NIST CSF 2.0 Audit Guide

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
1K views16 pages

NIST CSF 2.0 Audit Guide

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

NIST CSF 2.0 AUDIT CHECKLIST

Function: PROTECT (PR): Safeguards to manage the organization’s cybersecurity risks are used

Category: Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access

Subcategory | Audit Questionnaire | Compliance Status (the Compliance Status column is blank in the checklist)
PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
1. Does the organization have a defined process for managing identities and credentials for authorized users, services, and hardware?
2. How does the organization ensure that identities and credentials are uniquely assigned and accurately associated with the corresponding users, services, or hardware?
3. What mechanisms are in place to create, modify, disable, and revoke identities and credentials in a timely and secure manner?
4. Does the organization maintain a centralized repository or system for managing and storing identities and credentials?
5. Are there processes in place to periodically review and validate the active identities and credentials to ensure their continued necessity and accuracy?
6. How does the organization monitor and detect the use of unauthorized or compromised identities and credentials?
7. Are there defined policies and procedures for the secure handling, storage, and protection of credentials (e.g., password policies, multi-factor authentication, encryption)?
8. Does the organization provide training or guidance to personnel on the proper management and use of identities and credentials?
9. Are there clear roles and responsibilities assigned for the management of identities and credentials across the organization?
10. How does the organization's leadership ensure the effectiveness of the identity and credential management processes?

PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
1. Does the organization have processes in place to proof identities and bind them to credentials based on the context of interactions?
2. What methods or techniques are used for identity proofing (e.g., document verification, biometric authentication, third-party identity services)?
3. How does the organization determine the appropriate level of identity proofing required based on the context and risk associated with different types of interactions?
4. Are there defined procedures for securely binding proofed identities to the corresponding credentials?
5. Does the organization maintain records or documentation of the identity proofing and credential binding processes?
6. Are there mechanisms in place to detect and prevent the use of fraudulent or compromised identities and credentials?

PR.AA-03: Users, services, and hardware are authenticated
1. Does the organization have processes in place to authenticate users, services, and hardware before granting access to systems or resources?
2. What authentication mechanisms or protocols are used (e.g., passwords, multi-factor authentication, biometrics, digital certificates, hardware tokens)?
3. How does the organization ensure that the authentication mechanisms are appropriate and commensurate with the risk associated with different types of access or interactions?
4. Are there defined procedures for securely managing and distributing authentication credentials or factors to authorized users, services, and hardware?
5. Does the organization maintain records or logs of authentication activities for auditing and monitoring purposes?
6. How does the organization ensure that authentication mechanisms are consistently applied across different systems, applications, or environments?
7. Are there mechanisms in place to detect and prevent unauthorized or brute-force authentication attempts?

PR.AA-04: Identity assertions are protected, conveyed, and verified
1. Does the organization have processes in place to protect, convey, and verify identity assertions?
2. What mechanisms or protocols are used to ensure the confidentiality, integrity, and authenticity of identity assertions during transmission and storage (e.g., encryption, digital signatures, secure protocols)?
3. How does the organization ensure that identity assertions are conveyed and verified in a secure and trusted manner across different systems, applications, or environments?
4. Are there defined procedures for managing and validating the trust relationships between entities involved in the exchange of identity assertions?
5. Does the organization maintain records or logs of identity assertion activities for auditing and monitoring purposes?
6. Are there mechanisms in place to detect and prevent unauthorized or malicious modifications to identity assertions?

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
1. Does the organization have a defined policy for managing access permissions, entitlements, and authorizations?
2. How does the organization ensure that access permissions, entitlements, and authorizations are aligned with the principles of least privilege and separation of duties?
3. Are there processes in place to periodically review and validate the appropriateness of access permissions, entitlements, and authorizations based on user roles, responsibilities, and business requirements?
4. Does the organization maintain a centralized repository or system for managing and enforcing access permissions, entitlements, and authorizations across different systems and applications?
5. How does the organization monitor and detect unauthorized or excessive access permissions, entitlements, or authorizations?
6. Are there defined procedures for granting, modifying, and revoking access permissions, entitlements, and authorizations in a timely and secure manner?
7. Does the organization provide training or guidance to personnel on the proper assignment and management of access permissions, entitlements, and authorizations?
8. Are there clear roles and responsibilities assigned for the management and oversight of access permissions, entitlements, and authorizations?
9. How does the organization's leadership ensure the effectiveness and continuous improvement of the access management processes?
10. Are there mechanisms in place to audit and report on the compliance with the access management policy and procedures?

PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
1. Does the organization have processes in place to manage, monitor, and enforce physical access to assets commensurate with risk?
2. How does the organization identify and classify assets that require physical access controls based on their criticality and sensitivity?
3. What types of physical access controls are implemented (e.g., locks, access cards, biometrics, surveillance cameras, security guards)?
4. Are there defined procedures for granting, modifying, and revoking physical access permissions to authorized personnel or visitors?
5. Does the organization maintain records or logs of physical access activities for auditing and monitoring purposes?
6. How does the organization monitor and detect unauthorized physical access attempts or breaches?
7. Are there mechanisms in place to prevent or mitigate the consequences of unauthorized physical access to assets?
8. Does the organization provide training or guidance to personnel on the proper physical security practices and access control procedures?
9. Are there clear roles and responsibilities assigned for the management and oversight of physical access to assets?
10. How does the organization's leadership ensure the effectiveness and continuous improvement of the physical access management processes?

Category: Awareness and Training (PR.AT): The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks

Subcategory | Audit Questionnaire | Compliance Status


PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
1. Does the organization have a comprehensive cybersecurity awareness and training program for all personnel?
2. How does the organization determine the specific cybersecurity knowledge and skills required for personnel to perform their general tasks while considering cybersecurity risks?
3. What types of awareness and training activities are included in the program (e.g., online courses, classroom sessions, phishing simulations, security advisories)?
4. Are the awareness and training materials regularly reviewed and updated to reflect the latest cybersecurity threats, best practices, and organizational policies?
5. Does the organization have a mechanism to assess the effectiveness of the awareness and training program, such as knowledge assessments or practical exercises?
6. Are there processes in place to track and monitor personnel's completion of required cybersecurity awareness and training activities?
7. How does the organization ensure that personnel apply the acquired cybersecurity knowledge and skills in their day-to-day tasks and decision-making?
8. Does the organization provide refresher or ongoing cybersecurity awareness and training to reinforce the knowledge and skills of personnel?
9. Are there clear roles and responsibilities assigned for the development, delivery, and oversight of the cybersecurity awareness and training program?
10. How does the organization's leadership support and promote the importance of cybersecurity awareness and training among personnel?

PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
1. Does the organization have a specialized cybersecurity awareness and training program for individuals in specialized roles (e.g., cybersecurity professionals, IT administrators, developers)?
2. How does the organization identify the specialized roles that require advanced cybersecurity knowledge and skills to perform their tasks effectively?
3. What types of specialized awareness and training activities are included in the program (e.g., technical certifications, hands-on workshops, threat hunting exercises)?
4. Are the specialized awareness and training materials regularly reviewed and updated to reflect the latest cybersecurity technologies, techniques, and industry best practices?
5. Does the organization have a mechanism to assess the effectiveness of the specialized awareness and training program, such as practical assessments or simulations?
6. Are there processes in place to track and monitor the completion of required specialized cybersecurity awareness and training activities?
7. How does the organization ensure that individuals in specialized roles apply the acquired advanced cybersecurity knowledge and skills in their day-to-day tasks and responsibilities?
8. Does the organization provide opportunities for continuous learning and professional development in specialized cybersecurity areas?
9. Are there clear roles and responsibilities assigned for the development, delivery, and oversight of the specialized cybersecurity awareness and training program?
10. How does the organization's leadership support and promote the importance of specialized cybersecurity awareness and training among relevant personnel?

Category: Data Security (PR.DS): Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information

Subcategory | Audit Questionnaire | Compliance Status


PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
1. Does the organization have processes and controls in place to protect the confidentiality, integrity, and availability of data-at-rest?
2. What types of data are considered "data-at-rest" (e.g., data stored on servers, databases, storage systems, backups, archives)?
3. How does the organization classify and identify sensitive or critical data-at-rest that requires additional protection measures?
4. What mechanisms are used to protect the confidentiality of data-at-rest (e.g., encryption, access controls, data masking)?
5. What mechanisms are used to protect the integrity of data-at-rest (e.g., digital signatures, hash functions, access controls)?
6. What mechanisms are used to ensure the availability of data-at-rest (e.g., redundancy, fault tolerance, backup and recovery processes)?
7. Are there defined processes for securely managing and rotating encryption keys or other data protection mechanisms for data-at-rest?
8. How does the organization monitor and detect unauthorized access or modifications to data-at-rest?
9. Are there defined roles and responsibilities for the management and protection of data-at-rest across the organization?

PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
1. Does the organization have processes and controls in place to protect the confidentiality, integrity, and availability of data-in-transit?
2. What types of data flows are considered "data-in-transit" (e.g., network communications, file transfers, remote access, cloud services)?
3. How does the organization identify and classify sensitive or critical data-in-transit that requires additional protection measures?
4. What mechanisms are used to protect the confidentiality of data-in-transit (e.g., encryption, secure protocols, access controls)?
5. What mechanisms are used to protect the integrity of data-in-transit (e.g., digital signatures, message authentication codes, secure protocols)?
6. What mechanisms are used to ensure the availability of data-in-transit (e.g., load balancing, redundancy, failover mechanisms)?
7. Are there defined processes for securely managing and rotating encryption keys or other data protection mechanisms for data-in-transit?
8. How does the organization monitor and detect unauthorized access or modifications to data-in-transit?
9. Are there defined roles and responsibilities for the management and protection of data-in-transit across the organization?

PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
1. Does the organization have processes and controls in place to protect the confidentiality, integrity, and availability of data-in-use?
2. What types of data are considered "data-in-use" (e.g., data processed by applications, memory-resident data, data used in computations)?
3. How does the organization identify and classify sensitive or critical data-in-use that requires additional protection measures?
4. What mechanisms are used to protect the confidentiality of data-in-use (e.g., secure execution environments, memory protection, access controls)?
5. What mechanisms are used to protect the integrity of data-in-use (e.g., secure execution environments, input validation, access controls)?
6. What mechanisms are used to ensure the availability of data-in-use (e.g., redundancy, fault tolerance, failure isolation)?
7. Are there defined processes for securely managing and protecting data-in-use throughout its lifecycle (e.g., secure coding practices, secure runtime environments)?
8. How does the organization monitor and detect unauthorized access or modifications to data-in-use?
9. Are there defined roles and responsibilities for the management and protection of data-in-use across the organization?

PR.DS-11: Backups of data are created, protected, maintained, and tested
1. Does the organization have processes and controls in place for creating, protecting, maintaining, and testing backups of data?
2. What types of data are included in the backup processes (e.g., databases, file systems, configurations, application data)?
3. How does the organization determine the appropriate frequency and retention periods for data backups based on criticality and recovery requirements?
4. What mechanisms are used to protect the confidentiality and integrity of backup data (e.g., encryption, access controls, secure storage)?
5. Are backup data stored in secure locations, both on-site and off-site, to ensure availability in case of disasters or incidents?
6. How does the organization monitor and ensure the successful completion of backup processes, including the verification of backup data integrity?
7. Are there defined processes for testing and validating the restoration of backup data on a regular basis?
8. Does the organization maintain documentation and procedures for executing backup and restoration processes?
9. Are there defined roles and responsibilities for the management and oversight of backup and data protection processes across the organization?
10. How does the organization's leadership ensure the effectiveness and continuous improvement of backup and data protection measures?

Category: Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability

Subcategory | Audit Questionnaire | Compliance Status
PR.PS-01: Configuration management practices are established and applied
1. Does the organization have documented configuration management practices and procedures?
2. How does the organization ensure that configuration management practices are consistently applied across all hardware, software, and service platforms?
3. What processes are in place for establishing and maintaining secure baseline configurations for systems, applications, and services?
4. Are there mechanisms to detect and report deviations from approved configurations?
5. How does the organization manage and approve changes to configurations, including testing and validation processes?
6. Are configuration management activities and changes documented and tracked in a centralized repository or system?
7. Does the organization provide training and guidance to personnel involved in configuration management activities?
8. How does the organization ensure that configuration management practices are aligned with its risk management strategy and security requirements?
9. Are there processes in place to periodically review and update configuration management practices to address changes in the threat landscape, technology, or organizational needs?

PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
1. Does the organization have processes in place for maintaining, replacing, and removing software components (e.g., operating systems, applications, firmware)?
2. How does the organization determine when software needs to be updated, replaced, or removed based on risk considerations?
3. What processes are in place to ensure that software updates and replacements are tested, validated, and approved before deployment?
4. Are there mechanisms to detect and prevent the installation or execution of unauthorized or malicious software?
5. How does the organization manage and track software licenses, versions, and end-of-life cycles?
6. Are there documented procedures for securely removing or decommissioning software components, including data sanitization and secure disposal?
7. Does the organization provide training and guidance to personnel involved in software maintenance, replacement, and removal activities?
8. How does the organization ensure that software maintenance, replacement, and removal practices are aligned with its risk management strategy and security requirements?
9. Are there processes in place to periodically review and update software maintenance, replacement, and removal practices to address changes in the threat landscape, technology, or organizational needs?

PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
1. Does the organization have processes in place for maintaining, replacing, and removing hardware components (e.g., servers, workstations, network devices)?
2. How does the organization determine when hardware needs to be updated, replaced, or removed based on risk considerations?
3. What processes are in place to ensure that hardware updates and replacements are tested, validated, and approved before deployment?
4. Are there mechanisms to detect and prevent the installation or connection of unauthorized or compromised hardware?
5. How does the organization manage and track hardware assets, including maintenance schedules and end-of-life cycles?
6. Are there documented procedures for securely removing or decommissioning hardware components, including data sanitization and secure disposal?
7. Does the organization provide training and guidance to personnel involved in hardware maintenance, replacement, and removal activities?
8. How does the organization ensure that hardware maintenance, replacement, and removal practices are aligned with its risk management strategy and security requirements?
9. Are there processes in place to periodically review and update hardware maintenance, replacement, and removal practices to address changes in the threat landscape, technology, or organizational needs?

PR.PS-04: Log records are generated and made available for continuous monitoring
1. Does the organization have processes in place for generating and making log records available for continuous monitoring?
2. What types of log records are generated and collected (e.g., system logs, application logs, security logs, network logs)?
3. How does the organization ensure that log records are generated and collected consistently across all hardware, software, and service platforms?
4. Are there mechanisms in place to protect the integrity and confidentiality of log records?
5. How does the organization manage and store log records, including retention periods and archiving processes?
6. Are log records continuously monitored for security events, incidents, or anomalies?
7. Does the organization have processes for analyzing and correlating log records from multiple sources to identify potential security issues?
8. Are there mechanisms in place to ensure that log records are available and accessible for analysis, reporting, and investigations?
9. Does the organization provide training and guidance to personnel involved in log management and monitoring activities?

PR.PS-05: Installation and execution of unauthorized software are prevented
1. Does the organization have mechanisms in place to prevent the installation and execution of unauthorized software?
2. What technologies or controls are used to enforce software whitelisting or application control policies?
3. How does the organization define and maintain an approved list of authorized software for different user groups or system types?
4. Are there processes for granting exceptions or temporary approvals for installing or executing specific software?
5. How does the organization monitor and detect attempts to install or execute unauthorized software?
6. Are there mechanisms in place to automatically block or quarantine unauthorized software installations or executions?
7. Does the organization provide training and awareness programs to educate users about the risks of unauthorized software and the importance of adhering to software policies?
8. How does the organization ensure that software whitelisting or application control policies are consistently enforced across all hardware, software, and service platforms?
9. Are there processes in place to periodically review and update the approved software lists and whitelisting policies to address changes in the threat landscape, technology, or organizational needs?

PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
1. Does the organization have processes in place to integrate secure software development practices throughout the software development life cycle?
2. What secure software development methodologies, frameworks, or best practices are followed (e.g., secure coding practices, code reviews, security testing)?
3. How does the organization ensure that secure software development practices are consistently applied across all software development projects?
4. Are there mechanisms in place to monitor and assess the performance and effectiveness of secure software development practices?
5. How does the organization identify and address any gaps or weaknesses in the secure software development practices?
6. Are there processes for incorporating feedback and lessons learned from security incidents or vulnerabilities into the secure software development practices?
7. Does the organization provide training and guidance to software developers, testers, and project managers on secure software development practices?
8. How does the organization ensure that secure software development practices are aligned with its risk management strategy and security requirements?
9. Are there processes in place to periodically review and update the secure software development practices to address changes in the threat landscape, technology, or organizational needs?

Category: Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience

Subcategory | Audit Questionnaire | Compliance Status
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
1. Has the organization implemented controls and mechanisms to protect its networks and environments from unauthorized logical access and usage?
2. What types of controls are in place to prevent unauthorized access to the organization's networks and environments (e.g., firewalls, access control lists, network segmentation, virtual private networks)?
3. How does the organization ensure that access to networks and environments is granted only to authorized users, devices, and services?
4. Are there processes in place to monitor and detect unauthorized or suspicious network and environment access attempts or activities?
5. Does the organization maintain logs or records of network and environment access activities for auditing and forensic purposes?
6. How does the organization ensure that the network and environment access controls are consistently applied across different locations, systems, and infrastructure components?
7. Are there defined procedures for reviewing and updating the network and environment access controls to address evolving threats and changes in the organization's risk landscape?
8. Does the organization provide training or guidance to personnel on the proper use and protection of networks and environments?
9. Are there clear roles and responsibilities assigned for the management and oversight of network and environment access controls?

PR.IR-02: The organization’s technology assets are protected from environmental threats
1. Does the organization have measures in place to protect its technology assets from environmental threats (e.g., power outages, natural disasters, extreme temperatures, humidity)?
2. What types of environmental controls or safeguards are implemented (e.g., uninterruptible power supplies, backup generators, climate control systems, fire suppression systems)?
3. How does the organization assess and mitigate the potential impact of environmental threats on its technology assets and operations?
4. Are there processes in place to monitor and detect environmental conditions that may pose a threat to technology assets?
5. Does the organization maintain contingency plans or procedures for responding to environmental incidents or disruptions?
6. How does the organization ensure that the environmental controls and safeguards are consistently applied across different locations and facilities?
7. Are there defined procedures for testing, maintaining, and updating the environmental controls and safeguards?
8. Does the organization provide training or guidance to personnel on the proper handling and protection of technology assets from environmental threats?
9. Are there clear roles and responsibilities assigned for the management and oversight of environmental controls and safeguards?

PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
1. Does the organization have mechanisms implemented to achieve resilience requirements in normal and adverse situations?
2. What types of resilience mechanisms are implemented (e.g., redundancy, failover, load balancing, backup and recovery, incident response planning)?
3. How does the organization determine the appropriate resilience requirements based on its risk assessment and business continuity objectives?
4. Are there processes in place to monitor and validate the effectiveness of the implemented resilience mechanisms?
5. Does the organization maintain documentation or records of the resilience mechanisms and their associated requirements?
6. How does the organization ensure that the resilience mechanisms are consistently applied across different systems, applications, and infrastructure components?
7. Are there defined procedures for testing and validating the resilience mechanisms in simulated or controlled environments?
8. Does the organization provide training or guidance to personnel on the proper implementation and use of resilience mechanisms?
9. Are there clear roles and responsibilities assigned for the management and oversight of resilience mechanisms?

PR.IR-04: Adequate resource capacity to ensure availability is maintained
1. Does the organization have processes in place to maintain adequate resource capacity to ensure availability of its systems and services?
2. What types of resources are considered in the capacity planning process (e.g., computing power, storage, network bandwidth, software licenses, personnel)?
3. How does the organization assess and determine the required resource capacity based on current and projected workloads, usage patterns, and growth expectations?
4. Are there mechanisms in place to monitor and track resource utilization and capacity levels?
5. Does the organization maintain contingency plans or procedures for responding to resource capacity shortages or spikes in demand?
6. How does the organization ensure that resource capacity is consistently managed across different systems, applications, and infrastructure components?
7. Are there defined procedures for provisioning, scaling, and decommissioning resources to maintain adequate capacity levels?
8. Does the organization provide training or guidance to personnel on the proper management and optimization of resource capacity?
9. Are there clear roles and responsibilities assigned for the management and oversight of resource capacity planning and maintenance?