Access Control Management

Require MFA for remote network access.


Access Control Management

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.


Access Control Management

Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.


Access Control Management

Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.


Access Control Management

Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.


Continuous Vulnerability Management

Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.


Continuous Vulnerability Management

Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.


Continuous Vulnerability Management

Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.


Continuous Vulnerability Management

Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.


Continuous Vulnerability Management

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

