generated from finos/standards-project-blueprint
-
Notifications
You must be signed in to change notification settings - Fork 25
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add in threat catalog example for object storage service
- Loading branch information
1 parent
7d6012c
commit 0f940ec
Showing
2 changed files
with
99 additions
and
0 deletions.
There are no files selected for viewing
93 changes: 93 additions & 0 deletions
93
src/oscal/examples/catalog/yaml/OSCAL_CCC_Catalog_logical.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
--- | ||
catalog: | ||
uuid: 0069c46e-6fd1-4b72-bc64-fd4e6d4a2190 | ||
metadata: | ||
title: FINOS CCC Sample Catalog | ||
published: 2024-02-01T00:00:00+01:00 | ||
last-modified: 2024-02-01T01:00:00+01:00 | ||
version: 0.0.1 | ||
oscal-version: 1.1.1 | ||
props: | ||
- name: keywords | ||
value: "control, cloud, security, risk" | ||
roles: | ||
- id: publisher | ||
title: FINOS | ||
- id: author | ||
title: FINOS | ||
- id: contact | ||
title: Contact | ||
parties: | ||
- uuid: 4bc82884-5a0c-486b-94d5-cc5195615ad3 | ||
type: organization | ||
name: FINOS | ||
addresses: | ||
- addr-lines: | ||
- FINOS | ||
- some address | ||
- more address | ||
country: UK | ||
responsible-parties: | ||
- role-id: publisher | ||
party-uuids: | ||
- 4bc82884-5a0c-486b-94d5-cc5195615ad3 | ||
- role-id: author | ||
party-uuids: | ||
- 4bc82884-5a0c-486b-94d5-cc5195615ad3 | ||
- role-id: contact | ||
party-uuids: | ||
- 4bc82884-5a0c-486b-94d5-cc5195615ad3 | ||
groups: | ||
- id: M10 | ||
title: Threat Mitigations | ||
controls: | ||
- id: M1047 | ||
class: mitigation | ||
title: Audit | ||
parts: | ||
- id: M1047_stm | ||
name: statement | ||
prose: Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources. | ||
- id: M1041 | ||
class: mitigation | ||
title: Encrypt Sensitive Information | ||
parts: | ||
- id: M1041_stm | ||
name: statement | ||
prose: Encrypt data stored at rest in cloud storage. | ||
- id: M1047_gdn | ||
name: guidance | ||
prose: |- | ||
Managed encryption keys can be rotated by most providers. | ||
At minimum ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications. | ||
- id: M1032 | ||
class: p1-mitigations | ||
title: Multi-factor Authentication | ||
parts: | ||
- id: M1032_stm | ||
name: statement | ||
prose: "Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator." | ||
- id: M1026 | ||
class: p1-mitigations | ||
title: Privileged Account Management | ||
parts: | ||
- id: M1026_stm | ||
name: statement | ||
prose: "Manage the creation, modification, use, and permissions associated to privileged accounts." | ||
- id: M1018 | ||
class: p1-mitigations | ||
title: User Account Management | ||
parts: | ||
- id: M1018_stm | ||
name: statement | ||
prose: "Manage the creation, modification, use, and permissions associated to non-privileged user accounts." | ||
- id: CCC | ||
title: Policy name and identification | ||
controls: | ||
- id: CCC.M1 | ||
class: p1-mitigations | ||
title: Organization level Authorization Origin Policy | ||
parts: | ||
- name: statement | ||
prose: Define actions that are allowed for cloud accounts subscribed to an organization. Ensure policy set to enforce MFA for console and API actions for IAM principles. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
| Key | Value | | ||
|----------|----------| | ||
| Threat Id | CCC.OS.T1 | | ||
| Name | Intercept data in transit to an external bucket | | ||
| Description | Object storage service allows communication over HTTP. An attacker can intercept the traffic you send to an external bucket, in order to read or modify the data. | | ||
| Service Taxonomy ID | CCC-020115 | |