💼 CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | 13 | | | |
    💼 CC6.1-1 Identifies and Manages the Inventory of Information Assets | | | | |
    💼 CC6.1-2 Assesses New Architectures | | | | |
    💼 CC6.1-3 Restricts Logical Access | | 1 | 2 | |
    💼 CC6.1-4 Identifies and Authenticates Users | | 4 | 4 | |
    💼 CC6.1-5 Considers Network Segmentation | | 1 | 1 | |
    💼 CC6.1-6 Manages Points of Access | | 5 | 6 | |
    💼 CC6.1-7 Restricts Access to Information Assets | | 12 | 12 | |
    💼 CC6.1-8 Manages Identification and Authentication | | 18 | 21 | |
    💼 CC6.1-9 Manages Credentials for Infrastructure and Software | | 3 | 3 | |
    💼 CC6.1-10 Uses Encryption to Protect Data | | 6 | 6 | |
    💼 CC6.1-11 Protects Encryption Keys | | 6 | 8 | |
    💼 CC6.1-12 Restricts Access to and Use of Confidential Information for Identified Purposes | | | | |
    💼 CC6.1-13 Restricts Access to and the Use of Personal Information | | | | |
💼 CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. | 3 | | | |
    💼 CC6.2-1 Creates Access Credentials to Protected Information Assets | | | | |
    💼 CC6.2-2 Reviews Appropriateness of Access Credentials | | | | |
    💼 CC6.2-3 Prevents the Use of Credentials When No Longer Valid | | | | |
💼 CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives. | 4 | | | |
    💼 CC6.3-1 Creates or Modifies Access to Protected Information Assets | | | | |
    💼 CC6.3-2 Removes Access to Protected Information Assets | | | | |
    💼 CC6.3-3 Uses Access Control Structures | | 1 | 1 | |
    💼 CC6.3-4 Reviews Access Roles and Rules | | | | |
💼 CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives. | 4 | | | |
    💼 CC6.4-1 Creates or Modifies Physical Access | | | | |
    💼 CC6.4-2 Removes Physical Access | | | | |
    💼 CC6.4-3 Recovers Physical Devices | | | | |
    💼 CC6.4-4 Reviews Physical Access | | | | |
💼 CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives. | 1 | | | |
    💼 CC6.5-1 Removes Data and Software From Entity Control | | | | |
💼 CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | 4 | | | |
    💼 CC6.6-1 Restricts Access | | 15 | 15 | |
    💼 CC6.6-2 Protects Identification and Authentication Credentials | | | | |
    💼 CC6.6-3 Requires Additional Authentication or Credentials | | 4 | 4 | |
    💼 CC6.6-4 Implements Boundary Protection Systems | | | | |
💼 CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. | 4 | | | |
    💼 CC6.7-1 Restricts the Ability to Perform Transmission | | | | |
    💼 CC6.7-2 Uses Encryption Technologies or Secure Communication Channels to Protect Data | | 3 | 4 | |
    💼 CC6.7-3 Protects Removal Media | | | | |
    💼 CC6.7-4 Protects Endpoint Devices | | | | |
💼 CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. | 5 | | | |
    💼 CC6.8-1 Restricts Installation and Modification of Application and Software | | | | |
    💼 CC6.8-2 Detects Unauthorized Changes to Software and Configuration Parameters | | | | |
    💼 CC6.8-3 Uses a Defined Change Control Process | | | | |
    💼 CC6.8-4 Uses Antivirus and Anti-Malware Software | | | | |
    💼 CC6.8-5 Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software | | | | |