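---
# ASF Baseline library: a catalogue of 25 reference controls plus a flat
# 14-domain framework whose nodes map onto those controls.
# Format looks like the CISO Assistant library schema (this page is a fork of
# intuitem/ciso-assistant-community) — confirm field semantics against the
# loader's schema before relying on them.
urn: urn:intuitem:risk:library:asf-baseline-v2
locale: en
ref_id: ASF-Baseline
name: Agile Security Framework - Baseline
description: Quick overview of essential security domains - holistic baseline for
  custom framework
copyright: "\xA9 intuitem"
version: 1
provider: intuitem
packager: intuitem
objects:
  # Every control urn below is lowercase (asf-rec-NN). The requirement nodes in
  # `framework` reference controls by this exact urn, so the two spellings must
  # agree; an exact-match resolver would otherwise leave the node unmapped.
  reference_controls:
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-01
      ref_id: ASF-REC-01
      category: process
      description: Risk assessment framework
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-02
      ref_id: ASF-REC-02
      category: technical
      description: EDR deployment
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-03
      ref_id: ASF-REC-03
      category: physical
      description: Facility surveillance
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-04
      ref_id: ASF-REC-04
      category: policy
      description: IAM/PAM Policy
    # ASF-REC-05 is declared but not referenced by any requirement node below
    # (the same holds for ASF-REC-15 and ASF-REC-19) — confirm whether this is
    # intended or a missing mapping.
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-05
      ref_id: ASF-REC-05
      category: technical
      description: Immutable backups
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-06
      ref_id: ASF-REC-06
      category: technical
      description: SAST
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-07
      ref_id: ASF-REC-07
      category: technical
      description: SCA
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-08
      ref_id: ASF-REC-08
      category: technical
      description: DAST/IAST
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-09
      ref_id: ASF-REC-09
      category: process
      description: TPRM Framework
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-10
      ref_id: ASF-REC-10
      category: technical
      description: CMDB
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-11
      ref_id: ASF-REC-11
      category: technical
      description: Network Segmentation and Isolation
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-12
      ref_id: ASF-REC-12
      category: policy
      description: Data Retention and Destruction Policy
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-13
      ref_id: ASF-REC-13
      category: technical
      description: Multi-factor Authentication (MFA) Implementation
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-14
      ref_id: ASF-REC-14
      category: process
      description: Incident Response Plan
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-15
      ref_id: ASF-REC-15
      category: technical
      description: Application Whitelisting
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-16
      ref_id: ASF-REC-16
      category: physical
      description: Biometric Access Controls
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-17
      ref_id: ASF-REC-17
      category: process
      description: Regular Security Awareness Training
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-18
      ref_id: ASF-REC-18
      category: technical
      description: Email Security Gateway
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-19
      ref_id: ASF-REC-19
      category: policy
      description: BYOD (Bring Your Own Device) Policy
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-20
      ref_id: ASF-REC-20
      category: technical
      description: Cloud Access Security Broker (CASB)
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-21
      ref_id: ASF-REC-21
      category: technical
      description: Compute Vulnerability scanner
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-22
      ref_id: ASF-REC-22
      category: process
      description: Vulnerabilities triage and review
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-23
      ref_id: ASF-REC-23
      category: technical
      description: Web Application Firewall (WAF)
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-24
      ref_id: ASF-REC-24
      category: technical
      description: Secure Coding Training - Tooling and practices
    - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-25
      ref_id: ASF-REC-25
      category: process
      description: Third parties compliance questionnaire
  framework:
    urn: urn:intuitem:risk:framework:asf-baseline-v2
    ref_id: ASF-Baseline
    name: Agile Security Framework - Baseline
    description: Quick overview of essential security domains - holistic baseline
      for custom framework
    # All nodes are top-level (depth 1) and assessable. ref_id is quoted on
    # every node so that '08' and '09' stay strings under a YAML 1.2 resolver
    # (which would read unquoted 08/09 as the integer 8/9) and match the
    # zero-padded string form of the other nodes.
    requirement_nodes:
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:01
        assessable: true
        depth: 1
        ref_id: '01'
        name: Risk, Governance and Regulation
        description: Risk analysis, assigned personnel, management involvement, regulatory
          framework identification, independent audit
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-01
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:02
        assessable: true
        depth: 1
        ref_id: '02'
        name: Inventory
        description: Hardware and software components listed, regular controls and audits,
          lifecycle management, categorization, visibility, and continuous improvement
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-10
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:03
        assessable: true
        depth: 1
        ref_id: '03'
        name: IAM/PAM
        description: Identity federation, SSO and MFA, group-based access management,
          secrets management, AD hardening, IAM aligned with onboarding and offboarding
          processes
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-04
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:04
        assessable: true
        depth: 1
        ref_id: '04'
        name: Data Protection and Privacy
        description: Encryption (in transit and at rest), audit trails, privacy by design
          (data minimization at least), GDPR compliance
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-12
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:05
        assessable: true
        depth: 1
        ref_id: '05'
        name: Endpoint Protection
        # "quarantaine" is kept as authored; it is probably meant to be
        # "quarantine".
        description: Antivirus/Antimalware, EDR, MDM, Application Control, quarantaine
          management, email and browsing security
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-02
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-18
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:06
        assessable: true
        depth: 1
        ref_id: '06'
        name: Network Protection
        description: Network segmentation, Firewall, IDS, Remote Access Control (VPN
          and/or ZTNA), WAF, NAC, and Wireless Security
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-11
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-23
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:07
        assessable: true
        depth: 1
        ref_id: '07'
        name: Vulnerability Management
        description: Identification on all workloads and assets, monitoring and communication,
          triage and prioritization processes, continuous patching, periodic checkpoints
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-21
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-22
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:08
        assessable: true
        depth: 1
        ref_id: '08'
        name: Training
        description: General cybersecurity awareness, specialized training, campaigns
          to check for efficiency
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-17
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-24
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:09
        assessable: true
        depth: 1
        ref_id: '09'
        name: Third-Party Risk Management
        description: Vendor management, exit strategy, privileged communication channels,
          decoupling, incident management, contract management
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-09
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-25
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:10
        assessable: true
        depth: 1
        ref_id: '10'
        name: Physical Security
        description: Facility access control, surveillance, security personnel, visitor
          management, locks and safes, emergency response, secure disposal
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-03
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-16
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:11
        assessable: true
        depth: 1
        ref_id: '11'
        name: Cloud Security
        description: Understanding of the shared responsibility model, applying the
          same principles of IAM, network, and data protection, threat detection, and
          response
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-20
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:12
        assessable: true
        depth: 1
        ref_id: '12'
        name: Software Security
        description: Application security and DevSecOps principles, threat modelling,
          use standard libraries, software factory security through gates (SAST, SCA,
          secret leaks, DAST)
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-06
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-07
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-08
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:13
        assessable: true
        depth: 1
        ref_id: '13'
        name: Security Detection and Response
        description: Aggregation of events for inspection and correlation, logs protection,
          tooling and processes for timely incident response involving relevant stakeholders
        # NOTE(review): this maps to ASF-REC-13 (MFA Implementation) while
        # ASF-REC-14 (Incident Response Plan) reads as the natural match for a
        # detection-and-response domain; likewise node 14 maps to ASF-REC-14
        # rather than ASF-REC-05 (Immutable backups). Mapping left as authored —
        # confirm with the framework owner.
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-13
      - urn: urn:intuitem:risk:req_node:asf-baseline-v2:14
        assessable: true
        depth: 1
        ref_id: '14'
        name: Disaster Recovery & Backup
        description: Offline or immutable backups, performed and tested, protocols and
          playbooks for disaster recovery documented and tested, cyber resiliency strategy
          documented and known
        reference_controls:
          - urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-14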