Use this API to publish a template based on its ID.
The user must have the Security Assessment Questionnaire (SAQ) module enabled and have API ACCESS, Access SAQ module, Questionnaire Invite , and Questionnaire Template Publish permissions. The template must be within the API user's scope.
The id (Long) element is required.
API Request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @-
"https:// <qualysbaseurl>/qps/rest/1.0/publish/saq/template" < file.xml
Note: "file.xml" contains the request POST data.
Request POST Data
<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
<data>
<Template>
<id>1194619</id>
</Template>
</data>
</ServiceRequest>
Response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.p01.eng.sjc01.qualys.com/qps/xsd/1.0/saq/template.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Template>
<id>1194619</id>
<uuid>28b298ab-28f1-4679-83b3-fe694f379d25</uuid>
<name>Copy of CIS Top 18 Controls Version 8 - IG1</name>
<description>An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel.</description>
<familyId>b36740f6-7729-47cb-9bf1-89adebfffb90</familyId>
<revision>1</revision>
<category>Cybersecurity</category>
<isLibrary>false</isLibrary>
<questionCnt>56</questionCnt>
<state>PUBLISHED</state>
<elements>
<sections>
<list>
<Section>
<name>1 Inventory and Control of Enterprise Assets</name>
<description>Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.</description>
<sections/>
<questions>
<list>
<Question>
<label>1.1</label>
<text>Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprises network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. (Asset Type:Devices, Security Function:Identify)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>1.2</label>
<text>Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. (Asset Type:Devices, Security Function:Respond)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>2 Inventory and Control of Software Assets</name>
<description>Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.</description>
<sections/>
<questions>
<list>
<Question>
<label>2.1</label>
<text>Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. (Asset Type: Application, Security Function: Identify)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>2.2</label>
<text>Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprises mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. (Asset Type: Application, Security Function: Identify)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>2.3</label>
<text>Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. (Asset Type: Application, Security Function: Respond)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>3 Data Protection</name>
<description>Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.</description>
<sections/>
<questions>
<list>
<Question>
<label>3.1</label>
<text>Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.(Asset Type: Data , Security Function: Identify)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>3.2</label>
<text>Establish and maintain a data inventory, based on the enterprises data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. (Asset Type: Data , Security Function: Identify)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>3.3</label>
<text>Configure data access control lists based on a users need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. (Asset Type: Data, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>3.4</label>
<text>Retain data according to the enterprises data management process. Data retention must include both minimum and maximum timelines. (Asset Type: Data, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>3.5</label>
<text>Securely dispose of data as outlined in the enterprises data management process. Ensure the disposal process and method are commensurate with the data sensitivity. (Asset Type: Data, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>3.6</label>
<text>Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker, Apple FileVault, Linux,dm-crypt. (Asset Type: Devices, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>4 Secure Configuration of Enterprise Assets and Software</name>
<description>Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).</description>
<sections/>
<questions>
<list>
<Question>
<label>4.1</label>
<text>Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (Asset Type: Application, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>4.2</label>
<text>Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (Asset Type: Network, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>4.3</label>
<text>Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. (Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>4.4</label>
<text>Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. (Asset Type: Devices, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>4.5</label>
<text>Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. (Asset Type: Devices, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>4.6</label>
<text>Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. (Asset Type: Network, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>4.7</label>
<text>Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. (Asset Type: Users, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>5 Account Management</name>
<description>Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.</description>
<sections/>
<questions>
<list>
<Question>
<label>5.1</label>
<text>Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. (Asset Type: User, Security Function: Identify)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>5.2</label>
<text>Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. (Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>5.3</label>
<text>Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. (Asset Type: User, Security Function: Respond)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>5.4</label>
<text>Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. (Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>6 Access Control Management</name>
<description>Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.</description>
<sections/>
<questions>
<list>
<Question>
<label>6.1</label>
<text>Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.(Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>6.2</label>
<text>Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. (Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>6.3</label>
<text>Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. (Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>6.4</label>
<text>Require MFA for remote network access.(Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>6.5</label>
<text>Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.(Asset Type: User, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>7 Continuous Vulnerability Management</name>
<description>Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprises infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.</description>
<sections/>
<questions>
<list>
<Question>
<label>7.1</label>
<text>Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.(Asset Type: Application, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>7.2</label>
<text>Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.(Asset Type: Application, Security Function: Respond)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>7.3</label>
<text>Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.(Asset Type: Application, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>7.4</label>
<text>Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.(Asset Type: Application, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>8 Audit Log Management</name>
<description>Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.</description>
<sections/>
<questions>
<list>
<Question>
<label>8.1</label>
<text>Establish and maintain an audit log management process that defines the enterprises logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.(Asset Type: Network, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>8.2</label>
<text>Collect audit logs. Ensure that logging, per the enterprises audit log management process, has been enabled across enterprise assets.(Asset Type: Network, Security Function: Detect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>8.3</label>
<text>Ensure that logging destinations maintain adequate storage to comply with the enterprises audit log management process.(Asset Type: Network, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>9 Email and Web Browser Protections</name>
<description>Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.</description>
<sections/>
<questions>
<list>
<Question>
<label>9.1</label>
<text>Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.(Asset Type:Application, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>9.2</label>
<text>Use DNS filtering services on all enterprise assets to block access to known malicious domains.(Asset Type: Network, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>10 Malware Defenses</name>
<description>Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.</description>
<sections/>
<questions>
<list>
<Question>
<label>10.1</label>
<text>Deploy and maintain anti-malware software on all enterprise assets.(Asset Type: Devices, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>10.2</label>
<text>Configure automatic updates for anti-malware signature files on all enterprise assets.(Asset Type: Devices, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>10.3</label>
<text>Disable autorun and autoplay auto-execute functionality for removable media.(Asset Type: Devices, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>11 Data Recovery</name>
<description>Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.</description>
<sections/>
<questions>
<list>
<Question>
<label>11.1</label>
<text>Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (Asset Type: Data, Security Function: Recover)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>11.2</label>
<text>Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.(Asset Type: Data, Security Function: Recover)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>11.3</label>
<text>Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.(Asset Type: Data, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>11.4</label>
<text>Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.(Asset Type: Data, Security Function: Recover)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>12 Network Infrastructure Management Network Infrastructure Management</name>
<description>Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.</description>
<sections/>
<questions>
<list>
<Question>
<label>12.1</label>
<text>Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.(Asset Type: Network, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>14 Security Awareness and Skills Training</name>
<description>Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.</description>
<sections/>
<questions>
<list>
<Question>
<label>14.1</label>
<text>Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprises workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.(Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>14.2</label>
<text>Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating. (Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>14.3</label>
<text>Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.(Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>14.4</label>
<text>Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.(Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>14.5</label>
<text>Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.(Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>14.6</label>
<text>Train workforce members to be able to recognize a potential incident and be able to report such an incident. (Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>14.7</label>
<text>Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.(Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>14.8</label>
<text>Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.(Asset Type: N/A, Security Function: Protect)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>15 Service Provider Management</name>
<description>Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprises critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. </description>
<sections/>
<questions>
<list>
<Question>
<label>15.1</label>
<text>Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. (Asset Type: N/A, Security Function: Identify)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
<Section>
<name>17 Incident Response Management</name>
<description>Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.</description>
<sections/>
<questions>
<list>
<Question>
<label>17.1</label>
<text>Designate one key person, and at least one backup, who will manage the enterprises incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.(Asset Type: N/A, Security Function:Respond)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>17.2</label>
<text>Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.(Asset Type: N/A, Security Function: Respond)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
<Question>
<label>17.3</label>
<text>Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.(Asset Type: N/A, Security Function: Respond)</text>
<type>multipleChoiceQuestion</type>
<mode>RADIO_GROUP</mode>
<criticality>HIGH</criticality>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
<answers>
<list>
<Answer>
<title>Fully Implemented</title>
<description>Attach relevant support documents.</description>
<value>0</value>
<scoringLabel>LOW</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Partially Implemented</title>
<description>Attach evidence and expected date of completion in comments.</description>
<value>0</value>
<scoringLabel>MEDIUM</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Implemented</title>
<description>State the reason in comments and the expected date of completion.</description>
<value>0</value>
<scoringLabel>HIGH</scoringLabel>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
<Answer>
<title>Not Applicable</title>
<description>State the reason in comments of non -applicability.</description>
<value>0</value>
<requireAttachment>false</requireAttachment>
<requireComment>false</requireComment>
<requireAsset>false</requireAsset>
</Answer>
</list>
</answers>
</Question>
</list>
</questions>
</Section>
</list>
</sections>
<questions/>
</elements>
<scorings>
<list>
<Scoring>
<label>LOW</label>
<value>0</value>
</Scoring>
<Scoring>
<label>MEDIUM</label>
<value>50</value>
</Scoring>
<Scoring>
<label>HIGH</label>
<value>100</value>
</Scoring>
</list>
</scorings>
</Template>
</data>
</ServiceResponse>
<platform API server>qps/xsd/1.0/publish/saq/template.xsd