generated from finos/standards-project-blueprint
-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create controls.yaml for secMgmt (#508)
Co-authored-by: Eddie Knight <[email protected]> Co-authored-by: Michael Lysaght <[email protected]>
- Loading branch information
3 people
authored
Jan 20, 2025
1 parent
34bb1c8
commit 2dbaa2f
Showing
1 changed file
with
56 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| common_controls: | ||
| - CCC.C01 # Prevent unencrypted requests | ||
| - CCC.C02 # Ensure data encryption at rest for all stored data | ||
| - CCC.C03 # Implement multi-factor authentication (MFA) for access | ||
| - CCC.C04 # Log all access and changes | ||
| - CCC.C05 # Prevent access from untrusted entities | ||
| - CCC.C06 # Prevent deployment in restricted regions | ||
| - CCC.C07 # Alert on non-human enumeration | ||
| - CCC.C09 # Prevent tampering, deletion, or unauthorized access to access logs | ||
| - CCC.C10 # Prevent data replication to destinations outside of defined trust perimeter | ||
|
|
||
| controls: | ||
| - id: CCC.SecMgmt.C01 | ||
| title: Enforce Automatic Secret Rotation | ||
| objective: | | ||
| Ensure that secrets are automatically rotated on a defined schedule to | ||
| reduce the risk of secret compromise and unauthorized access. | ||
| control_family: Data Protection | ||
| threats: | ||
| - CCC.TH01 # Access control is misconfigured | ||
| - CCC.TH14 # Older Resource Versions Are Exploited | ||
| nist_csf: PR.DS-6 # Integrity checking mechanisms are used | ||
| control_mappings: | ||
| NIST_800_53: | ||
| - SC-12 # Cryptographic Key Establishment and Management | ||
| - SC-28 # Protection of Information at Rest | ||
| test_requirements: | ||
| - id: CCC.SecMgmt.C01.TR01 | ||
| text: | | ||
| Attempt to use an outdated version of a secret after its rotation period | ||
| has passed and verify that access is denied. | ||
| tlp_levels: | ||
| - tlp_red | ||
| - tlp_amber | ||
|
|
||
| - id: CCC.SecMgmt.C02 | ||
| title: Enforce Secret Replication Policies | ||
| objective: | | ||
| Ensure that secrets are replicated only to authorized locations as per | ||
| organizational data residency and compliance requirements. | ||
| control_family: Data Protection | ||
| threats: | ||
| - CCC.TH03 # Deployment region network is untrusted | ||
| - CCC.TH04 # Data is replicated to untrusted or external locations | ||
| nist_csf: PR.DS-5 # Protections against data leaks are implemented | ||
| control_mappings: | ||
| NIST_800_53: | ||
| - AC-3 # Access Enforcement | ||
| - SC-7 # Boundary Protection | ||
| test_requirements: | ||
| - id: CCC.SecMgmt.C02.TR01 | ||
| text: | | ||
| Attempt to retrieve a secret from an unauthorized region and verify that access is denied. | ||
| tlp_levels: | ||
| - tlp_red | ||
| - tlp_amber |