Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create controls.yaml for secMgmt #508

Merged
merged 6 commits into from
Jan 20, 2025
Merged

Create controls.yaml for secMgmt #508

Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c7d760f
Create controls.yaml for secMgmt
kazmik23 Nov 7, 2024
b807ac1
Merge branch 'main' into patch-24
eddie-knight Jan 20, 2025
221ae5a
Merge branch 'main' into patch-24
mlysaght2017 Jan 20, 2025
5a119f6
Rename secMgmt to secMgmt.yaml
eddie-knight Jan 20, 2025
9f52321
Apply suggestions from code review
eddie-knight Jan 20, 2025
c88d77c
Apply suggestions from code review
eddie-knight Jan 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions services/crypto/secMgmt.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
common_controls:
- CCC.C01 # Prevent unencrypted requests
- CCC.C02 # Ensure data encryption at rest for all stored data
- CCC.C03 # Implement multi-factor authentication (MFA) for access
- CCC.C04 # Log all access and changes
- CCC.C05 # Prevent access from untrusted entities
- CCC.C06 # Prevent deployment in restricted regions
- CCC.C07 # Alert on non-human enumeration
- CCC.C09 # Prevent tampering, deletion, or unauthorized access to access logs
- CCC.C10 # Prevent data replication to destinations outside of defined trust perimeter

controls:
- id: CCC.SecMgmt.C01 # Enforce Automatic Secret Rotation
eddie-knight marked this conversation as resolved.
Show resolved Hide resolved
title: Enforce Automatic Secret Rotation
objective: |
Ensure that secrets are automatically rotated on a defined schedule to
reduce the risk of secret compromise and unauthorized access.
control_family: Data Protection
threats:
- CCC.TH01 # Access control is misconfigured
- CCC.TH14 # Older Resource Versions Are Exploited
nist_csf: PR.DS-6 # Integrity checking mechanisms are used
control_mappings:
NIST_800_53:
- SC-12 # Cryptographic Key Establishment and Management
- SC-28 # Protection of Information at Rest
test_requirements:
- id: CCC.SecMgmt.C01.TR01
text: |
Attempt to use an outdated version of a secret after its rotation period
has passed and verify that access is denied.
tlp_levels:
- tlp_red
- tlp_amber

- id: CCC.SecMgmt.C02 # Enforce Secret Replication Policies
eddie-knight marked this conversation as resolved.
Show resolved Hide resolved
title: Enforce Secret Replication Policies
objective: |
Ensure that secrets are replicated only to authorized locations as per
organizational data residency and compliance requirements.
control_family: Data Protection
threats:
- CCC.TH03 # Deployment region network is untrusted
- CCC.TH04 # Data is replicated to untrusted or external locations
nist_csf: PR.DS-5 # Protections against data leaks are implemented
control_mappings:
NIST_800_53:
- AC-3 # Access Enforcement
- SC-7 # Boundary Protection
test_requirements:
- id: CCC.SecMgmt.C02.TR01
text: |
Attempt to retrieve a secret from an unauthorized region and verify that access is denied.
tlp_levels:
- tlp_red
- tlp_amber
Loading