All Episodes


DE.CM-02 - Watching the Physical Environment for Threats

DE.CM-02 involves monitoring the physical environment housing technology assets to detect adverse events, such as unauthorized access or tampering with controls like l...

DE.CM-01 - Monitoring Networks for Adverse Events

DE.CM-01 focuses on continuously monitoring networks and network services, such as DNS and BGP, to detect potentially adverse events like unauthorized connections or t...

PR.IR-04 - Maintaining Resource Capacity for Availability

PR.IR-04 maintains sufficient resource capacity—storage, compute, power, and bandwidth—to ensure system availability, monitoring usage and forecasting needs. This proa...

PR.IR-03 - Building Resilient Technology Systems

PR.IR-03 implements mechanisms like redundant storage, load balancing, and high-availability components to meet resilience requirements under both normal and adverse c...

PR.IR-02 - Shielding Assets from Environmental Threats

PR.IR-02 safeguards technology assets from environmental threats like flooding, fire, or excessive heat, using physical protections and resilient infrastructure. This ...

PR.IR-01 - Protecting Against Unauthorized Network Access

PR.IR-01 protects networks and environments from unauthorized logical access by segmenting them based on trust boundaries (e.g., IT, IoT, OT) and restricting communica...

PR.PS-06 - Securing the Software Development Process

PR.PS-06 integrates secure development practices into the software lifecycle, protecting code from tampering and ensuring releases have minimal vulnerabilities. This i...

PR.PS-05 - Preventing Unauthorized Software Use

PR.PS-05 prevents the installation and execution of unauthorized software by restricting platforms to approved applications and verifying software integrity before use...

PR.PS-04 - Enabling Continuous Monitoring with Logs

PR.PS-04 requires configuring systems, applications, and services to generate log records that support continuous monitoring, ensuring visibility into activities and e...

PR.PS-03 - Managing Hardware Lifecycles

PR.PS-03 ensures hardware is maintained, replaced, or securely removed based on its security capabilities and risk profile, such as replacing devices unable to support...

PR.PS-02 - Maintaining Software Security

PR.PS-02 focuses on maintaining, replacing, or removing software based on risk, including timely patching, updating container images, and phasing out end-of-life versi...

PR.PS-01 - Implementing Configuration Management

PR.PS-01 establishes and applies configuration management practices to maintain secure baselines for hardware, software, and services, adhering to the principle of lea...

PR.DS-11 - Ensuring Reliable Data Backups

PR.DS-11 ensures that data backups are regularly created, securely stored, and tested to maintain availability and integrity for recovery purposes. This includes near-...

PR.DS-10 - Safeguarding Data-in-Use

PR.DS-10 protects data-in-use—actively processed in memory or applications—by removing it when no longer needed and isolating it from other users or processes on the s...

PR.DS-02 - Securing Data-in-Transit

PR.DS-02 secures data-in-transit—moving across networks or communications—using encryption and integrity checks like digital signatures to prevent interception or alte...

PR.DS-01 - Protecting Data-at-Rest

PR.DS-01 focuses on securing data-at-rest—stored in files, databases, or devices—using encryption, digital signatures, and physical controls to protect confidentiality...

PR.AT-02 - Preparing Specialists for Cybersecurity Roles

PR.AT-02 targets individuals in specialized roles—like cybersecurity staff, finance personnel, or senior leaders—with tailored training to address role-specific risks....

PR.AT-01 - Training Personnel on Cybersecurity Basics

PR.AT-01 ensures that all personnel—employees, contractors, and partners—receive basic cybersecurity awareness and training to handle tasks securely. This includes rec...

PR.AA-06 - Controlling Physical Access to Assets

PR.AA-06 addresses the management and monitoring of physical access to assets, using controls like security guards, cameras, and locked entries to restrict entry based...

PR.AA-05 - Enforcing Access Control Policies

PR.AA-05 establishes a policy-driven approach to managing access permissions, ensuring they are granted based on need (least privilege) and distinct roles (separation ...

PR.AA-04 - Securing Identity Assertions

PR.AA-04 focuses on securing identity assertions—digital statements used to convey authentication and user information—across systems like single sign-on or federated ...

PR.AA-03 - Authenticating Users and Devices

PR.AA-03 mandates the authentication of users, services, and hardware to verify their identity before granting access to organizational assets. This can include multif...

PR.AA-02 - Verifying Identities for Credential Issuance

PR.AA-02 requires verifying the identities of individuals or entities before binding them to credentials, tailoring the proofing process to the context of their intend...

PR.AA-01 - Managing Identities and Credentials

PR.AA-01 focuses on the management of identities and credentials for all authorized entities—users, services, and hardware—within the organization’s control. This invo...

ID.IM-04 - Strengthening Incident Response Plans

ID.IM-04 involves establishing, sharing, and maintaining cybersecurity plans—like incident response or disaster recovery—that impact operations, with a focus on contin...

ID.IM-03 - Enhancing Processes from Operational Insights

ID.IM-03 seeks improvements from the day-to-day execution of cybersecurity processes, procedures, and activities, capturing lessons learned in real-world operations. T...

ID.IM-02 - Improving Through Security Tests and Exercises

ID.IM-02 identifies improvements from security tests and exercises, like penetration testing or incident response simulations, often involving suppliers and third part...

ID.IM-01 - Learning from Cybersecurity Evaluations

ID.IM-01 focuses on identifying improvements to cybersecurity risk management through evaluations, such as self-assessments or third-party audits. These reviews consid...

ID.RA-10 - Assessing Critical Suppliers Before Acquisition

ID.RA-10 involves conducting risk assessments of critical suppliers before engaging them, evaluating their cybersecurity practices and supply chain risks. This ensures...

ID.RA-09 - Verifying Hardware and Software Integrity

ID.RA-09 requires assessing the authenticity and integrity of hardware and software before purchase or deployment, ensuring they are free from tampering or vulnerabili...
