Skip to main content

💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles

  • ID: /frameworks/nist-csf-v2.0/id-am/08

Stats

not available

Description

  1. Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
  2. Integrate cybersecurity considerations into product life cycles
  3. Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
  4. Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
  5. Properly configure and secure systems, hardware, software, and services prior to their deployment in production
  6. Update inventories when systems, hardware, software, and services are moved or transferred within the organization
  7. Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
  8. Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
  9. Offer methods for destroying paper, storage media, and other physical forms of data storage

Similar

  • Sections
    • /frameworks/nist-csf-v1.1/pr-ds/03
    • /frameworks/nist-csf-v1.1/pr-ma/01
    • /frameworks/nist-csf-v1.1/pr-ma/02
    • /frameworks/nist-csf-v1.1/pr-ip/06
    • /frameworks/nist-sp-800-53-r5/cm/09
    • /frameworks/nist-sp-800-53-r5/cm/13
    • /frameworks/nist-sp-800-53-r5/ma/02
    • /frameworks/nist-sp-800-53-r5/ma/06
    • /frameworks/nist-sp-800-53-r5/pl/02
    • /frameworks/nist-sp-800-53-r5/pm/23
    • /frameworks/nist-sp-800-53-r5/pm/22
    • /frameworks/nist-sp-800-53-r5/sa/03
    • /frameworks/nist-sp-800-53-r5/sa/04
    • /frameworks/nist-sp-800-53-r5/sa/08
    • /frameworks/nist-sp-800-53-r5/sa/22
    • /frameworks/nist-sp-800-53-r5/si/12
    • /frameworks/nist-sp-800-53-r5/si/18
    • /frameworks/nist-sp-800-53-r5/sr/05
    • /frameworks/nist-sp-800-53-r5/sr/12

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 NIST CSF v1.1 → 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition8no data
💼 NIST CSF v1.1 → 💼 PR.IP-6: Data is destroyed according to policy5no data
💼 NIST CSF v1.1 → 💼 PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled toolsno data
💼 NIST CSF v1.1 → 💼 PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access11no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-9 Configuration Management Plan18no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-13 Data Action Mappingno data
💼 NIST SP 800-53 Revision 5 → 💼 MA-2 Controlled Maintenance2no data
💼 NIST SP 800-53 Revision 5 → 💼 MA-6 Timely Maintenance3no data
💼 NIST SP 800-53 Revision 5 → 💼 PL-2 System Security and Privacy Plans3no data
💼 NIST SP 800-53 Revision 5 → 💼 PM-22 Personally Identifiable Information Quality Managementno data
💼 NIST SP 800-53 Revision 5 → 💼 PM-23 Data Governance Bodyno data
💼 NIST SP 800-53 Revision 5 → 💼 SA-3 System Development Life Cycle34no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-4 Acquisition Process12no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-8 Security and Privacy Engineering Principles338no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-22 Unsupported System Components1no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention38no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-18 Personally Identifiable Information Quality Operations5no data
💼 NIST SP 800-53 Revision 5 → 💼 SR-5 Acquisition Strategies, Tools, and Methods2no data
💼 NIST SP 800-53 Revision 5 → 💼 SR-12 Component Disposalno data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (28)

PolicyLogic CountFlagsCompliance
🛡️ AWS Backup Vault contains unencrypted Recovery Points🟢1🟢 x6no data
🛡️ AWS CodeBuild Project Bitbucket Source Location URL contains credentials🟢1🟢 x6no data
🛡️ AWS DynamoDB Table does not have on-demand backups in the past 90 days🟢1🟢 x6no data
🛡️ AWS DynamoDB Table Point In Time Recovery is not enabled🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢1🟢 x6no data
🛡️ AWS ElastiCache Redis Cluster automatic backups are not enabled🟢1🟢 x6no data
🛡️ AWS EMR Cluster encryption is disabled🟢⚪🟢 x2, ⚪ x1no data
🛡️ AWS RDS Cluster Backup Retention Period is less than 7 days🟢1🟢 x6no data
🛡️ AWS RDS Instance automated backups are not enabled🟢1🟢 x6no data
🛡️ AWS S3 Bucket MFA Delete is not enabled🟠🟢1🟠 x1, 🟢 x6no data
🛡️ AWS S3 Bucket Versioning is not enabled🟢1🟢 x6no data
🛡️ Google API Key is not restricted for unused APIs🟢1🟢 x6no data
🛡️ Google API Key is not rotated every 90 days🟢1🟢 x6no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Cloud Asset Inventory API is not enabled🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢1🟢 x6no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢1🟢 x6no data
🛡️ Google Cloud MySQL Instance allows anyone to connect with administrative privileges🟢⚪🟢 x2, ⚪ x1no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance user options Database Flag is configured🟢1🟢 x6no data
🛡️ Google Project has a default network🟢1🟢 x6no data
🛡️ Google Project has a legacy network🟢1🟢 x6no data
🛡️ Google Project has API Keys🟢1🟠 x1, 🟢 x5no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢1🟢 x6no data