Collective Assessment Tool v2023


Collective Control Catalog (CCC) Assessment Tool (v2023)

Description | Maturity level | Score
Policies Complete | Level One | 0.00
Priority 1 Controls Implemented | Level Two | 0.00
Priority 2 Controls Implemented | Level Three | 0.00
Priority 3 Controls Implemented | Level Four | 0.00
Priority 4 Controls Implemented | Level Five | 0.00

Maturity Rating*: 0.00
*Rating is on a 0-5 scale.

CCC Governance Category | Policy Score | Implementation Score
Cybersecurity Governance | 0% | 0%
Threat Management | 0% | 0%
Security Policy Management | 0% | 0%
Education and Awareness | 0% | 0%
Project Management | 0% | 0%
Change and Exception Management | 0% | 0%
Measure and Metrics Management | 0% | 0%
Audit Management | 0% | 0%
Third Party Management | 0% | 0%
Risk Reporting | 0% | 0%
Personnel Management | 0% | 0%
Physical Security | 0% | 0%
Business Continuity | 0% | 0%
Incident Management | 0% | 0%
Data Privacy | 0% | 0%
Total Percent Compliant | 0% | 0%

CCC Technical Category | Policy Score | Implementation Score
Asset Inventory and Discovery | 0% | 0%
Software Inventory and Discovery | 0% | 0%
Application Control | 0% | 0%
Patch Management | 0% | 0%
Vulnerability Management | 0% | 0%
Configuration Management | 0% | 0%
Endpoint Protection | 0% | 0%
Removable Media Protection | 0% | 0%
Mobile Device Protection | 0% | 0%
Backup and Recovery | 0% | 0%
Log Management | 0% | 0%
File Integrity Management | 0% | 0%
Identity Management | 0% | 0%
Data Inventory | 0% | 0%
Access Management | 0% | 0%
Privileged Account Management | 0% | 0%
Network Device Management | 0% | 0%
Boundary Filtering | 0% | 0%
Remote Access | 0% | 0%
Web Filtering | 0% | 0%
Email Filtering | 0% | 0%
Network Segmentation and Control | 0% | 0%
Wireless Access | 0% | 0%
Software Development | 0% | 0%
Static Code Analysis | 0% | 0%
Total Percent Compliant | 0% | 0%

This work is licensed under the AuditScripts.com Terms of Service, which can be found at http://www.auditscripts.com/terms/. For Authorized Use Only.

[Chart: Collective Controls Catalog Maturity Scores. Bars for Level One through Level Five on a 0.00 to 1.00 axis; all five levels score 0.00.]

[Chart: Collective Controls Catalog Governance Scores. Horizontal bars for the fifteen governance categories on a 0% to 100% axis; all categories score 0%.]

[Chart: Collective Controls Catalog Technical Scores. Horizontal bars for the twenty-five technical categories on a 0% to 100% axis; all categories score 0%.]


NIST Cybersecurity Framework (v1.1) Categories | Policy Score | Implementation Score
Asset Management (ID.AM) | 0% | 0%
Business Environment (ID.BE) | 0% | 0%
Governance (ID.GV) | 0% | 0%
Risk Assessment (ID.RA) | 0% | 0%
Risk Management Strategy (ID.RM) | 0% | 0%
Supply Chain Risk Management (ID.SC) | 0% | 0%
Identity Management, Authentication and Access Control (PR.AC) | 0% | 0%
Awareness and Training (PR.AT) | 0% | 0%
Data Security (PR.DS) | 0% | 0%
Information Protection Processes and Procedures (PR.IP) | 0% | 0%
Maintenance (PR.MA) | 0% | 0%
Protective Technology (PR.PT) | 0% | 0%
Anomalies and Events (DE.AE) | 0% | 0%
Security Continuous Monitoring (DE.CM) | 0% | 0%
Detection Processes (DE.DP) | 0% | 0%
Response Planning (RS.RP) | 0% | 0%
Communications (RS.CO) | 0% | 0%
Analysis (RS.AN) | 0% | 0%
Mitigation (RS.MI) | 0% | 0%
Improvements (RS.IM) | 0% | 0%
Recovery Planning (RC.RP) | 0% | 0%
Improvements (RC.IM) | 0% | 0%
Communications (RC.CO) | 0% | 0%
Total Percent Compliant | 0% | 0%

[Chart: NIST Cybersecurity Framework (v1.1) Scores. Horizontal bars for the twenty-three CSF categories on a 0% to 100% axis; all categories score 0%.]

ISO 27002:2013 Categories | Policy Score | Implementation Score
A.5 - Information Security Policies | 0% | 0%
A.6 - Organization of information security | 0% | 0%
A.7 - Human resource security | 0% | 0%
A.8 - Asset management | 0% | 0%
A.9 - Access control | 0% | 0%
A.10 - Cryptography | 0% | 0%
A.11 - Physical and environmental security | 0% | 0%
A.12 - Operations security | 0% | 0%
A.13 - Communications security | 0% | 0%
A.14 - System acquisition, development and maintenance | 0% | 0%
A.15 - Supplier relationships | 0% | 0%
A.16 - Information security incident management | 0% | 0%
A.17 - Information security aspects of business continuity management | 0% | 0%
A.18 - Compliance | 0% | 0%
Total Percent Compliant | 0% | 0%

ISO 27002:2022 Categories | Policy Score | Implementation Score
5 - Organizational | 0% | 0%
6 - People | 0% | 0%
7 - Physical | 0% | 0%
8 - Technological | 0% | 0%
Total Percent Compliant | 0% | 0%

[Chart: ISO 27002:2013 Scores. Horizontal bars for categories A.5 through A.18 on a 0% to 100% axis; all categories score 0%.]

[Chart: ISO 27002:2022 Scores. Horizontal bars for categories 5 through 8 on a 0% to 100% axis; all categories score 0%.]

CIS Controls v7.0 / 7.1 Category | Policy Score | Implementation Score
Inventory of Authorized and Unauthorized Devices | 0% | 0%
Inventory of Authorized and Unauthorized Software | 0% | 0%
Continuous Vulnerability Assessment and Remediation | 0% | 0%
Controlled Use of Administrative Privileges | 0% | 0%
Secure Configurations for Hardware and Software | 0% | 0%
Maintenance, Monitoring, and Analysis of Audit Logs | 0% | 0%
Email and Web Browser Protections | 0% | 0%
Malware Defenses | 0% | 0%
Limitation and Control of Network Ports | 0% | 0%
Data Recovery Capabilities | 0% | 0%
Secure Configuration for Network Devices, such as Firewalls, Routers and Switches | 0% | 0%
Boundary Defense | 0% | 0%
Data Protection | 0% | 0%
Controlled Access Based on the Need to Know | 0% | 0%
Wireless Access Control | 0% | 0%
Account Monitoring and Control | 0% | 0%
Implement a Security Awareness and Training Program | 0% | 0%
Application Software Security | 0% | 0%
Incident Response and Management | 0% | 0%
Penetration Tests and Red Team Exercises | 0% | 0%
Total Percent Compliant | 0% | 0%

CIS Controls v8.0 Category | Policy Score | Implementation Score
Inventory and Control of Enterprise Assets | 0% | 0%
Inventory and Control of Software Assets | 0% | 0%
Data Protection | 0% | 0%
Secure Configuration of Enterprise Assets and Software | 0% | 0%
Account Management | 0% | 0%
Access Control Management | 0% | 0%
Continuous Vulnerability Management | 0% | 0%
Audit Log Management | 0% | 0%
Email and Web Browser Protections | 0% | 0%
Malware Defenses | 0% | 0%
Data Recovery | 0% | 0%
Network Infrastructure Management | 0% | 0%
Network Monitoring and Defense | 0% | 0%
Security Awareness and Skills Training | 0% | 0%
Service Provider Management | 0% | 0%
Application Software Security | 0% | 0%
Incident Response Management | 0% | 0%
Penetration Testing | 0% | 0%
Total Percent Compliant | 0% | 0%

[Chart: CIS Controls (v7.0 / 7.1) Scores. Horizontal bars for the twenty CIS v7 controls on a 0% to 100% axis; all controls score 0%.]

[Chart: CIS Controls (v8.0) Scores. Horizontal bars for the eighteen CIS v8 controls on a 0% to 100% axis; all controls score 0%.]
Collective Control Catalog (CCC): Governance Controls

Total Implementation of Governance Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
GOV-01 | Create an information assurance charter that articulates the organization’s commitment to data protection and its goals towa[...] integrity and availability of data.
GOV-02 | Establish the authority of a committee to define the organization's information assurance program strategy and administer the
GOV-03 | Define the key stakeholders that will serve as members of the organization's information assurance program committee.
GOV-04 | Establish that a senior executive leadership representative with authority will always be a member of this organization’s com
GOV-05 | Define additional leadership roles and responsibilities for the organization's information security program and committee.
GOV-06 | Ensure that the organization's information security program committee is composed of key stakeholders from a cross-section [...] simply technology workforce members.
GOV-07 | Ensure that the organization's information assurance program charter defines the organization's approach to addressing cyber
GOV-08 | Ensure that the organization's information assurance program charter defines the specific regulatory requirements, contractu[...] standards that the organization's assurance program shall achieve.
GOV-09 | Define the frequency with which the information assurance program committee will meet, rules of order, rules for decision making, and o[...] logistics.
GOV-10 | Define the program's scope and applicability to the individual business units, subsidiaries, or sites within the organization.
GOV-11 | Ensure that the senior levels of executive leadership formally approve the organization's information security program charter
GOV-12 | Formally assign information security leadership responsibilities for the organization as a whole as well as to a specific group of [...] responsible for leadership and program management.
GOV-13 | Formally assign information security leadership responsibilities inside each business unit within the organization.

Policy Defined: Question Not Answered (all 13 controls)
Control Implemented: Question Not Answered (all 13 controls)


Collective Control Catalog (CCC): Threat Management Controls

Total Implementation of Threat Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
THR-01 | Identify and join industry-specific associations that will provide the organization up-to-date threat intelligence on threats to th[...] information systems.
THR-02 | Subscribe to threat intelligence feeds that will provide the organization up-to-date threat intelligence on threats to the organi[...] systems.
THR-03 | Document a detailed threat catalog of all threat actions that could cause harm to the organization's information systems.
THR-04 | Define a list of threat characteristics for the organization's threat modeling and prioritization.
THR-05 | Prioritize or score all threats defined in the organization's threat catalog.
THR-06 | Map each of the threats in the organization's threat catalog to controls intended to address the threat.
THR-07 | Regularly review and update the organization's threat catalog, threat model, and prioritization documentation.

Policy Defined: Question Not Answered (all 7 controls)
Control Implemented: Question Not Answered (all 7 controls)


Collective Control Catalog (CCC): Security Policy Controls

Total Implementation of Policy Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
POL-01 | Document information security and privacy policies that define the controls the organization intends to implement to achieve
POL-02 | Document information security and privacy frameworks or regulations to clarify information security policies through specific [...] requirements.
POL-03 | Ensure that all information assurance documents define a full catalog of the organization's security and privacy strategies and [...] their current capabilities.
POL-04 | Ensure that all information assurance documentation clearly defines the scope and applicability of the documentation.
POL-05 | Ensure that all information assurance documentation clearly defines the sanctions that will be imposed if the controls are not
POL-06 | Define the process by which all information assurance documentation will be approved.
POL-07 | Ensure that all information assurance documentation has completed that defined approval process.
POL-08 | Ensure that all information assurance documentation is mapped to the regulations and standards defined in the organization's [...] program charter.
POL-09 | Ensure that the organization's security and privacy policies define the acceptable use of the organization's information system
POL-10 | Perform regular reviews of all information security and privacy documentation to ensure it continues to meet the organization

Policy Defined: Question Not Answered (all 10 controls)
Control Implemented: Question Not Answered (all 10 controls)
Collective Control Catalog (CCC): Education and Awareness Controls

Total Implementation of Education Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
EDU-01 | Publish approved versions of the organization's information security and privacy intentions (charter, policies, standards) to ap[...] members.
EDU-02 | Ensure that all new workforce members understand the information security policies and standards as appropriate for his or h
EDU-03 | Ensure that all new workforce members are provided information security awareness training as appropriate for their job role
EDU-04 | Define the specific information security knowledge requirements appropriate for all job roles in the organization.
EDU-05 | Regularly ensure that all workforce members receive appropriate information security and privacy education as appropriate b[...] organization.
EDU-06 | Perform a gap analysis between defined and actual workforce knowledge in order to maintain an appropriate education plan [...] organization.
EDU-07 | Utilize a system for tracking educational progress towards the organization's education plan.
EDU-08 | Regularly perform information security awareness training as appropriate for all job roles in the organization.
EDU-09 | Ensure that the organization's information security awareness program educates workforce members on how to securely auth
EDU-10 | Ensure that the organization's information security awareness program educates workforce members on how to identify socia
EDU-11 | Ensure that the organization's information security awareness program educates workforce members on how to handle the o[...] data.
EDU-12 | Ensure that the organization's information security awareness program educates workforce members on the most likely cau
EDU-13 | Ensure that the organization's information security awareness program educates workforce members on the most common in[...] and how to report an incident.
EDU-14 | Ensure that the organization's information security awareness program educates workforce members on how to detect if auto[...] not work as intended (such as software updates).
EDU-15 | Ensure that the organization's information security awareness program educates workforce members on how to communicate [...] networks.
EDU-16 | Report on a regular basis to key stakeholders on the status of the organization's information security and privacy education plan.
EDU-17 | Regularly provide practical awareness exercises to ensure the effectiveness of the program and report the results of such exer[...] leadership stakeholders.

Policy Defined: Question Not Answered (all 17 controls)
Control Implemented: Question Not Answered (all 17 controls)


Collective Control Catalog (CCC): Project Management Controls

Total Implementation of Project Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
PM-01 | Establish a Project Management Office (PMO) to track all information security and privacy projects in the organization.
PM-02 | Implement a PMO project tracking tool to formally track all information security projects in the organization.
PM-03 | Utilize the organization's PMO tool to prioritize all information security projects in the organization.
PM-04 | Utilize the organization's PMO tool to track the status of all information security projects in the organization.
PM-05 | Identify the capital resource costs for the implementation of each information security project and ensure that it is tracked in [...] tool.
PM-06 | Identify the human resource requirements for the implementation of each information security project and ensure that it is tr[...] organization's PMO tool.
PM-07 | Identify the capital resource costs for the ongoing maintenance and operation of each information security project and ensure [...] organization's PMO tool.
PM-08 | Identify the human resource requirements for the ongoing maintenance and operation of each information security project an[...] in the organization's PMO tool.
PM-09 | Assign appropriate resources to all projects, systems, and operational programs defined in the organization's information secu[...] programs.

Policy Defined: Question Not Answered (all 9 controls)
Control Implemented: Question Not Answered (all 9 controls)
Collective Control Catalog (CCC): Change Management Controls

Total Implementation of Change Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
CHM-01 | Document the process that the organization will follow to approve exceptions to their information security and privacy policie
CHM-02 | Document the process that the organization will follow to approve changes to their information security systems.
CHM-03 | Document an approved list of blanket exceptions that are temporarily applied to the entire organization.
CHM-04 | Determine who is authorized to approve exceptions to the organization's information security and privacy controls.
CHM-05 | Implement a Governance, Risk, and Compliance (GRC) system (a tracking system) to track all exceptions to the organization's d[...] security and privacy controls.
CHM-06 | Perform a regular review of all approved exceptions (at least annually) to determine whether the exception is still valid for the
CHM-07 | Regularly report all approved exceptions to the organization's senior leadership for approval and ultimate acceptance of risk.

Policy Defined: Question Not Answered (all 7 controls)
Control Implemented: Question Not Answered (all 7 controls)


Collective Control Catalog (CCC): Measure and Metric Controls

Total Implementation of Measure and Metric Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
MET-01 | Define quantifiable measures for all defined information security and privacy controls in the organization's control library.
MET-02 | Prioritize all information security and privacy measures based on the importance defined for each of the controls.
MET-03 | Ensure that there are consistent data types defined for each of the measures that are documented.
MET-04 | Determine which quality management methodologies the organization will use to measure the maturity of the information se
MET-05 | Map each of the information security and privacy measures to a technology sensor that can automatically gather the necessar
MET-06 | Define specific data sets which should be retrieved from each of the defined technology sensors.
MET-07 | Define common information tags for data fields that are vendor agnostic and can be aggregated into a common database for a
MET-08 | Define a common data schema to aggregate information security and privacy data from each of the technology sensors define
MET-09 | Deploy a database engine (such as a CMDB or GRC) to aggregate the defined data sets.
MET-10 | Aggregate data from each of the technology sensors into the database engine (such as a CMDB or GRC).
MET-11 | Determine whether there is additional data that must be manually collected and added into the database engine (such as a CMDB or GRC
MET-12 | Manually collect additional data sets as necessary and add them to the database engine (such as a CMDB or GRC).

Policy Defined: Question Not Answered (all 12 controls)
Control Implemented: Question Not Answered (all 12 controls)


Collective Control Catalog (CCC): Audit Controls

Total Implementation of Audit Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail
AUD-01 | Establish a comprehensive, multi-year audit plan which defines all audit and risk management scopes to be assessed by the or
AUD-02 | Define the necessary resources (personnel and capital) that will be required for each audit in the audit plan to be performed.
AUD-03 | Ensure that the organization realistically plans for the number of audits that can be performed annually based on resource ava
AUD-04 | Determine which resources will perform audits, such as internal resources (self-assessments, internal audits) or external, indep[...] (external audits).
AUD-05 | Define specific audit personnel resources responsible for each audit in the organization's audit plan.
AUD-06 | Ensure that the organization includes penetration tests as a part of the organization's overall audit plan (testing both internall[...] systems).
AUD-07 | Ensure that the organization includes red team penetration testing as a part of the organization's overall audit plan.
AUD-08 | Ensure that the organization's penetration tests include tests for unprotected system information that could be disclosed to an
AUD-09 | Ensure that the organization's penetration tests include tests performed against a test lab environment for those systems too [...] production systems.
AUD-10 | Ensure that the organization's penetration tests include testing with vulnerability management tools in addition to manual tes
AUD-11 | Ensure that the organization's penetration tests are documented using a common, open, machine-readable format (such as SC[...] risks to information systems.
AUD-12 | Ensure that the organization monitors all user accounts and systems used during a penetration test to ensure that such system[...] protected from potential abuse as a result of the testing.
AUD-13 | Complete each audit defined in the organization's audit plan on the schedule defined.
AUD-14 | Enter the results of each information security and privacy audit, including corrective actions, into the organization's GRC datab
AUD-15 | Monitor all corrective actions identified as a result of the organization's audit program to ensure that all corrective actions ar[...] manner.

Policy Defined: Question Not Answered (all 15 controls)
Control Implemented: Question Not Answered (all 15 controls)


Collective Control Catalog (CCC): Third Party Management Controls

Total Implementation of Third Party Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
TPM-01 | Inventory all of the organization's third party information security and privacy business partners. | Question Not Answered | Question Not Answered
TPM-02 | Define specific contract language that will be required for each of the organization's third party business partners. | Question Not Answered | Question Not Answered
TPM-03 | Identify and document each of the organization's third parties that accesses, stores, or processes the organization's data. | Question Not Answered | Question Not Answered
TPM-04 | Inventory the data and the stated purpose or use for which each third party accesses, stores, or processes the data. | Question Not Answered | Question Not Answered
TPM-05 | Define which security and privacy controls documented in the organization's security policy library are required for third party | Question Not Answered | Question Not Answered
TPM-06 | Determine whether the specific information security and privacy controls required for third party business partners will be con mandatory. | Question Not Answered | Question Not Answered
TPM-07 | Ensure that each of the organization's third party business partners signs the appropriate contract terms. | Question Not Answered | Question Not Answered
TPM-08 | Define a process to assess third party partners that have not been granted access to the organization's data. | Question Not Answered | Question Not Answered
TPM-09 | Define a process to assess third party partners that have been granted access to the organization's data. | Question Not Answered | Question Not Answered
TPM-10 | Perform an assessment of each third party partner to determine whether they are following the prescribed information securi | Question Not Answered | Question Not Answered
TPM-11 | Monitor each of the organization's third party partners for events which could impact the security of the organization or its data. | Question Not Answered | Question Not Answered
TPM-12 | Ensure that all third party business partners notify the organization in a timely manner if they experience a security incident eff | Question Not Answered | Question Not Answered
TPM-13 | Establish a rating system for all third party partners to indicate the level of risk associated with doing business with that partne | Question Not Answered | Question Not Answered
TPM-14 | Record the results of the third party partner information security and privacy impact assessments in the organization's GRC da | Question Not Answered | Question Not Answered
TPM-15 | Ensure that all third party business partners develop software applications and manage data using methods that facilitate the systems between partners. | Question Not Answered | Question Not Answered
TPM-16 | Establish a process for decommissioning third party service providers. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Risk Reporting Controls

Total Implementation of Risk Reporting Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
RR-01 | Implement a Governance, Risk, and Compliance (GRC) or Business Intelligence (BI) tool that the organization will use to track t and metrics. | Question Not Answered | Question Not Answered
RR-02 | Identify a set of relevant information security and privacy risk reports to create in the risk reporting system. | Question Not Answered | Question Not Answered
RR-03 | Establish appropriate thresholds for quality based on the quality management methodology adhered to by the organization. | Question Not Answered | Question Not Answered
RR-04 | Ensure that information security risk is reported by each of the organization's primary business units. | Question Not Answered | Question Not Answered
RR-05 | Ensure that information security and privacy risk is reported by each of the organization's primary data owners. | Question Not Answered | Question Not Answered
RR-06 | Ensure that information security risk is reported by each of the organization's primary data custodians. | Question Not Answered | Question Not Answered
RR-07 | Report information security risk with approved exceptions considered in the report. | Question Not Answered | Question Not Answered
RR-08 | Report information security risk without approved exceptions considered in the report. | Question Not Answered | Question Not Answered
RR-09 | Ensure that the information security risk results are available to appropriate key stakeholders. | Question Not Answered | Question Not Answered
RR-10 | Ensure that the information security risk results are available to all tactical technology leadership personnel to facilitate better | Question Not Answered | Question Not Answered
RR-11 | Ensure that the information security and privacy risk results are available to all executive leadership personnel to facilitate bett | Question Not Answered | Question Not Answered
Collective Control Catalog (CCC): Personnel Management Controls

Total Implementation of Personnel Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
PER-01 | Define information security specific roles and responsibilities for all workforce members. | Question Not Answered | Question Not Answered
PER-02 | Ensure that the principle of separation of duties is applied to each of the roles and responsibilities defined for the organization | Question Not Answered | Question Not Answered
PER-03 | Implement a process for screening all workforce members prior to granting them access to the organization's information syst | Question Not Answered | Question Not Answered
PER-04 | Define information security and privacy specific terms and conditions of service for all workforce members. | Question Not Answered | Question Not Answered
PER-05 | Implement a process to ensure all of the organization's assets are returned to the organization upon termination of a workforc | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Physical Security Controls

Total Implementation of Physical Security Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
PHY-01 | Implement a physical security program in the organization which defines clear business goals for physically protecting the data the organization. | Question Not Answered | Question Not Answered
PHY-02 | Define physical security policies which outline specific physical security controls that will be implemented to support the organ goals. | Question Not Answered | Question Not Answered
PHY-03 | Monitor access to the organization's facilities to detect any violations of the organization's physical security policies. | Question Not Answered | Question Not Answered
PHY-04 | Implement a process to properly dispose of all physical assets to ensure that data is not inadvertently disclosed in the process | Question Not Answered | Question Not Answered
PHY-05 | Ensure that the organization's physical security program implements controls for entering the facility and protecting the physi | Question Not Answered | Question Not Answered
PHY-06 | Ensure that the organization's physical security program implements controls for clearly authorizing, identifying, and monitori | Question Not Answered | Question Not Answered
PHY-07 | Ensure that the organization's physical security program implements controls for physically securing internal facility spaces. | Question Not Answered | Question Not Answered
PHY-08 | Ensure that the organization's physical security program implements controls for maintaining control of all physical access dev cards). | Question Not Answered | Question Not Answered
PHY-09 | Ensure that the organization's physical security program implements controls for physically marking all physical devices contai information. | Question Not Answered | Question Not Answered
PHY-10 | Ensure that the organization's physical security program implements controls for ensuring proper environmental controls are | Question Not Answered | Question Not Answered
PHY-11 | Ensure that the organization's physical security program implements controls for protecting all information assets and infrastr | Question Not Answered | Question Not Answered
PHY-12 | Ensure that the organization's physical security program implements controls for only removing information assets from the o after proper authorization. | Question Not Answered | Question Not Answered
PHY-13 | Ensure that the organization's physical security program implements controls for physically securing unattended spaces, includ | Question Not Answered | Question Not Answered
PHY-14 | Ensure that the organization's physical security program implements controls for physically securing printers, photocopiers, or devices. | Question Not Answered | Question Not Answered
PHY-15 | Ensure that the organization's physical security program implements controls for logging all physical access to the organization | Question Not Answered | Question Not Answered
PHY-16 | Perform an assessment of the organization's physical security program and ensure that it is validated by an independent third | Question Not Answered | Question Not Answered
PHY-17 | Ensure that the organization's physical security program implements controls for remotely wiping mobile devices if they are lo | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Business Continuity Controls

Total Implementation of Business Continuity Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
BCP-01 | Implement a program to ensure the organization is able to appropriately achieve business continuity or perform disaster recove | Question Not Answered | Question Not Answered
BCP-02 | Ensure that the organization's business continuity and disaster recovery program is updated after every incident to incorporat the incident. | Question Not Answered | Question Not Answered
BCP-03 | Ensure that the organization's business continuity and disaster recovery program is actively maintained and updated on at lea | Question Not Answered | Question Not Answered
BCP-04 | Validate on a regular basis that the organization's information systems are able to achieve the goals of the organization's busin disaster recovery program. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Incident Management Controls

Total Implementation of Incident Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
IM-01 | Implement a written incident management program to address cyber security and privacy incidents in the organization. | Question Not Answered | Question Not Answered
IM-02 | Implement a written cyber security forensics program to technically assist the organization in addressing cyber security inciden | Question Not Answered | Question Not Answered
IM-03 | Ensure that the organization's written cyber security forensics program defines a process for carefully creating forensics image incident. | Question Not Answered | Question Not Answered
IM-04 | Ensure that the organization's written incident management program defines roles and responsibilities for workforce member | Question Not Answered | Question Not Answered
IM-05 | Ensure that the organization's written incident management program defines management and decision making responsibiliti during an incident. | Question Not Answered | Question Not Answered
IM-06 | Ensure that the organization's written incident management program defines how the organization will communicate with wo an incident. | Question Not Answered | Question Not Answered
IM-07 | Ensure that the organization's written incident management program defines how workforce members and others outside the report an incident if one is suspected. | Question Not Answered | Question Not Answered
IM-08 | Ensure that the organization's written incident management program defines how to engage outside groups (such as partners insurance providers) in the case of an incident. | Question Not Answered | Question Not Answered
IM-09 | Ensure that the organization's written incident management program defines how to notify those impacted by an incident and mechanisms to those impacted. | Question Not Answered | Question Not Answered
IM-10 | Implement technical incident detection systems to facilitate the organization's incident management program. | Question Not Answered | Question Not Answered
IM-11 | Test the organization's technical incident detection systems on a regular basis to ensure continuous improvement. | Question Not Answered | Question Not Answered
IM-12 | Maintain a dedicated security operations center and security incident response team in order to facilitate a 24/7 incident dete capability. | Question Not Answered | Question Not Answered
IM-13 | Conduct regular incident handling exercises to test the organization's program and ensure continuous improvement of the inc program. | Question Not Answered | Question Not Answered
IM-14 | Document all events that are determined to be incidents in an incident management reporting system. | Question Not Answered | Question Not Answered
IM-15 | Classify all documented incidents in accordance with an agreed upon incident classification system. | Question Not Answered | Question Not Answered
IM-16 | Document the root cause of all incidents to ensure better defense against future incidents. | Question Not Answered | Question Not Answered
IM-17 | Report to the organization's leadership stakeholders on the incidents occurring in the organization on a regular basis. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Privacy Controls

Total Implementation of Privacy Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
PRV-01 | Implement an organization-wide privacy program that defines transparent business goals for the privacy of data stored or pro organization. | Question Not Answered | Question Not Answered
PRV-02 | Define data security and privacy policies which outline specific privacy controls that will be implemented to support the organ goals. | Question Not Answered | Question Not Answered
PRV-03 | Ensure that the organization's security and privacy policies define the process for authorizing, maintaining, and revoking data | Question Not Answered | Question Not Answered
PRV-04 | Ensure that the organization's security and privacy policies define the process for reviewing, transferring, disclosing, modifying | Question Not Answered | Question Not Answered
PRV-05 | Ensure that the organization's security and privacy policies define the process for recording and maintaining an individual's pri | Question Not Answered | Question Not Answered
PRV-06 | Ensure that the organization's security and privacy policies define the process for recording, maintaining, and reviewing sta privacy. | Question Not Answered | Question Not Answered
PRV-07 | Ensure that the organization's security and privacy policies define the process for evaluating the organization's use of data for | Question Not Answered | Question Not Answered
PRV-08 | Ensure that the organization's security and privacy policies define the process for recording and evaluating data | Question Not Answered | Question Not Answered
PRV-09 | Ensure that the organization's security and privacy policies define the process for limiting the identification or inference of ind data. | Question Not Answered | Question Not Answered
PRV-10 | Ensure that the organization's security and privacy policies define the process for replacing attribute values with attribute refe | Question Not Answered | Question Not Answered
PRV-11 | Implement a process to inform customers and external business partners on how their data is being used and the organization | Question Not Answered | Question Not Answered
PRV-12 | Implement a process to obtain feedback from individuals regarding the organization's use of data and the associated privacy r | Question Not Answered | Question Not Answered
PRV-13 | Implement a system, such as a GRC, to record all data disclosures or data sharing performed by the organization. | Question Not Answered | Question Not Answered
PRV-14 | Ensure that the organization's data disclosure or sharing information can be appropriately shared with individuals outside of th | Question Not Answered | Question Not Answered
PRV-15 | Ensure that the organization can communicate data corrections or deletions to all appropriate or affected parties as necessary | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Asset Inventory Controls

Total Implementation of Asset Inventory Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
AID-01 | Maintain an information systems asset inventory system of each of the organization's systems with the ability to store or proc | Question Not Answered | Question Not Answered
AID-02 | Ensure that the organization's asset inventory system records essential demographic information including the systems' name network address, and other similar demographic information. | Question Not Answered | Question Not Answered
AID-03 | Ensure that the organization's asset inventory system records the systems' asset owner, business unit, business criticality, and approved for use by the organization. | Question Not Answered | Question Not Answered
AID-04 | Utilize an active discovery system to identify all devices connected to the organization's network. | Question Not Answered | Question Not Answered
AID-05 | Utilize a passive discovery system to identify all devices connected to the organization's network. | Question Not Answered | Question Not Answered
AID-06 | Implement a process to ensure that unauthorized devices are removed from the organization's network on a regular basis. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Software Inventory Controls

Total Implementation of Software Inventory Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
SID-01 | Maintain a software application inventory of each software application authorized to execute on the organization's informatio | Question Not Answered | Question Not Answered
SID-02 | Ensure that the organization's software application inventory system records essential demographic information including the publisher, install date, and other similar demographic information. | Question Not Answered | Question Not Answered
SID-03 | Ensure that the organization's software application inventory system records the software installed on each system as well as to have the software. | Question Not Answered | Question Not Answered
SID-04 | Ensure that all software applications authorized to execute on the organization's information systems are still maintained and software application's vendor. | Question Not Answered | Question Not Answered
SID-05 | Utilize a software application discovery system to identify all software applications present on the organization's information s | Question Not Answered | Question Not Answered
SID-06 | Implement a process to ensure that all unauthorized software is removed from the organization's information systems in a tim | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Application Control Controls

Total Implementation of Application Control Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
AC-01 | Implement a software application control system to ensure that only authorized application binaries are allowed to execute on information systems. | Question Not Answered | Question Not Answered
AC-02 | Configure the organization's software application control system to ensure that only authorized software libraries (such as *.d be utilized on the organization's information systems. | Question Not Answered | Question Not Answered
AC-03 | Configure the organization's software application control system to ensure that only authorized scripts (such as *.ps1, *.py, *.v utilized on the organization's information systems. | Question Not Answered | Question Not Answered
AC-04 | Configure the organization's software application control system to ensure that only authorized shell environments (such as P CMD, Python, etc.) are allowed to be utilized on the organization's information systems. | Question Not Answered | Question Not Answered
AC-05 | Configure the organization's software application control system to ensure that only authorized web browsers are allowed to organization's information systems. | Question Not Answered | Question Not Answered
AC-06 | Configure the organization's software application control system to ensure that only authorized web browser plugins are allow organization's information systems. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Patch Management Controls

Total Implementation of Patch Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
PAT-01 | Ensure that all operating system security updates are installed on a regular basis. | Question Not Answered | Question Not Answered
PAT-02 | Ensure that all software application security updates are installed on a regular basis. | Question Not Answered | Question Not Answered
PAT-03 | Implement a service level agreement that defines how quickly software updates must be installed, based on the severity of th | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Vulnerability Management Controls

Total Implementation of Vulnerability Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
VM-01 | Implement a vulnerability management system to scan the organization's information systems and identify potential weaknes | Question Not Answered | Question Not Answered
VM-02 | Configure the organization's vulnerability management system to utilize agents or to perform authenticated scans with a dedi each of the organization's information systems. | Question Not Answered | Question Not Answered
VM-03 | Configure the organization's vulnerability management system to prioritize the vulnerabilities detected by the scans in order t remediation of discovered vulnerabilities. | Question Not Answered | Question Not Answered
VM-04 | Configure the organization's vulnerability management system to compare the results of consecutive scans in order to ensure vulnerabilities are being remediated in a timely manner. | Question Not Answered | Question Not Answered
VM-05 | Configure the organization's vulnerability management system to scan for configuration vulnerabilities on each of the organiza systems. | Question Not Answered | Question Not Answered
VM-06 | Configure the organization's vulnerability management system to scan for open network ports on each of the organization's in (whether the systems are private or publicly facing). | Question Not Answered | Question Not Answered
VM-07 | Configure the organization's vulnerability management system to alert if it detects open network ports on systems not previou organization. | Question Not Answered | Question Not Answered
VM-08 | Implement a reporting process to ensure that all discovered vulnerabilities are reported to the systems' stakeholders in a time | Question Not Answered | Question Not Answered
VM-09 | Implement a remediation process to ensure that all discovered vulnerabilities are remediated in a timely manner on each of th information systems. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Configuration Management Controls

Total Implementation of Configuration Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
CM-01 | Maintain detailed security configuration benchmarks for each operating system supported by the organization. | Question Not Answered | Question Not Answered
CM-02 | Maintain detailed security configuration benchmarks for each software application supported by the organization. | Question Not Answered | Question Not Answered
CM-03 | Maintain detailed security configuration benchmarks for each relational database management system supported by the orga | Question Not Answered | Question Not Answered
CM-04 | Maintain detailed security configuration benchmarks for all directory services systems (such as Microsoft Active Directory) sup organization. | Question Not Answered | Question Not Answered
CM-05 | Maintain full system images, of all workstations and servers, reflecting all security configuration benchmarks agreed upon by t | Question Not Answered | Question Not Answered
CM-06 | Monitor and protect each of the organization's system images to ensure that no unauthorized changes are made to the agree | Question Not Answered | Question Not Answered
CM-07 | Implement configuration management tools to enforce the agreed upon security configuration benchmarks on all operating sy applications. | Question Not Answered | Question Not Answered
CM-08 | Ensure that all systems connected to the organization's network, whether onsite, connected remotely, and regardless of owne using the organization's configuration management system. | Question Not Answered | Question Not Answered
CM-09 | Regularly scan each of the organization's systems, using an SCAP compliant tool, to ensure that they are in compliance with th configuration benchmarks. | Question Not Answered | Question Not Answered
CM-10 | Report the results of regular security configuration scans to key business stakeholders to ensure they are aware of the risk ass misconfigurations. | Question Not Answered | Question Not Answered
CM-11 | Ensure that the organization's security configuration standard defines which scripting languages are authorized to execute in w unnecessary scripting languages are to be disabled. | Question Not Answered | Question Not Answered
CM-12 | Ensure that the organization's security configuration standard requires the use of anti-exploitation features, such as Data Exec Address Space Layout Randomization (ASLR), and Windows User Account Control for all operating systems. | Question Not Answered | Question Not Answered
CM-13 | Ensure that the organization's security configuration standard defines that the use of auto-run shall be blocked on all removable media. | Question Not Answered | Question Not Answered
CM-14 | Ensure that the organization's security configuration standard requires the use of encryption for all sensitive data in transit. | Question Not Answered | Question Not Answered
CM-15 | Ensure that the organization's security configuration standard defines that the organization's systems shall be blocked from co wireless networks. | Question Not Answered | Question Not Answered
CM-16 | Ensure that the organization's security configuration standard defines that the organization's systems shall be blocked from co wireless networks. | Question Not Answered | Question Not Answered
CM-17 | Ensure that the organization's security configuration standard defines that the organization's systems shall be blocked from co Bluetooth or Near Field Communications (NFC) systems. | Question Not Answered | Question Not Answered
CM-18 | Ensure that the organization's security configuration standard requires the use of machine screen locks if the system is idle for | Question Not Answered | Question Not Answered
CM-19 | Ensure that the organization's security configuration standard defines that only authorized use of NetBIOS or SMB should be a unauthorized access to these services is blocked. | Question Not Answered | Question Not Answered
CM-20 | Ensure that the organization's security configuration standard requires the use of secure system boot mechanisms to verify th operating system during the boot up process. | Question Not Answered | Question Not Answered
CM-21 | Ensure that the organization's security configuration standard requires the secure utilization of all Voice over IP (VoIP) t | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Endpoint P…
Total Implementation of Endpoint Protection Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
END-01 | Implement endpoint detection and response software on each of the organization's workstations and servers that regularly sc… malicious code. | Question Not Answered | Question Not Answered
END-02 | Configure the organization's endpoint detection and response software to be centrally managed. | Question Not Answered | Question Not Answered
END-03 | Configure the organization's endpoint detection and response software engine and signatures to be updated on a regular basi… | Question Not Answered | Question Not Answered
END-04 | Configure the organization's endpoint detection and response software to ensure that non-privileged users are not able to dis… | Question Not Answered | Question Not Answered
END-05 | Configure the organization's endpoint detection and response software to scan all removable devices connected to one of the… workstations or servers. | Question Not Answered | Question Not Answered
END-06 | Configure the organization's endpoint detection and response software to centrally alert the organization's security staff if ma… | Question Not Answered | Question Not Answered
END-07 | Implement host-based firewalls on each of the organization's workstations and servers. | Question Not Answered | Question Not Answered
END-08 | Configure the organization's host-based firewalls with a default deny access control list to block all traffic not specifically allow… | Question Not Answered | Question Not Answered
END-09 | Implement whole disk encryption on all mobile workstations. | Question Not Answered | Question Not Answered
END-10 | Implement host-based Data Loss Prevention (DLP) software on each of the organization's workstations and servers. | Question Not Answered | Question Not Answered
END-11 | Configure all workstations without a need for wireless network access to disable wireless on the device. | Question Not Answered | Question Not Answered
END-12 | Require the organization's personnel to utilize a virtualized (sandboxed) machine with separate enterprise spaces when perfor… | Question Not Answered | Question Not Answered
END-13 | Implement host-based intrusion detection and intrusion prevention on each of the organization's information systems. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Removable…
Total Implementation of Removable Media Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
REM-01 | Ensure that the organization's information systems are only authorized to read or execute data from authorized removable m… | Question Not Answered | Question Not Answered
REM-02 | Ensure that the organization's information systems are only authorized to write data to authorized removable media devices t… encrypted. | Question Not Answered | Question Not Answered
REM-03 | Maintain an inventory of all removable devices authorized to connect to the organization's information systems. | Question Not Answered | Question Not Answered
REM-04 | Assign accountable data owners to all removable media devices and paper containing the organization's sensitive information… | Question Not Answered | Question Not Answered
REM-05 | Physically control access to all removable media devices or paper containing the organization's sensitive information. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Mobile D…
Total Implementation of Removable Media Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
MDM-01 | Implement a Mobile Device Management (MDM) system to inventory and manage the organization's mobile devices (such as… similar systems). | Question Not Answered | Question Not Answered
MDM-02 | Ensure that all mobile device operating system security updates are installed on a regular basis. | Question Not Answered | Question Not Answered
MDM-03 | Ensure that all mobile device application security updates are installed on a regular basis. | Question Not Answered | Question Not Answered
MDM-04 | Ensure that all mobile devices require at least a six character Personal Identification Number (PIN) or device biometrics in orde… | Question Not Answered | Question Not Answered
MDM-05 | Ensure that the organization's Mobile Device Management (MDM) system has the capability to remotely wipe lost or stolen en… devices. | Question Not Answered | Question Not Answered
MDM-06 | Ensure that the organization's Mobile Device Management (MDM) system has the capability to require containerized business… browsers, email clients, etc.) for personally owned mobile devices accessing the organization's resources. | Question Not Answered | Question Not Answered
MDM-07 | Ensure that the organization's Mobile Device Management (MDM) system has the capability to alert on and block any jailbrok… | Question Not Answered | Question Not Answered
MDM-08 | Ensure that the organization's Mobile Device Management (MDM) system has the capability to block mobile devices from util… application stores. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Backu…
Total Implementation of Backup Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
BAC-01 | Implement a backup system to ensure that all data and information systems are backed up on a regular basis. | Question Not Answered | Question Not Answered
BAC-02 | Implement a backup system to create full backup images of all critical information system assets on a regular basis. | Question Not Answered | Question Not Answered
BAC-03 | Implement a process to ensure that all backups are tested on a regular basis. | Question Not Answered | Question Not Answered
BAC-04 | Implement a process to physically protect or encrypt all information system backups. | Question Not Answered | Question Not Answered
BAC-05 | Ensure that there is at least one immutable backup available for all information system backups that cannot be deleted, even… personnel. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Log Manag…
Total Implementation of Log Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
LOG-01 | Ensure that all systems are configured to use at least three consistent, centralized time services. | Question Not Answered | Question Not Answered
LOG-02 | Enable appropriate local operating system logging on each of the organization's systems. | Question Not Answered | Question Not Answered
LOG-03 | Enable appropriate local network device logging on each of the organization's systems. | Question Not Answered | Question Not Answered
LOG-04 | Enable appropriate local application logging on each of the organization's systems (whether onsite or at a remote service prov… | Question Not Answered | Question Not Answered
LOG-05 | Aggregate all appropriate local logs to a common, centralized log management system. | Question Not Answered | Question Not Answered
LOG-06 | Utilize an automated system to regularly review the organization's centrally aggregated logs to identify potential threats to th… information systems. | Question Not Answered | Question Not Answered
LOG-07 | Implement a process to regularly tune the organization's log management system to identify the most relevant and appropria… organization's information systems. | Question Not Answered | Question Not Answered
LOG-08 | Configure the organization's central log management system to alert key personnel when serious threats to the organization a… | Question Not Answered | Question Not Answered
LOG-09 | Configure appropriate access controls to the organization's central log management system to ensure that only authorized ind… the logs. | Question Not Answered | Question Not Answered
LOG-10 | Configure the organization's central log management system to alert when appropriate logs are not being received from one o… systems. | Question Not Answered | Question Not Answered
LOG-11 | Ensure that all of the organization's logs are retained for at least an agreed upon period of time (PCI - 12 months, Australian G… CIS - 3 months). | Question Not Answered | Question Not Answered
LOG-12 | Utilize a central platform, such as a Security Information and Event Management (SIEM) or Security Orchestration, Automation… platform, to centrally track the organization's response to cybersecurity alerts. | Question Not Answered | Question Not Answered
LOG-13 | Enable logging and alerting for when changes are made to data or information systems. | Question Not Answered | Question Not Answered
LOG-14 | Enable logging and alerting for when data is transmitted or disclosed to third parties. | Question Not Answered | Question Not Answered
LOG-15 | Enable logging and alerting for when data is deleted from information systems. | Question Not Answered | Question Not Answered
LOG-16 | Enable DHCP logging on each of the organization's DHCP servers. | Question Not Answered | Question Not Answered
LOG-17 | Enable logging and alerting for when unauthorized users are added to sensitive or elevated administrative groups. | Question Not Answered | Question Not Answered
LOG-18 | Enable logging and alerting for unsuccessful logon events to sensitive or elevated administrative user accounts. | Question Not Answered | Question Not Answered
LOG-19 | Enable logging and alerting for all logon attempts to deactivated user accounts. | Question Not Answered | Question Not Answered
LOG-20 | Enable logging and alerting for all logon events which do not match the normal behavior of individual user accounts (such as lo… system). | Question Not Answered | Question Not Answered
LOG-21 | Enable Microsoft PowerShell advanced logging on all Microsoft Windows systems. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): File Integ…
Total Implementation of File Integrity Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
FIM-01 | Implement a file integrity monitoring system to alert the organization to changes in software, critical configuration files or syst… | Question Not Answered | Question Not Answered
FIM-02 | Implement a file integrity monitoring system to alert the organization to changes in critical application data or files. | Question Not Answered | Question Not Answered
FIM-03 | Ensure that the organization's file integrity monitoring system is configured to log all events and alerts to the organization's se… event management system. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Identity Man…
Total Implementation of Identity Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
IDM-01 | Maintain an inventory of each of the identity database systems used to authenticate users to the organization's information sy… managed by a third party). | Question Not Answered | Question Not Answered
IDM-02 | Maintain an inventory of all user accounts that should be present in each of the organization's identity database systems. | Question Not Answered | Question Not Answered
IDM-03 | Regularly evaluate the inventory of identity database systems used by the organization and minimize the number of systems n… possible. | Question Not Answered | Question Not Answered
IDM-04 | Regularly evaluate the user accounts that are present in each of the organization's identity database systems to ensure that on… exist. | Question Not Answered | Question Not Answered
IDM-05 | Require Multi Factor Authentication (MFA) when authenticating any user to one of the organization's information systems. | Question Not Answered | Question Not Answered
IDM-06 | Ensure that each of the organization's authentication systems stores any credentials it manages utilizing encryption hashes with… | Question Not Answered | Question Not Answered
IDM-07 | Ensure that each of the organization's authentication systems only transmits the credentials it manages over encrypted networ… | Question Not Answered | Question Not Answered
IDM-08 | Implement an automated process to provision user accounts in the appropriate identity databases necessary for the user to p… | Question Not Answered | Question Not Answered
IDM-09 | Implement an automated process to deprovision user accounts in the appropriate identity databases necessary for the user to… functions. | Question Not Answered | Question Not Answered
IDM-10 | Implement an automated process to disable all user accounts that have not been accessed for a set period of time. | Question Not Answered | Question Not Answered
IDM-11 | Configure expiration dates on all user accounts so they automatically expire on the date configured. | Question Not Answered | Question Not Answered
IDM-12 | Configure all authentication systems to require the use of strong passwords (utilizing long, complex passwords that are not reu… user accounts based on something they know. | Question Not Answered | Question Not Answered
IDM-13 | Implement a system to manage cryptographic keys and secrets shared between workforce members. | Question Not Answered | Question Not Answered
IDM-14 | Do not allow the use of generic user identities or passwords that are shared between workforce members; do not allow concu… nor reuse identifiers within a set period of time. | Question Not Answered | Question Not Answered
IDM-15 | Configure the organization's authentication platform to lock out user accounts after a defined number of failed authentication… | Question Not Answered | Question Not Answered
IDM-16 | Ensure that if the organization assigns a user account a temporary password, the system is configured to immediately req… the password once the user logs in to the system for the first time. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Data In…
Total Implementation of Data Inventory Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
DI-01 | Maintain an inventory of all the organization's data stored or processed on onsite information systems (including specific data… | Question Not Answered | Question Not Answered
DI-02 | Maintain an inventory of all the organization's data stored or processed on external, third party, or cloud information systems… elements). | Question Not Answered | Question Not Answered
DI-03 | Define the categories of individuals whose data is being stored or processed by the organization's information systems. | Question Not Answered | Question Not Answered
DI-04 | Define the purpose for which specific pieces of data are being stored or processed by the organization's information systems. | Question Not Answered | Question Not Answered
DI-05 | Classify the criticality and sensitivity of all of the organization's data. | Question Not Answered | Question Not Answered
DI-06 | Define the business stakeholders who are the data owners for all data sets identified in the organization's data inventory. | Question Not Answered | Question Not Answered
DI-07 | Document the flow (movement) of data through all systems storing or processing the organization's data. | Question Not Answered | Question Not Answered
DI-08 | Utilize inventory tools to discover all of the organization's data stored or processed on onsite information systems. | Question Not Answered | Question Not Answered
DI-09 | Utilize inventory tools to label all of the organization's data stored or processed on onsite information systems. | Question Not Answered | Question Not Answered
DI-10 | Utilize inventory tools to discover all of the organization's data stored or processed on external, third party, or cloud informati… | Question Not Answered | Question Not Answered
DI-11 | Utilize inventory tools to label all of the organization's data stored or processed on external, third party, or cloud information s… | Question Not Answered | Question Not Answered
DI-12 | Limit the data that the organization collects to only that data necessary for approved business activities. | Question Not Answered | Question Not Answered
DI-13 | Implement a process to archive or destroy all data no longer necessary for the organization's business processes. | Question Not Answered | Question Not Answered
DI-14 | Implement a process to only request or store information necessary for the organization's business processes and to mask sen… | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Access Mana…
Total Implementation of Access Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
AM-01 | Configure appropriate access controls on each of the organization's system and data objects (including databases and director… only authorized individuals are granted access to the objects necessary for the user to do their job. | Question Not Answered | Question Not Answered
AM-02 | Configure appropriate access controls on each of the organization's system functions and privileges to ensure that only author… granted access to the functions necessary for the user to do their job. | Question Not Answered | Question Not Answered
AM-03 | Configure appropriate access controls on all of the organization's software code to ensure that only authorized individuals are… software code necessary for the user to do their job. | Question Not Answered | Question Not Answered
AM-04 | Utilize role based access controls when assigning permissions to objects, assigning access based on group memberships rather… | Question Not Answered | Question Not Answered
AM-05 | Encrypt appropriate information at rest. | Question Not Answered | Question Not Answered
AM-06 | Encrypt appropriate information in transit. | Question Not Answered | Question Not Answered
AM-07 | Ensure that each of the organization's information systems is properly managed throughout the system's lifecycle, including p… systems. | Question Not Answered | Question Not Answered
AM-08 | Implement access control policies to ensure the principle of segregation of duties. | Question Not Answered | Question Not Answered
AM-09 | Implement a process to ensure that all user account access is reviewed on a regular basis in order to ensure that only authoriz… access to what is necessary for the user to do their job. | Question Not Answered | Question Not Answered
AM-10 | Prevent sensitive information from being posted to inappropriate public locations (such as websites, blogs, or social media). | Question Not Answered | Question Not Answered
Collective Control Catalog (CCC): Privileged A…
Total Implementation of Privileged Access Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
PAM-01 | Maintain an inventory of all privileged user accounts authorized on the organization's workstations and servers. | Question Not Answered | Question Not Answered
PAM-02 | Maintain an inventory of all privileged user accounts authorized on the organization's network devices and appliances. | Question Not Answered | Question Not Answered
PAM-03 | Maintain an inventory of all privileged user accounts authorized on the organization's application systems (whether onsite or m… | Question Not Answered | Question Not Answered
PAM-04 | Utilize an automated system to alert key personnel if privileged user accounts are added or removed from the system. | Question Not Answered | Question Not Answered
PAM-05 | Ensure that all default accounts on a system are using a dedicated, non-default password to authenticate. | Question Not Answered | Question Not Answered
PAM-06 | Ensure that only authorized workforce members are granted the rights to be a privileged user in the organization. | Question Not Answered | Question Not Answered
PAM-07 | Ensure that all privileged accounts assigned to workforce members are unique accounts (not shared) and dedicated to privileg… standard accounts are not used for privileged activities (including emergency access). | Question Not Answered | Question Not Answered
PAM-08 | Educate all workforce members with privileged accounts on the roles and responsibilities of having such access. | Question Not Answered | Question Not Answered
PAM-09 | Ensure that all local privileged accounts on workstations and servers are not using the same password to authenticate. | Question Not Answered | Question Not Answered
PAM-10 | Ensure that all local privileged accounts on network devices and appliances are not using the same password to authenticate. | Question Not Answered | Question Not Answered
PAM-11 | Ensure that all local privileged accounts on databases are not using the same password to authenticate. | Question Not Answered | Question Not Answered
PAM-12 | Ensure that all privileged user accounts are required to use Multi Factor Authentication to authenticate. | Question Not Answered | Question Not Answered
PAM-13 | Ensure that no privileged user accounts are authorized to remotely authenticate to a system directly over the Internet or acce… privileged user accounts. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Network Device M…
Total Implementation of Network Device Management Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
NDM-01 | Maintain an information systems asset inventory system of each of the organization's authorized network devices (including s… etc.). | Question Not Answered | Question Not Answered
NDM-02 | Maintain an authorized hardening standard for each of the organization's authorized network devices (for each vendor and de… | Question Not Answered | Question Not Answered
NDM-03 | Maintain an authorized list of access control list rules in place for each of the organization's authorized network devices. | Question Not Answered | Question Not Answered
NDM-04 | Implement a system that compares, on a regular basis, each network device's firmware and configuration to the authorized netw… configuration baseline and then alerts on any differences between the two configurations. | Question Not Answered | Question Not Answered
NDM-05 | Implement a system to ensure that each of the organization's network devices is running the latest software or firmware sec… from the vendor. | Question Not Answered | Question Not Answered
NDM-06 | Configure each of the organization's boundary network devices to record NetFlow statistics for all data observed by the device… | Question Not Answered | Question Not Answered
NDM-07 | Configure each of the organization's authorized network devices to only allow encrypted sessions when managing the devi… | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Boundary D…
Total Implementation of Boundary Device Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
BD-01 | Maintain an inventory system of each of the organization's network boundaries (including internet, third party connection, etc… | Question Not Answered | Question Not Answered
BD-02 | Implement boundary network firewalls at each of the organization's network boundaries to block potentially unauthorized ne… | Question Not Answered | Question Not Answered
BD-03 | Configure the organization's boundary network firewalls to block connections to unauthorized IP addresses (such as malicious… unnecessary for business, etc. IP addresses). | Question Not Answered | Question Not Answered
BD-04 | Configure the organization's boundary network firewalls to block connections to unauthorized cloud storage or email service p… | Question Not Answered | Question Not Answered
BD-05 | Configure the organization's boundary network firewalls to block inbound and outbound connections to unauthorized networ… | Question Not Answered | Question Not Answered
BD-06 | Implement network based Data Loss Prevention (DLP) systems at each of the organization's network boundaries to block pote… network traffic. | Question Not Answered | Question Not Answered
BD-07 | Implement application aware firewalls to filter all network traffic to critical network services (such as databases and web appli… | Question Not Answered | Question Not Answered
BD-08 | Implement Intrusion Detection Systems (IDSs) at each of the organization's network boundaries to detect potentially unautho… | Question Not Answered | Question Not Answered
BD-09 | Configure the organization's Intrusion Detection Systems (IDSs) to alert when they detect unauthorized, encrypted traffic at the… boundary. | Question Not Answered | Question Not Answered
BD-10 | Implement Intrusion Prevention Systems (IPSs) at each of the organization's network boundaries to block potentially unauthor… | Question Not Answered | Question Not Answered
BD-11 | Implement a network packet capture system to record all traffic passing through one of the organization's network boundarie… | Question Not Answered | Question Not Answered
BD-12 | Implement technical deception mechanisms to confuse or mislead potential adversaries. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Remote A…
Total Implementation of Remote Access Controls
Risk Addressed: 0%
Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
RA-01 | Limit and maintain an inventory of all remote access points that can be used to access the organization's information systems… | Question Not Answered | Question Not Answered
RA-02 | Maintain an inventory of all workforce members authorized to access the organization's information systems remotely. | Question Not Answered | Question Not Answered
RA-03 | Ensure that only authorized workforce members are provided remote access to the organization's information systems. | Question Not Answered | Question Not Answered
RA-04 | Ensure that only authorized computing devices are provided remote access to the organization's information systems. | Question Not Answered | Question Not Answered
RA-05 | Ensure that only authorized workforce members are able to perform elevated, privileged activities from remote systems. | Question Not Answered | Question Not Answered
RA-06 | Ensure that all remote access to the organization's information systems requires multi-factor authentication prior to providing… | Question Not Answered | Question Not Answered
RA-07 | Enable user behavior analytics as a factor for authenticating workforce members accessing the organization's information syst… factors such as time of day, geographic location, or similar factors when authenticating access. | Question Not Answered | Question Not Answered
RA-08 | Ensure that all remote access to the organization's information systems requires encrypted data in transit between the remote… organization's information systems. | Question Not Answered | Question Not Answered
RA-09 | Maintain logs of all remote access to the organization's information systems from remote systems. | Question Not Answered | Question Not Answered
RA-10 | Prevent remote systems from remotely accessing the organization's information systems and the local network of remote syst… known as split-tunneling. | Question Not Answered | Question Not Answered
RA-11 | Terminate remote access sessions to the organization's information systems after a defined period of inactivity. | Question Not Answered | Question Not Answered
Collective Control Catalog (CCC): Web Filtering Controls

Total Implementation of Web Filtering Controls

Risk Addressed: 0%

Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
WF-01 | Utilize Uniform Resource Locator (URL) based filtering to ensure that the organization's systems only connect to authorized ex[...] | Question Not Answered | Question Not Answered
WF-02 | Subscribe to a Uniform Resource Locator (URL) categorization service to ensure that the organization's systems only connect t[...] systems. | Question Not Answered | Question Not Answered
WF-03 | Utilize content based web filtering (block scripting languages, downloads, etc.) to ensure systems do not download harmful con[...] systems. | Question Not Answered | Question Not Answered
WF-04 | Utilize an allow list for all external websites to ensure that the organization's systems only connect to authorized external syst[...] | Question Not Answered | Question Not Answered
WF-05 | Intercept and examine all encrypted Transport Layer Security (TLS) sessions to ensure that all traffic is filtered from external sy[...] | Question Not Answered | Question Not Answered
WF-06 | Log the Uniform Resource Locator (URL) for all external system connections to identify systems attempting to access unautho[...] systems. | Question Not Answered | Question Not Answered
WF-07 | Utilize Domain Name System (DNS) based filtering to block access to malicious systems. | Question Not Answered | Question Not Answered
WF-08 | Log all Domain Name System (DNS) queries to identify systems attempting to access unauthorized or malicious systems. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Email Filtering Controls

Total Implementation of Email Filtering Controls

Risk Addressed: 0%

Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
EF-01 | Implement all appropriate Domain Name System (DNS) records to help provide reputation services to organizations receiving [...] organization (such as SPF, DKIM, DMARC). | Question Not Answered | Question Not Answered
EF-02 | Implement email content filtering systems to prevent malicious content from entering the organization's email systems. | Question Not Answered | Question Not Answered
EF-03 | Block all unnecessary attachments (file extensions, scripts, etc.) from entering the organization's email systems. | Question Not Answered | Question Not Answered
EF-04 | Utilize tools to analyze inbound email attachments in a sandboxed (detonation chamber) system to prevent harmful content f[...] organization's email systems. | Question Not Answered | Question Not Answered
EF-05 | Configure all email servers to require the use of Transport Layer Security (TLS) to encrypt mail between mail servers. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Network Segmentation Controls

Total Implementation of Network Segmentation Controls

Risk Addressed: 0%

Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
NSC-01 | Implement port level authentication (802.1x) on all network switches to ensure that only authorized devices are able to conne[...] wired network. | Question Not Answered | Question Not Answered
NSC-02 | Configure the organization's port level authentication (802.1x) system to require machine certificates in order to authenticate [...] wired network. | Question Not Answered | Question Not Answered
NSC-03 | Create and document dedicated Virtual Local Area Networks (VLANs) for each logical grouping of endpoint workstations (inclu[...] privileged administrative accounts). | Question Not Answered | Question Not Answered
NSC-04 | Create and document dedicated Virtual Local Area Networks (VLANs) for each logical grouping of server systems. | Question Not Answered | Question Not Answered
NSC-05 | Create and document dedicated Virtual Local Area Networks (VLANs) for each logical grouping of network device managemen[...] | Question Not Answered | Question Not Answered
NSC-06 | Document and approve all information data flows between systems on the organization's network and those to third-party or[...] | Question Not Answered | Question Not Answered
NSC-07 | Define and enforce Access Control Lists (ACLs) between all Virtual Local Area Networks (VLANs) on the organization's network [...] | Question Not Answered | Question Not Answered
NSC-08 | Disable all workstation to workstation communication on Virtual Local Area Networks (VLANs) dedicated to workstations. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Wireless Controls

Total Implementation of Wireless Controls

Risk Addressed: 0%

Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
WIR-01 | Maintain an inventory of all wireless access points authorized to connect to the organization's network (whether used for inte[...] | Question Not Answered | Question Not Answered
WIR-02 | Regularly scan the organization's wired network to ensure that only authorized wireless access points are connected to the ne[...] | Question Not Answered | Question Not Answered
WIR-03 | Regularly scan the organization's physical locations to ensure that only authorized wireless access points are located in the org[...] | Question Not Answered | Question Not Answered
WIR-04 | Implement a process to ensure that unauthorized wireless access points are removed from the organization's on a regular bas[...] | Question Not Answered | Question Not Answered
WIR-05 | Ensure that all wireless access points connecting to the organization's internal network utilize certificate based authentication [...] authenticate to the organization's internal wireless networks. | Question Not Answered | Question Not Answered
WIR-06 | Ensure that all wireless access points connecting to the organization's internal network utilize AES-CCMP to encrypt data in tra[...] networks. | Question Not Answered | Question Not Answered
WIR-07 | Create a separate, dedicated wireless network for untrusted wireless devices (such as those that are not owned or managed b[...] block all communications from this network to the organization's internal network. | Question Not Answered | Question Not Answered
WIR-08 | Maintain an inventory of all wireless devices authorized to connect to the organization's information systems. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Software Development Controls

Total Implementation of Software Development Controls

Risk Addressed: 0%

Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
SDS-01 | Maintain a documented software development lifecycle that each software application development effort will follow when c[...] applications. | Question Not Answered | Question Not Answered
SDS-02 | Maintain documented secure software development practices for each coding language employed by the organization to deve[...] | Question Not Answered | Question Not Answered
SDS-03 | Ensure that the organization's software development practices include guidance for validating input that is processed by the o[...] applications. | Question Not Answered | Question Not Answered
SDS-04 | Ensure that the organization's software development practices include guidance for only using approved, industry reviewed en[...] | Question Not Answered | Question Not Answered
SDS-05 | Ensure that the organization's software development practices include guidance for only using approved, industry reviewed d[...] and formats. | Question Not Answered | Question Not Answered
SDS-06 | Ensure that the organization's software development practices include guidance for including privacy values in each software [...] | Question Not Answered | Question Not Answered
SDS-07 | Ensure that all software libraries and third party modules that are used by the organization in their application development p[...] use in the organization. | Question Not Answered | Question Not Answered
SDS-08 | Ensure that all software libraries and third party modules that are used by the organization in their application development p[...] date with the latest security updates. | Question Not Answered | Question Not Answered
SDS-09 | Ensure that all software libraries and third party modules that are used by the organization in their application development p[...] maintained and supported by the vendor. | Question Not Answered | Question Not Answered
SDS-10 | Maintain a separate development environment for each of the software applications maintained by the organization that is se[...] production systems. | Question Not Answered | Question Not Answered
SDS-11 | Ensure that application developers are only granted access to the organization's development environments, and never to the [...] systems. | Question Not Answered | Question Not Answered
SDS-12 | Ensure that all test data used in a development environment has been sanitized of all sensitive or personally identifiable inform[...] defensive controls are used to protect the development environment. | Question Not Answered | Question Not Answered
SDS-13 | Ensure that the organization's software development practices include guidance for proper error handling and output handlin[...] software applications. | Question Not Answered | Question Not Answered


Collective Control Catalog (CCC): Code Analysis Controls

Total Implementation of Code Analysis Controls

Risk Addressed: 0%

Risk Accepted: 100%

ID | CCC Control Detail | Policy Defined | Control Implemented
SCA-01 | Utilize application code analysis tools to scan custom developed application code for potential weaknesses. | Question Not Answered | Question Not Answered
SCA-02 | Implement a process to allow individuals (inside and outside of the organization) to report potential security weaknesses in cu[...] application code. | Question Not Answered | Question Not Answered
SCA-03 | Implement a program to regularly perform application penetration testing for each of the organization's custom developed so[...] | Question Not Answered | Question Not Answered
SCA-04 | Utilize the organization's software development issue tracking software to track and prioritize all security weaknesses discover[...] application code. | Question Not Answered | Question Not Answered
SCA-05 | Implement a service level agreement which defines how quickly security weaknesses in custom developed application code m[...] on the severity of the security weakness. | Question Not Answered | Question Not Answered
SCA-06 | Remediate all security weaknesses discovered in application code in a timely manner. | Question Not Answered | Question Not Answered
SCA-07 | Regularly report to all relevant stakeholders on the security weaknesses present in all of the organization's custom developed [...] | Question Not Answered | Question Not Answered