attacks.
  \item NIST Control: AT-2(3) Social Engineering and Mining (Rev.~5 enhancement of AT-2 Literacy Training and Awareness)
\end{itemize}
\section*{Host and Application Controls}
\subsection*{5. Host Security}
\subsubsection*{5.1 Host-Based Security Controls (HBS) Services}
\begin{itemize}
  \item Protects endpoints.
  \item Entrance Criteria: Insufficient host-based security measures.
  \item NIST Controls: SI-3 Malicious Code Protection, SI-7 Software, Firmware, and Information Integrity, SI-2 Flaw Remediation, CM-6 Configuration Settings (host hardening baseline)
\end{itemize}
\subsubsection*{5.2 Patch Management Services}
\begin{itemize}
  \item Manages software security patches.
  \item Entrance Criteria: Software patch management is unorganized or absent.
  \item NIST Control: SI-2 Flaw Remediation (SI-2(2) Automated Flaw Remediation Status for tracking patch state across the fleet)
\end{itemize}
\subsection*{6. Application Security}
\subsubsection*{6.1 Web Application Firewall (WAF) Services}
\begin{itemize}
  \item Protects web applications.
  \item Entrance Criteria: Web applications lack real-time protection.
  \item NIST Controls: SC-7 Boundary Protection, SI-10 Information Input Validation (SC-10 Network Disconnect only terminates idle sessions and does not describe a WAF; a WAF is a compensating control, not a substitute for fixing the application)
\end{itemize}
\subsubsection*{6.2 Secure Coding Practices Services}
\begin{itemize}
  \item Ensures secure coding.
  \item Entrance Criteria: Secure coding practices are not sufficiently implemented.
  \item NIST Controls: SA-15 Development Process, Standards, and Tools (secure coding standards), SA-8 Security and Privacy Engineering Principles; SA-11 Developer Security Testing and Evaluation covers verification of the resulting code
\end{itemize}
\subsubsection*{6.3 Static Code Scanning Services}
\begin{itemize}
  \item Scans source code for weaknesses.
  \item Entrance Criteria: Source code has not been recently or adequately scanned.
  \item NIST Control: SA-11(1) Static Code Analysis
\end{itemize}
\subsubsection*{6.4 Vulnerability Scanning Services}
\begin{itemize}
  \item Scans applications for vulnerabilities.
  \item Entrance Criteria: No recent or comprehensive vulnerability scan has been conducted.
  \item NIST Control: RA-5 Vulnerability Monitoring and Scanning
\end{itemize}
\section*{Identity and Access Management (IAM) Controls}
\subsection*{7. Authentication and Authorization}
\subsubsection*{7.1 Authentication Services}
\begin{itemize}
  \item Verifies user and device identity.
  \item Entrance Criteria: Current authentication methods are weak or insufficient.
  \item NIST Controls: IA-2 Identification and Authentication (Organizational Users), with IA-2(1) and IA-2(2) Multi-factor Authentication; IA-3 Device Identification and Authentication; IA-5 Authenticator Management
\end{itemize}
\subsubsection*{7.2 Authorization Services}
\begin{itemize}
  \item Controls resource access.
  \item Entrance Criteria: Authorization processes lack granularity or are not role-based.
  \item NIST Controls: AC-3 Access Enforcement (AC-3(7) Role-Based Access Control), AC-6 Least Privilege
\end{itemize}
\subsubsection*{7.3 Account Management Services}
\begin{itemize}
  \item Manages user accounts.
  \item Entrance Criteria: User account management processes are inefficient or insecure.
  \item NIST Control: AC-2 Account Management
\end{itemize}
\subsubsection*{7.4 Privileged Access Management Services}
\begin{itemize}
  \item Manages privileged accounts.
  \item Entrance Criteria: Privileged accounts lack sufficient management or auditing.
  \item NIST Controls: AC-6 Least Privilege (AC-6(1) Authorize Access to Security Functions, AC-6(9) Log Use of Privileged Functions), AC-2(7) Privileged User Accounts
\end{itemize}
\section*{Security Incident Response Controls}
\subsection*{8. Incident Management}
\subsubsection*{8.1 Incident Detection and Response Services}
\begin{itemize}
  \item Monitors and responds to incidents.
  \item Entrance Criteria: Incident detection and response measures are insufficient or absent.
  \item NIST Controls: IR-4 Incident Handling, IR-5 Incident Monitoring, IR-6 Incident Reporting
\end{itemize}
\subsubsection*{8.2 Incident Response Plan Development Services}
\begin{itemize}
  \item Develops incident response plans.
  \item Entrance Criteria: Incident response plan is absent or inadequate.
  \item NIST Control: IR-8 Incident Response Plan (the plan should be exercised under IR-3 Incident Response Testing)
\end{itemize}
\section*{Business Continuity and Disaster Recovery (BCDR) Controls}
\subsection*{9. Contingency Planning}
\subsubsection*{9.1 Business Continuity Planning Services}
\begin{itemize}
  \item Develops business continuity plans.
  \item Entrance Criteria: Organization lacks a comprehensive business continuity plan.
  \item NIST Control: CP-2 Contingency Plan
\end{itemize}
\subsubsection*{9.2 Disaster Recovery Planning Services}
\begin{itemize}
  \item Develops disaster recovery plans.
  \item Entrance Criteria: Organization lacks a comprehensive disaster recovery plan.
  \item NIST Controls: CP-2 Contingency Plan, CP-9 System Backup, CP-10 System Recovery and Reconstitution
\end{itemize}
\section*{Advanced Threat Protection Controls}
\subsection*{10. Threat Management}
\subsubsection*{10.1 Endpoint Detection and Response (EDR) Services}
\begin{itemize}
  \item Monitors and protects endpoints.
  \item Entrance Criteria: Insufficient endpoint detection and response measures.
  \item NIST Controls: SI-4 Information System Monitoring, SI-3 Malicious Code Protection
\end{itemize}
\subsubsection*{10.2 Threat Intelligence Services}
\begin{itemize}
  \item Provides information on threats.
  \item Entrance Criteria: Organization lacks updated threat intelligence.
  \item NIST Controls: SI-5 Security Alerts, Advisories, and Directives; PM-16 Threat Awareness Program
\end{itemize}
\section*{Governance, Risk, and Compliance (GRC) Controls}
\subsection*{11. Governance and Risk Management}
\subsubsection*{11.1 IT Governance Services}
\begin{itemize}
  \item Offers strategic IT guidance.
  \item Entrance Criteria: Organization lacks strategic IT governance.
  \item NIST Control: PM-1 Information Security Program Plan and the related PM (Program Management) controls
\end{itemize}
\subsubsection*{11.2 Risk Assessment Services}
\begin{itemize}
  \item Identifies and assesses IT risks.
  \item Entrance Criteria: Comprehensive risk assessment has not been recently conducted.
  \item NIST Control: RA-3 Risk Assessment
\end{itemize}
\section*{Information Security Officers (ISOs) Controls}
\subsection*{12. Security Governance}
\subsubsection*{12.1 Virtual Information Security Officer Services}
\begin{itemize}
  \item Provides security professionals for the ISO role.
  \item Entrance Criteria: Organization lacks a dedicated information security officer or equivalent role.
  \item NIST Control: PM-2 Information Security Program Leadership Role (titled ``Senior Information Security Officer'' in Rev.~4)
\end{itemize}
\end{document}