- ID:
This column contains the ID of the category being described, which encodes the function it belongs to. e.g. the function 'PR' combined with the category "AA (Identity Management, Authentication, and Access Control)" gives the category ID "PR.AA".
- CATEGORY:
This column describes the key focus of the organization in that particular category. e.g. for the category 'PR.AA', "Identity Management, Authentication, and Access Control" is the key area of focus.
- METHODOLOGY:
Describes the methods and considerations the organization should apply when carrying out its risk assessment for the category being considered. e.g. PR.AA describes the types of assets (physical and logical) to be protected.
- SUB CATEGORY ID:
Lists the sub-categories that belong to that specific category. e.g. PR.AA (category) --> PR.AA-1, PR.AA-2, PR.AA-3, PR.AA-4, PR.AA-5, PR.AA-6 (sub-categories).
- SUB CATEGORY DESCRIPTION:
This column describes each sub-category ID. e.g. PR.AA-1 has its own description, which is different from that of PR.AA-2.
- SUB CATEGORY MODIFICATIONS:
This column records the sub-categories that were "WITHDRAWN", the sub-categories that were "NEWLY ADDED OR INTRODUCED", and where a withdrawn sub-category was "MOVED TO".
The PROTECT function focuses on safeguarding the organization's assets through the implementation of relevant security measures, and on how the organization's cybersecurity safeguards are applied.
Listed below are the sub-categories of the "Protect Function" to consider when planning your organization's risk assessment for its critical infrastructure.
Withdrawn categories and the categories their content was moved to:
PR.AC-->PR.AA, PR.IP-->(PR.PS, ID.AM, ID.RA, PR.DS, PR.IR, ID.IM, GV.RR), PR.MA-->(ID.AM & PR.PS), PR.PT-->(PR.PS, PR.DS, PR.AA, & PR.IR).
Sub-categories of each withdrawn category:
PR.AC: PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7.
PR.IP: PR.IP-1, PR.IP-2, PR.IP-3, PR.IP-4, PR.IP-5, PR.IP-6, PR.IP-7, PR.IP-8, PR.IP-9, PR.IP-10, PR.IP-11, PR.IP-12.
PR.MA: PR.MA-1, PR.MA-2.
PR.PT: PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PR.PT-5.
Where each withdrawn sub-category was moved to (withdrawn sub-category --> sub-category or sub-categories it is now incorporated into):
PR.AC:
(PR.AC-1)-->(PR.AA-1 & PR.AA-5), (PR.AC-2)-->(PR.AA-6), (PR.AC-3)-->(PR.AA-3, PR.AA-5, & PR.IR-1), (PR.AC-4)-->(PR.AA-5), (PR.AC-5)-->(PR.IR-1), (PR.AC-6)-->(PR.AA-2), (PR.AC-7)-->(PR.AA-3).
PR.IP:
(PR.IP-1)-->(PR.PS-1), (PR.IP-2)-->(ID.AM-8 & PR.PS-6), (PR.IP-3)-->(ID.RA-7 & PR.PS-1), (PR.IP-4)-->(PR.DS-11), (PR.IP-5)-->(PR.IR-2), (PR.IP-6)-->(ID.AM-8), (PR.IP-7)-->(ID.IM-3), (PR.IP-8)-->(ID.IM-3), (PR.IP-9)-->(ID.IM-4), (PR.IP-10)-->(ID.IM-2 & ID.IM-4), (PR.IP-11)-->(GV.RR-4), (PR.IP-12)-->(ID.RA-1 & PR.PS-2).
PR.MA:
(PR.MA-1)-->(ID.AM-8 & PR.PS-3), (PR.MA-2)-->(ID.AM-8 & PR.PS-2).
PR.PT:
(PR.PT-1)-->(PR.PS-4), (PR.PT-2)-->(PR.DS-1 & PR.PS-1), (PR.PT-3)-->(PR.PS-1), (PR.PT-4)-->(PR.AA-6 & PR.IR-1), (PR.PT-5)-->(PR.IR-3).
PR.DS (withdrawn sub-categories only):
(PR.DS-3)-->(ID.AM-8 & PR.PS-3), (PR.DS-4)-->(PR.IR-4), (PR.DS-5)-->(PR.DS-1, PR.DS-2 & PR.DS-10), (PR.DS-6)-->(PR.DS-1 & DE.CM-9), (PR.DS-7)-->(PR.IR-1), (PR.DS-8)-->(ID.RA-9 & DE.CM-9).
| ID | CATEGORY | METHODOLOGY | SUB CATEGORY ID | SUB CATEGORY DESCRIPTION | SUB CATEGORY MODIFICATIONS |
|---|---|---|---|---|---|
| PR.AA | Identity Management, Authentication, and Access Control | Protecting Assets: the organization's assets and the infrastructure facilities (physical and logical assets) associated with them are limited to authorized users, services, and hardware, and are managed appropriately in line with the assessed risk of unauthorized access. | PR.AA-1, PR.AA-2, PR.AA-3, PR.AA-4, PR.AA-5, PR.AA-6 | PR.AA-1: The identities and credentials of authorized users, services, and hardware associated with the organization are managed. PR.AA-2: Identities are proofed and bound to credentials based on the context of interactions. PR.AA-3: Users, services, and hardware are authenticated. PR.AA-4: Declared identities are protected, conveyed, and verified. PR.AA-5: The organization's defined policy covers access permissions, entitlements, and authorizations and how they are managed, enforced, and reviewed, and incorporates the principles of least privilege and separation of duties. PR.AA-6: Physical access to the organization's assets is managed, monitored, and enforced consistently with risk. | WITHDRAWN: N/A. NEWLY ADDED: N/A. MOVED TO: N/A. |
| PR.AT | Awareness and Training | Cybersecurity Awareness and Training as part of the Protection Plan: all of the organization's employees, personnel, partners, and stakeholders are provided with an adequate cybersecurity awareness program and education, including proper training on how to carry out their information security related duties and responsibilities. | PR.AT-1, PR.AT-2 | PR.AT-1: All users (personnel, employees, and stakeholders) are informed and trained (awareness training) so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind. PR.AT-2: Individuals in specialized roles (top-level executives or senior managers and their teams) are informed and trained (awareness training) so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind. | WITHDRAWN: PR.AT-3, PR.AT-4, PR.AT-5. NEWLY ADDED: N/A. MOVED TO: PR.AT-1, PR.AT-2. |
| PR.DS | Data Security | Data Protection and Asset Management: information and records are properly protected and managed, consistently with the organization's risk strategy, to protect the cybersecurity TRIAD (Confidentiality, Integrity, and Availability) of that information. | PR.DS-1, PR.DS-2, PR.DS-10, PR.DS-11 | PR.DS-1: All data at rest (payment card information, PII, and even physical file storage rooms, among others) must be protected, ensuring its confidentiality, integrity, and availability. PR.DS-2: All data in transit (moving from one location to another) must be protected, ensuring its confidentiality, integrity, and availability. PR.DS-10: All data in use must be protected, ensuring its confidentiality, integrity, and availability. PR.DS-11: Backups of all data are created, protected, maintained, and tested. | WITHDRAWN: PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-7, PR.DS-8. NEWLY ADDED: PR.DS-10, PR.DS-11. MOVED TO: see the sub-category mapping at the top of the page for the sub-categories they are now incorporated into. |
| PR.PS | Platform Security | Strategy to Ensure the Protection of All Platforms: all hardware and software (e.g. firmware, operating systems, applications) are managed consistently, in line with the organization's risk strategy, to ensure the protection of their confidentiality, integrity, and availability. | PR.PS-1, PR.PS-2, PR.PS-3, PR.PS-4, PR.PS-5, PR.PS-6 | PR.PS-1: Configuration management practices are established and applied. PR.PS-2: Software is maintained, replaced, and removed in line with risk. PR.PS-3: Hardware is maintained, replaced, and removed in line with risk. PR.PS-4: Log records are generated and made available for continuous monitoring. PR.PS-5: Installation and execution of unauthorized software are prevented. PR.PS-6: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle. | WITHDRAWN: N/A. NEWLY ADDED: N/A. MOVED TO: N/A. |
| PR.IR | Technology Infrastructure Resilience | Managing Security Architecture: security architectures are properly managed in line with the organization's risk strategy, ensuring the confidentiality, integrity, and availability of its assets and the organization's resilience. | PR.IR-1, PR.IR-2, PR.IR-3, PR.IR-4 | PR.IR-1: All networks and environments are protected from unauthorized logical access and usage. PR.IR-2: All of the organization's technology assets are protected from environmental threats. PR.IR-3: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations. PR.IR-4: Adequate resource capacity is provided to maintain availability. | WITHDRAWN: N/A. NEWLY ADDED: N/A. MOVED TO: N/A. |