Prevent

Question 1

PR.AC-1

Answer 1

Identities and credentials are managedfor authorized devices and users

Question 2

PR.AC-2

Answer 2

Physical access to assets is managed and protected

Question 3

PR.AC-3

Answer 3

Remote access is managed

Question 4

PR.AC-4

Answer 4

Access permissions are managed, incorporating the principles of least privilege and separation of duties

Question 5

PR.AC-5

Answer 5

Network integrity is protected, incorporating network segregation where appropriate

Question 6

PR.AT-1

Answer 6

All users are informed and trained

Question 7

PR.AT-2

Answer 7

Privileged users understand roles & responsibilities

Question 8

PR.AT-3

Answer 8

Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities

Question 9

PR.AT-4

Answer 9

Senior executives understand roles & responsibilities

Question 10

PR.AT-5

Answer 10

Physical and information security personnel understand roles & responsibilities

Question 11

PR.DS-1

Answer 11

Data-at-rest is protected

Question 12

PR.DS-2

Answer 12

Data-in-transit is protected

Question 13

PR.DS-3

Answer 13

Assets are formally managed throughout removal, transfers, and disposition

Question 14

PR.DS-4

Answer 14

Adequate capacity to ensure availability is maintained

Question 15

PR.DS-5

Answer 15

Protections against data leaks are implemented

Question 16

PR.DS-6

Answer 16

Integrity checking mechanisms are used to verify software, firmware, and information integrity

Question 17

PR.DS-7

Answer 17

The development and testing environment(s) are separate from the production environment

Question 18

PR.IP-1

Answer 18

A baseline configuration of information technology/industrial control systems is created and maintained

Question 19

PR.IP-2

Answer 19

A System Development Life Cycle to manage systems is implemented

Question 20

PR.IP-3

Answer 20

Configuration change control processes are in place

Question 21

PR.IP-4

Answer 21

Backups of information are conducted, maintained, and tested periodically

Question 22

PR.IP-5

Answer 22

Policy and regulations regarding the physical operating environment for organizational assets are met

Question 23

PR.IP-6

Answer 23

Data is destroyed according to policy

Question 24

PR.IP-7

Answer 24

Protection processes are continuously improved

Question 25

PR.IP-8

Answer 25

Effectiveness of protection technologies is shared with appropriate parties

Question 26

PR.IP-9

Answer 26

Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed

Question 27

PR.IP-1

Answer 27

: Response and recovery plans are tested

Question 28

PR.IP-1

Answer 28

: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

Question 29

PR.IP-1

Answer 29

: A vulnerability management plan is developed and implemented

Question 30

PR.MA-1

Answer 30

Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools

Question 31

PR.MA-2

Answer 31

Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

Question 32

PR.PT-1

Answer 32

Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

Question 33

PR.PT-2

Answer 33

Removable media is protected and its use restricted according to policy

Question 34

PR.PT-3

Answer 34

Access to systems and assets is controlled, incorporating the principle of least functionality

Question 35

PR.PT-4

Answer 35

Communications and control networks are protected