| Objective | Description | Chapter |
|---|---|---|
| | Understand and apply threat modeling concepts and methodologies | 1 |
| 1.12 | Apply Supply Chain Risk Management (SCRM) concepts | 1 |
| 1.12.1 | Risks associated with hardware, software, and services | 1 |
| 1.12.2 | Third-party assessment and monitoring | 1 |
| 1.12.3 | Minimum security requirements | 1 |
| 1.12.4 | Service level requirements | 1 |
| 1.13 | Establish and maintain a security awareness, education, and training program | 2 |
| 1.13.1 | Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification) | 2 |
| 1.13.2 | Periodic content reviews | 2 |
| 1.13.3 | Program effectiveness evaluation | 2 |
| Domain 2 | Asset Security | |
| 2.1 | Identify and classify information and assets | 5 |
| 2.1.1 | Data classification | 5 |
| 2.1.2 | Asset classification | 5 |
| 2.2 | Establish information and asset handling requirements | 5 |
| 2.3 | Provision resources securely | 16 |
| 2.3.1 | Information and asset ownership | 16 |
| 2.3.2 | Asset inventory (e.g., tangible, intangible) | 16 |
| 2.3.3 | Asset management | 16 |
| 2.4 | Manage data lifecycle | 5 |
| 2.4.1 | Data roles (i.e., owners, controllers, custodians, processors, users/subjects) | 5 |
| 2.4.2 | Data collection | 5 |
| 2.4.3 | Data location | 5 |
| 2.4.4 | Data maintenance | 5 |
| 2.4.5 | Data retention | 5 |
| 2.4.6 | Data remanence | 5 |
| 2.4.7 | Data destruction | 5 |
| 2.5 | Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS)) | 5 |
| 2.6 | Determine data security controls and compliance requirements | 5 |
| 2.6.1 | Data states (e.g., in use, in transit, at rest) | 5 |
| 2.6.2 | Scoping and tailoring | 5 |
| 2.6.3 | Standards selection | 5 |