forked from intuitem/ciso-assistant-community
-
Notifications
You must be signed in to change notification settings - Fork 0
/
doc-pol.yaml
737 lines (606 loc) · 20.6 KB
/
doc-pol.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
urn: urn:intuitem:risk:library:doc-pol
locale: en
ref_id: doc-pol
name: Documents and policies
description: Typical documents and policies recommended by intuitem
copyright: "\xA9 intuitem - 2024"
version: 2
provider: intuitem
packager: intuitem
translations:
fr:
name: Documents et politiques
description: "Documents et politiques typiques recommand\xE9s par intuitem"
objects:
reference_controls:
- urn: urn:intuitem:risk:function:doc-pol:doc.overview
ref_id: DOC.OVERVIEW
name: Organization overview document
category: process
description: 'Objectives of the organization
Organigram
ISMS objectives
CISO responsibilities
ISMS Management review'
annotation: '5.1.a
5.1.c'
translations:
fr:
name: "Pr\xE9sentation de l\u2019organisation"
description: "Objectifs organisationnels\nOrganigramme\nObjectifs de l\u2019\
ISMS\nResponsabilit\xE9s du RSSI\nExamen de la direction du SMSI"
- urn: urn:intuitem:risk:function:doc-pol:doc.context
ref_id: DOC.CONTEXT
name: Context of organization document
category: process
description: 'Stakeholders
Authorities
Special interest groups'
annotation: '4.1, 4.2
5.1.a
A.5.6
A.5.5'
translations:
fr:
name: Contexte de l'organisation
description: "Parties prenantes\nAutorit\xE9s\nGroupes d\u2019int\xE9r\xEA\
ts"
- urn: urn:intuitem:risk:function:doc-pol:doc.scope
ref_id: DOC.SCOPE
name: ISMS Scope document
category: process
description: 'Products and services
Products and services requiring certification
Locations
Organization view
Business architecture view
Data architecture view
Application architecture view
Technology architecture view
Network view
Scope statement'
annotation: '4.3'
translations:
fr:
name: "P\xE9rim\xE8tre du SMSI"
description: "Produits et services\nProduits et services n\xE9cessitant une\
\ certification\nLocaux\nVue de l\u2019organisation\nVue de l\u2019architecture\
\ d\u2019entreprise\nVue de l\u2019architecture des donn\xE9es\nVue de l\u2019\
architecture d\u2019application\nVue de l\u2019architecture technologique\n\
Vue r\xE9seau\n\xC9nonc\xE9 du champ d\u2019application"
- urn: urn:intuitem:risk:function:doc-pol:doc.legal
ref_id: DOC.LEGAL
name: legal register
category: process
description: "Legal requirements \nStatutory requirements \nRegulatory requirements\
\ \nContractual requirements \nIntellectual property rights\nEmployment contracts\n\
NDAs"
annotation: 'A.5.31
A.5.32
A.6.5
A.6.6'
translations:
fr:
name: "Registre l\xE9gal"
description: "Exigences l\xE9gales \nExigences l\xE9gales \nExigences r\xE9\
glementaires \nExigences contractuelles \nDroits de propri\xE9t\xE9 intellectuelle\n\
Contrats de travail\nNDA"
- urn: urn:intuitem:risk:function:doc-pol:doc.soa
ref_id: DOC.SOA
name: Statement of Applicabilty document
category: process
translations:
fr:
name: "D\xE9claration d'applicabilit\xE9"
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.controls
ref_id: DOC.CONTROLS
name: Controls accountability matrix
category: process
annotation: 5.1.c
translations:
fr:
name: "Matrice de responsabilit\xE9 des mesures"
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.audit_plan
ref_id: DOC.AUDIT_PLAN
name: Audit plan document
category: process
description: 'Context of the organization
Leadership
Planning
Support
Operation
Performance evaluation
Improvement
Organizational controls
People controls
Physical controls
Technological controls'
annotation: 5.1.e
translations:
fr:
name: Plan d'audit
description: "Contexte de l\u2019organisation\nLeadership\nPlanification\n\
Soutien\nOp\xE9ration\n\xC9valuation des performances\nAm\xE9lioration\n\
Contr\xF4les organisationnels\nContr\xF4les du personnel\nContr\xF4les physiques\n\
Contr\xF4les technologiques"
- urn: urn:intuitem:risk:function:doc-pol:doc.competency
ref_id: DOC.COMPETENCY
name: Competency matrix
category: process
annotation: 5.1.f
translations:
fr:
name: "Matrice de comp\xE9tence"
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.raci
ref_id: DOC.RACI
name: Responsibility matrix
category: process
description: RACI for ISMS
translations:
fr:
name: "Matrice de responsabilit\xE9"
description: RACI du SMSI
- urn: urn:intuitem:risk:function:doc-pol:doc.com
ref_id: DOC.COM
name: Communication plan document
category: process
annotation: '7.4'
translations:
fr:
name: Plan de communication
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.risk_register
ref_id: DOC.RISK_REGISTER
name: Risk register
category: process
description: 'Risk owner
Impact
Likelihood
Risk level
Evaluation
Priority
Treatment option
Mitigations - recommended security measures'
annotation: "6.1\n6.1.2.c.2 \n6.1.2.d.1 \n6.1.2.d.2\n6.1.2.d.3 \n6.1.2.e.1 \n\
6.1.2.e.2 \n6.1.3.a \n6.1.3.b "
translations:
fr:
name: Registre des risques
description: "Propri\xE9taire du risque\nImpact\nVraisemblance\nNiveau de\
\ risque\n\xC9valuation\nPriorit\xE9\nOption de traitement\nMesures d\u2019\
att\xE9nuation - mesures de s\xE9curit\xE9 recommand\xE9es"
- urn: urn:intuitem:risk:function:doc-pol:doc.so_register
ref_id: DOC.SO_REGISTER
name: Security objectives register
category: process
annotation: '6.2'
translations:
fr:
name: "registre des objectifs de s\xE9curit\xE9"
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.mgmt_review
ref_id: DOC.MGMT_REVIEW
name: Management review plan document
category: process
description: 'Review of risks
Review of security objectives
Review of security incidents
Review of vulnerability management
Review of non-conformities'
annotation: "9.3\n6.1.1.e.1 \n6.2.e"
translations:
fr:
name: Plan de la revue de management
description: "Examen des risques\nExamen des objectifs de s\xE9curit\xE9\n\
Examen des incidents de s\xE9curit\xE9\nExamen de la gestion des vuln\xE9\
rabilit\xE9s\nExamen des non-conformit\xE9s"
- urn: urn:intuitem:risk:function:doc-pol:doc.educ_register
ref_id: DOC.EDUC_REGISTER
name: Training and awareness register
category: process
annotation: '7.2'
translations:
fr:
name: Registre de formation et sensibilisation
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.doc_register
ref_id: DOC.DOC_REGISTER
name: Document register
category: process
description: 'Rules for edition and maintenance
Version control
Register
Continual improvement'
annotation: '7.5'
translations:
fr:
name: Registre des documents
description: "R\xE8gles d\u2019\xE9dition et de maintenance\nContr\xF4le de\
\ version\nRegistre\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:doc.proc_register
ref_id: DOC.PROC_REGISTER
name: Operational procedures register
category: process
description: 'Risk management procdure
Incident management procedure
Problem management procedure
Vulnerability management procedure
HR procedures
Change management procedure
Procedure for externalization
Physical security procedures
Privileged access procedure'
annotation: '8.1
A.6.1
8.1
8.1.
A.7.1
A.8.2'
translations:
fr:
name: "Registre des proc\xE9dures op\xE9rationnelles"
description: "Processus de gestion des risques\nProc\xE9dure de gestion des\
\ incidents\nProc\xE9dure de gestion des probl\xE8mes\nProc\xE9dure de gestion\
\ des vuln\xE9rabilit\xE9s\nProc\xE9dures RH\nProc\xE9dure de gestion du\
\ changement\nProc\xE9dure d\u2019externalisation\nProc\xE9dures de s\xE9\
curit\xE9 physique\nProc\xE9dure d\u2019acc\xE8s privil\xE9gi\xE9"
- urn: urn:intuitem:risk:function:doc-pol:doc.nc_log
ref_id: DOC.NC_LOG
name: Log of non-conformities
category: process
description: "List of non-conformities (incident, problems, \u2026)\nCorrective\
\ action taken"
annotation: '10.1'
translations:
fr:
name: "Registre des non-conformit\xE9s"
description: "Liste des non-conformit\xE9s (incident, probl\xE8mes, ...)\n\
Mesures correctives prises"
- urn: urn:intuitem:risk:function:doc-pol:doc.internal_rules
ref_id: DOC.INTERNAL_RULES
name: Rules of procedure document
category: process
annotation: A.5.4, A.6.2
translations:
fr:
name: "R\xE8glement int\xE9rieur"
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.asset_register
ref_id: DOC.ASSET_REGISTER
name: Registry of assets
category: process
annotation: A.5.9
translations:
fr:
name: Registre des biens
description: null
- urn: urn:intuitem:risk:function:doc-pol:doc.supplier_register
ref_id: DOC.SUPPLIER_REGISTER
name: Registry of suppliers
category: process
description: Risk management
translations:
fr:
name: Registre des fournisseurs
description: Gestion des risques
- urn: urn:intuitem:risk:function:doc-pol:pol.main
ref_id: POL.MAIN
name: Main policy
category: policy
description: 'information security objectives
commitment
Management review
Applicable policies
Management of non conformities
Continual improvement'
annotation: '5.2.b
5.2.c
9.3.1
5.1.g'
translations:
fr:
name: Politique principale
description: "Objectifs de s\xE9curit\xE9 de l\u2019information\nengagement\n\
Revue de direction\nPolitiques applicables\nGestion des non-conformit\xE9\
s\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.educ
ref_id: POL.EDUC
name: Information security awareness and traning policy
category: policy
description: 'implications of not respecting
Security event reporting
Continual improvement'
annotation: '7.3.c
A.6.8
5.1.g'
translations:
fr:
name: "Politique de sensibilisation et de formation \xE0 la s\xE9curit\xE9\
\ de l\u2019information"
description: "cons\xE9quences du non-respect\nRapports sur les \xE9v\xE9nements\
\ de s\xE9curit\xE9\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.work
ref_id: POL.WORK
name: Workstations and teleworking policy
category: policy
description: 'Workstations
Mobile devices
Teleworkding
Password handling
Returning of assets
Continual improvement'
annotation: 'A.6.2.1
A.6.2.2
A.5.11
5.1.g'
translations:
fr:
name: "Politique des postes de travail et de t\xE9l\xE9travail"
description: "Postes\nAppareils mobiles\nT\xE9l\xE9travail\nGestion des mots\
\ de passe\nRestitution des avoirs\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.crypto
ref_id: POL.CRYPTO
name: Cryptographic policy
category: policy
description: 'Key management
Encryption
Continual improvement'
annotation: 5.1.g
translations:
fr:
name: Politique cryptographique
description: "Gestion des cl\xE9s\nChiffrement\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.classif
ref_id: POL.CLASSIF
name: Information classification and handling policy
category: policy
description: 'classification
protection and handling of information
Poritection and handling of PII
clear desk
clear screen
Protection of records
Retention rules
Use of test information
Continual improvement'
annotation: 'A.5.12, A.5.13
A.5.34
A.5.33
A.8.33
5.1.g'
translations:
fr:
name: "Politique de classification et de traitement de l\u2019information"
description: "classification\nProtection et traitement des informations\n\
Conservation et traitement des PII\nbureau d\xE9gag\xE9\n\xE9cran clair\n\
Protection des registres\nR\xE8gles de conservation\nUtilisation des informations\
\ de test\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.audit
ref_id: POL.AUDIT
name: Internal and external audit policy
category: policy
description: Protection of audit information
annotation: A.8.34
translations:
fr:
name: "Politique d\u2019audit interne et externe"
description: "Protection des informations d\u2019audit"
- urn: urn:intuitem:risk:function:doc-pol:pol.bcp
ref_id: POL.BCP
name: Business continuity policy
category: policy
translations:
fr:
name: "Politique de continuit\xE9 d\u2019activit\xE9"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.seg_duty
ref_id: POL.SEG_DUTY
name: Segregation of duties policy
category: policy
translations:
fr:
name: "Politique sur la s\xE9paration des t\xE2ches"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.access
ref_id: POL.ACCESS
name: Access control policy
category: policy
description: 'Identification
authentication
password management
RBAC
Review of access rights
Provisioning
Leavers
Remote access
Privileged access management
Third party access
Monitoring and reporting
Continual improvement'
annotation: 'A.5.15
5.1.g'
translations:
fr:
name: "Politique de contr\xF4le d\u2019acc\xE8s"
description: "Identification\nauthentification\nGestion des mots de passe\n\
RBAC\nR\xE9vision des droits d\u2019acc\xE8s\nFourniture\nSortants\nAcc\xE8\
s \xE0 distance\nGestion des acc\xE8s \xE0 privil\xE8ges\nAcc\xE8s par des\
\ tiers\nSurveillance et rapports\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.malware
ref_id: POL.MALWARE
name: Malware protection policy
category: policy
description: 'antivirus
EDR'
translations:
fr:
name: Politique de protection contre les logiciels malveillants
description: 'antivirus
EDR'
- urn: urn:intuitem:risk:function:doc-pol:pol.risk
ref_id: POL.RISK
name: Risk management policy
category: policy
description: 'Risk management definition
Risk appetite
Risk acceptance criteria
Criteria for risk assessment
Risk identification
Risk assessment
CIAP approach
Risk reporting
Risk review
Risk treatment (mitigation acceptance, transfer)
Risk evaluation
Use of ISO27002 controls
Management of access rights
Continual improvement'
annotation: "6.1.2.a.1 \n6.1.2.a.2 \n6.1.2.b \n6.1.2.c.1 \n6.1.3.c \nA.5.18\n\
5.1.g"
translations:
fr:
name: Politique de gestion des risques
description: "D\xE9finition de la gestion des risques\nApp\xE9tit pour le\
\ risque\nCrit\xE8res d\u2019acceptation des risques\nCrit\xE8res d\u2019\
\xE9valuation des risques\nIdentification des risques\n\xC9valuation du\
\ risque\nApproche CIAP\nRapports sur les risques\nExamen des risques\n\
Traitement des risques (att\xE9nuation, acceptation, transfert)\n\xC9valuation\
\ des risques\nUtilisation des commandes ISO27002\nGestion des droits d\u2019\
acc\xE8s\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.asset
ref_id: POL.ASSET
name: Asset management policy
category: policy
translations:
fr:
name: "Politique de gestion d\u2019actifs"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.backup
ref_id: POL.BACKUP
name: Backup and restore policy
category: policy
translations:
fr:
name: Politique de sauvegarde et de restauration
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.supplier
ref_id: POL.SUPPLIER
name: Third party supplier security policy
category: policy
annotation: A.5.19, A.5.20, A.5.21, A.5.22, A.5.23
translations:
fr:
name: "Politique de s\xE9curit\xE9 des fournisseurs tiers"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.monitor
ref_id: POL.MONITOR
name: Logging and monitoring policy
category: policy
description: Logging
annotation: A.8.15
translations:
fr:
name: Politique de journalisation et de surveillance
description: Journalisation
- urn: urn:intuitem:risk:function:doc-pol:pol.transfer
ref_id: POL.TRANSFER
name: Information transfer policy
category: policy
annotation: A.5.14
translations:
fr:
name: "Politique de transfert d\u2019informations"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.secdev
ref_id: POL.SECDEV
name: Secure development policy
category: policy
translations:
fr:
name: "Politique de d\xE9veloppement s\xE9curis\xE9"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.physical
ref_id: POL.PHYSICAL
name: Physical security policy
category: policy
description: 'Physical security perimeter
Secure areas
Employee access control
Visitors access control
Delivery management
Cabling security
Continual improvement'
annotation: 5.1.g
translations:
fr:
name: "Politique de s\xE9curit\xE9 physique"
description: "P\xE9rim\xE8tre de s\xE9curit\xE9 physique\nZones s\xE9curis\xE9\
es\nContr\xF4le d\u2019acc\xE8s des employ\xE9s\nContr\xF4le d\u2019acc\xE8\
s des visiteurs\nGestion des livraisons\nS\xE9curit\xE9 du c\xE2blage\n\
Am\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.network
ref_id: POL.NETWORK
name: Network security management policy
category: policy
translations:
fr:
name: "Politique de gestion de la s\xE9curit\xE9 du r\xE9seau"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.accept
ref_id: POL.ACCEPT
name: Acceptable use policy
category: policy
annotation: A.5.10
translations:
fr:
name: "Politique d\u2019utilisation acceptable"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.project
ref_id: POL.PROJECT
name: IS project integration policy
category: policy
translations:
fr:
name: "Politique d\u2019int\xE9gration de projets SI"
description: null
- urn: urn:intuitem:risk:function:doc-pol:pol.threat_intel
ref_id: POL.THREAT_INTEL
name: Threat intelligence policy
category: policy
description: 'Known Exploited Vulnerabilities
Threat actors activity
Continual improvement'
annotation: 5.1.g
translations:
fr:
name: Politique de renseignement sur les menaces
description: "Vuln\xE9rabilit\xE9s exploit\xE9es connues\nActivit\xE9 des\
\ acteurs de la menace\nAm\xE9lioration continue"
- urn: urn:intuitem:risk:function:doc-pol:pol.incident
ref_id: POL.INCIDENT
name: IS incident management policy
category: policy
description: 'Security incident management
Vulnerability management'
annotation: A.5.24, A.5.25, A.5.26, A.5.27
translations:
fr:
name: Politique de gestion des incidents du SI
description: "Gestion des incidents de s\xE9curit\xE9\nGestion des vuln\xE9\
rabilit\xE9s"
- urn: urn:intuitem:risk:function:doc-pol:pol.maintenance
ref_id: POL.MAINTENANCE
name: Maintenance policy
category: policy
description: 'Obsolescence management
Maintenance contracts
Change management'
annotation: A.7.13
translations:
fr:
name: Politique de maintenance
description: "Gestion de l\u2019obsolescence\nContrats de maintenance\nGestion\
\ du changement"