opexxx/Protect

## Protect
Identity Management
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Awareness and Training
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities
PR.AT-4: Senior executives understand roles and responsibilities
PR.AT-5: Physical and information security personnel understand roles and responsibilities
Data Security
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Info Protection
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance
PR.MA-1: Maintenance and repair of organizational assets are performed and logged in a timely manner, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets are approved, logged, and performed in a manner that prevents unauthorized access
Protective Tech
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.PT-4: Communications and control networks are protected
PR.PT-5: Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations)
	Identity Management
	PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
	PR.AC-2: Physical access to assets is managed and protected
	PR.AC-3: Remote access is managed
	PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
	PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
	PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate
	PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
	Awareness and Training
	PR.AT-1: All users are informed and trained
	PR.AT-2: Privileged users understand roles and responsibilities
	PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities
	PR.AT-4: Senior executives understand roles and responsibilities
	PR.AT-5: Physical and information security personnel understand roles and responsibilities
	Data Security
	PR.DS-1: Data-at-rest is protected
	PR.DS-2: Data-in-transit is protected
	PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
	PR.DS-4: Adequate capacity to ensure availability is maintained
	PR.DS-5: Protections against data leaks are implemented
	PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
	PR.DS-7: The development and testing environment(s) are separate from the production environment
	PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
	Info Protection
	PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality)
	PR.IP-2: A System Development Life Cycle to manage systems is implemented
	PR.IP-3: Configuration change control processes are in place
	PR.IP-4: Backups of information are conducted, maintained, and tested periodically
	PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
	PR.IP-6: Data is destroyed according to policy
	PR.IP-7: Protection processes are continuously improved
	PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
	PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
	PR.IP-10: Response and recovery plans are tested
	PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
	PR.IP-12: A vulnerability management plan is developed and implemented
	Maintenance
	PR.MA-1: Maintenance and repair of organizational assets are performed and logged in a timely manner, with approved and controlled tools
	PR.MA-2: Remote maintenance of organizational assets are approved, logged, and performed in a manner that prevents unauthorized access
	Protective Tech
	PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
	PR.PT-2: Removable media is protected and its use restricted according to policy
	PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
	PR.PT-4: Communications and control networks are protected
	PR.PT-5: Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations)