Audit & Compliance

ClearArmor’s ICSP Framework is aligned with both the NIST Cybersecurity Framework (Version 1.1 Draft, released January 10, 2017) and the CIS Critical Security Controls (Version 6.1, released August 31, 2016). The two mapping tables below list each NIST Framework category and each CIS Control alongside the ClearArmor coverage claim.


On January 10, 2017, NIST released proposed updates to the Cybersecurity Framework. Version 1.1 (Draft) seeks to clarify, refine, and enhance the Framework; among other changes it adds the Supply Chain Risk Management (ID.SC) category and renames PR.AC to Identity Management and Access Control. NIST published the final Version 1.1 in April 2018, so the category wording below follows the January 2017 draft.
NIST Cybersecurity Framework Version 1.1 (Draft): Function, Category, ClearArmor Framework Compliant

IDENTIFY (ID)
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. Compliant: Yes
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. Compliant: Yes
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. Compliant: Yes
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Compliant: Yes
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Compliant: Yes
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has in place the processes to identify, assess and manage supply chain risks. Compliant: Yes

PROTECT (PR)
Identity Management and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. Compliant: Yes
Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. Compliant: Yes
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Compliant: Yes
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. Compliant: Yes
Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. Compliant: Yes
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Compliant: Yes

DETECT (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood. Compliant: Yes
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. Compliant: Yes
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. Compliant: Yes

RESPOND (RS)
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. Compliant: Yes
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Compliant: Yes
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities. Compliant: Yes
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. Compliant: Yes
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. Compliant: Yes

RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. Compliant: Yes
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. Compliant: Yes
Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. Compliant: Yes
The Center for Internet Security – Critical Security Controls Version 6.1: Control, ClearArmor Framework Compliant

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices. Compliant: Yes
Critical Security Control #2: Inventory of Authorized and Unauthorized Software. Compliant: Yes
Critical Security Control #3: Secure Configurations for Hardware and Software. Compliant: Yes
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation. Compliant: Yes
Critical Security Control #5: Controlled Use of Administrative Privileges. Compliant: Yes
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs. Compliant: Yes
Critical Security Control #7: Email and Web Browser Protections. Compliant: Yes
Critical Security Control #8: Malware Defenses. Compliant: Yes
Critical Security Control #9: Limitation and Control of Network Ports, Protocols, and Services. Compliant: Yes
Critical Security Control #10: Data Recovery Capability. Compliant: Yes
Critical Security Control #11: Secure Configurations for Network Devices. Compliant: Yes
Critical Security Control #12: Boundary Defense. Compliant: Yes
Critical Security Control #13: Data Protection. Compliant: Yes
Critical Security Control #14: Controlled Access Based on the Need to Know. Compliant: Yes
Critical Security Control #15: Wireless Access Control. Compliant: Yes
Critical Security Control #16: Account Monitoring and Control. Compliant: Yes
Critical Security Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps. Compliant: Yes
Critical Security Control #18: Application Software Security. Compliant: Yes
Critical Security Control #19: Incident Response and Management. Compliant: Yes
Critical Security Control #20: Penetration Tests and Red Team Exercises. Compliant: Yes