💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected

Contextual name: 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
ID: /frameworks/nist-csf-v2.0/pr-ds/10
Located in: 💼 Data Security (PR.DS)

Description

Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed
Protect data in use from access by other users and processes of the same platform

Similar

Sections
- /frameworks/nist-csf-v1.1/pr-ds/05
- /frameworks/nist-sp-800-53-r5/ac/02
- /frameworks/nist-sp-800-53-r5/ac/03
- /frameworks/nist-sp-800-53-r5/ac/04
- /frameworks/nist-sp-800-53-r5/au/09
- /frameworks/nist-sp-800-53-r5/au/13
- /frameworks/nist-sp-800-53-r5/ca/03
- /frameworks/nist-sp-800-53-r5/cp/09
- /frameworks/nist-sp-800-53-r5/sa/08
- /frameworks/nist-sp-800-53-r5/sc/04
- /frameworks/nist-sp-800-53-r5/sc/07
- /frameworks/nist-sp-800-53-r5/sc/11
- /frameworks/nist-sp-800-53-r5/sc/13
- /frameworks/nist-sp-800-53-r5/sc/24
- /frameworks/nist-sp-800-53-r5/sc/32
- /frameworks/nist-sp-800-53-r5/sc/38
- /frameworks/nist-sp-800-53-r5/sc/40
- /frameworks/nist-sp-800-53-r5/sc/43
- /frameworks/nist-sp-800-53-r5/si/03
- /frameworks/nist-sp-800-53-r5/si/04
- /frameworks/nist-sp-800-53-r5/si/07
- /frameworks/nist-sp-800-53-r5/si/10
- /frameworks/nist-sp-800-53-r5/si/16

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	66
💼 NIST SP 800-53 Revision 5 → 💼 AC-2 Account Management	13	20	34
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	37
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	68	89
💼 NIST SP 800-53 Revision 5 → 💼 AU-9 Protection of Audit Information	7	2	4
💼 NIST SP 800-53 Revision 5 → 💼 AU-13 Monitoring for Information Disclosure	3
💼 NIST SP 800-53 Revision 5 → 💼 CA-3 Information Exchange	7
💼 NIST SP 800-53 Revision 5 → 💼 CP-9 System Backup	8		4
💼 NIST SP 800-53 Revision 5 → 💼 SA-8 Security and Privacy Engineering Principles	33		7
💼 NIST SP 800-53 Revision 5 → 💼 SC-4 Information in Shared System Resources	2
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	50
💼 NIST SP 800-53 Revision 5 → 💼 SC-11 Trusted Path	1
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		13
💼 NIST SP 800-53 Revision 5 → 💼 SC-24 Fail in Known State
💼 NIST SP 800-53 Revision 5 → 💼 SC-32 System Partitioning	1
💼 NIST SP 800-53 Revision 5 → 💼 SC-38 Operations Security
💼 NIST SP 800-53 Revision 5 → 💼 SC-40 Wireless Link Protection	4
💼 NIST SP 800-53 Revision 5 → 💼 SC-43 Usage Restrictions
💼 NIST SP 800-53 Revision 5 → 💼 SI-3 Malicious Code Protection	10		5
💼 NIST SP 800-53 Revision 5 → 💼 SI-4 System Monitoring	25	1	8
💼 NIST SP 800-53 Revision 5 → 💼 SI-7 Software, Firmware, and Information Integrity	17	19	43
💼 NIST SP 800-53 Revision 5 → 💼 SI-10 Information Input Validation	6
💼 NIST SP 800-53 Revision 5 → 💼 SI-16 Memory Protection

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (111)

Policy	Logic Count	Flags
📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟢	1	🟢 x6
📝 AWS Account IAM Access Analyzer is not enabled for all regions 🟢	1	🟢 x6
📝 AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS Account Root User credentials were used is the last 30 days 🟢	1	🟢 x6
📝 AWS Account Root User has active access keys 🟢	1	🟢 x6
📝 AWS API Gateway API Route Authorization Type is not configured 🟢	1	🟢 x6
📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Default Root Object is not configured 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses default SSL/TLS certificate 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢	1	🟢 x6
📝 AWS CloudTrail is not encrypted with KMS CMK 🟢	1	🟢 x6
📝 AWS CloudTrail Log File Validation is not enabled 🟢	1	🟢 x6
📝 AWS DAX Cluster Server-Side Encryption is not enabled 🟢	1	🟢 x6
📝 AWS DMS Endpoint doesn't use SSL 🟢	1	🟢 x6
📝 AWS DMS Replication Instance is publicly accessible 🟢	1	🟢 x6
📝 AWS DynamoDB Table Point In Time Recovery is not enabled 🟢	1	🟢 x6
📝 AWS EBS Attached Volume is not encrypted 🟢	1	🟢 x6
📝 AWS EBS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 🟢	1	🟢 x6
📝 AWS EC2 Default Security Group does not restrict all traffic 🟢	1	🟢 x6
📝 AWS EC2 Instance IMDSv2 is not enabled 🟢	1	🟢 x6
📝 AWS EC2 Instance with an auto-assigned public IP address is in a default subnet 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted DNS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted ICMP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted NetBIOS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢	1	🟢 x6
📝 AWS EFS File System encryption is not enabled 🟢	1	🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 AWS IAM Server Certificate is expired 🟢	1	🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢	1	🟠 x1, 🟢 x5
📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢	1	🟢 x6
📝 AWS RDS Instance Encryption is not enabled 🟢	1	🟢 x6
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢	1	🟢 x6
📝 AWS RDS Instance uses default endpoint port 🟢	1	🟢 x6
📝 AWS RDS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢	1	🟢 x6
📝 AWS S3 Bucket Lifecycle Configuration is not enabled 🟢	1	🟢 x6
📝 AWS S3 Bucket Object Lock is not enabled 🟠🟢	1	🟠 x1, 🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢	1	🟢 x6
📝 AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service 🟢	1	🟢 x6
📝 AWS VPC Network ACL exposes admin ports to public internet ports 🟢	1	🟢 x6
📝 AWS VPC Subnet Map Public IP On Launch is enabled 🟢	1	🟢 x6
📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢	1	🟢 x6
📝 Azure App Service Basic Authentication is enabled 🟢		🟢 x3
📝 Azure App Service FTP deployments are not disabled 🟢	1	🟢 x6
📝 Azure App Service HTTPS Only configuration is not enabled 🟢	1	🟢 x6
📝 Azure Cosmos DB Account Private Endpoints are not used 🟢	1	🟢 x6
📝 Azure Cosmos DB Account Virtual Network Filter is not enabled 🟢	1	🟢 x6
📝 Azure Cosmos DB Entra ID Client Authentication is not used 🟢		🟢 x3
📝 Azure Diagnostic Setting Logs export to Storage Account not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to HTTP(S) ports 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to RDP port 🟢	1	🟢 x6
📝 Azure Network Security Group allows public access to SSH port 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢	1	🟢 x6
📝 Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) 🟢	1	🟢 x6
📝 Azure Storage Account Allow Blob Anonymous Access is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Cross Tenant Replication is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Secure Transfer Required is not enabled 🟢	1	🟢 x6
📝 Azure Storage Account Trusted Azure Services are not enabled as networking exceptions 🟢	1	🟢 x6
📝 Azure Subscription Network Watcher is not enabled in every available region 🟢	1	🟢 x6
📝 Azure Unattached Managed Disk is not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Azure Virtual Machine OS and Data disks are not encrypted with Customer-managed key 🟢	1	🟢 x6
📝 Consumer Google Accounts are used 🟢		🟢 x3
📝 Google API Key is not restricted for unused APIs 🟢	1	🟢 x6
📝 Google API Key is not rotated every 90 days 🟢	1	🟢 x6
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Cloud DNS Managed Zone DNSSEC is not enabled 🟢	1	🟢 x6
📝 Google Cloud MySQL Instance allows anyone to connect with administrative privileges 🟢		🟢 x3
📝 Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Instance Automated Backups are not configured 🟢	1	🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Instance has public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance external scripts enabled Database Flag is not set to off 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance user options Database Flag is configured 🟢	1	🟢 x6
📝 Google GCE Instance has a public IP address 🟢	1	🟢 x6
📝 Google GCE Instance is configured to use the Default Service Account with full access to all Cloud APIs 🟢	1	🟢 x6
📝 Google GCE Instance IP Forwarding is not disabled. 🟢	1	🟢 x6
📝 Google GCE Instance OS Login is not enabled 🟢	1	🟢 x6
📝 Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet 🟢	1	🟢 x6
📝 Google GCE Subnetwork Flow Logs are not enabled 🟢	1	🟢 x6
📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites 🟢		🟢 x3
📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢	1	🟢 x6
📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢		🟠 x1, 🟢 x3
📝 Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟢	1	🟢 x6
📝 Google Project has API Keys 🟢	1	🟠 x1, 🟢 x5
📝 Google Storage Bucket is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟢	1	🟢 x6
📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢	1	🟢 x6

Description​

Similar​

Similar Sections (Take Policies From)​

Sub Sections​

Policies (111)​

Description

Similar

Similar Sections (Take Policies From)

Sub Sections

Policies (111)