Controls diagram (figure; only the labels are recoverable from the page): a "CONTROLS" wheel made up of five control areas: Asset Management; Configuration Management; Change Management; Threat and Vulnerability Management; Boundary Defence and Bring Your Own Device (BYOD) Management. Threats shown around the wheel: vulnerability and threat management; social engineering; unauthorized changes to critical systems; lack of vulnerability and patch management; DDoS; network attacks; port scanning; mobile malware; email spoofing.

Control | Definitions | Global Frameworks Referenced
--- | --- | ---
Asset Management | Organisations should identify and maintain a risk-based inventory of the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes. | NIST SP 800-53, PCI DSS, ISO 27002 8.1 and SANS CSC 14.5
Configuration Management | Organisations should establish processes to manage asset configuration. This should involve defining a configuration baseline for all critical IT assets and ensuring that assets are configured according to the baseline. | NIST CM 6, PCI DSS 2.2, ISO 27001, CNSSI 4009 and SANS CSC 3, 10
Change Management | Organisations should establish processes and technologies to manage changes to assets, including analyzing requested changes to ensure they do not introduce unacceptable vulnerabilities into the operating environment, ensuring all changes follow the change management process, and identifying unauthorized changes. | NIST CM 5, PCI DSS 6.4.5, ISO 27002 7.3.1 and SANS
Threat and Vulnerability Management | Organisations should establish and maintain processes and technologies to detect, identify, analyze, manage, and respond to cyber security threats and vulnerabilities, commensurate with the risk to the organization's infrastructure (e.g., critical, IT, operational) and organizational objectives. | NIST RA 5, PCI DSS 5, ISO 27002 12.6, CNSSI 4009 and SANS CSC 4-1, 10
Boundary Defence and BYOD Management | Organisations should establish and implement processes and technologies to prevent inappropriate or unauthorized access to an organization's network infrastructure, including the use of non-organisation-owned devices. | NIST SP 800-53, PCI DSS 12.3, ISO 27002 6.2.2, CNSSI 4009 and SANS CSC 5-1, 11