
PR Protect

22 outcomes in the Protect function

PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
PR.AA-03: Users, services, and hardware are authenticated
PR.AA-04: Identity assertions are protected, conveyed, and verified
PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
PR.DS-11: Backups of data are created, protected, maintained, and tested
PR.PS-01: Configuration management practices are established and applied
PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk
PR.PS-04: Log records are generated and made available for continuous monitoring
PR.PS-05: Installation and execution of unauthorized software are prevented
PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
PR.IR-02: The organization’s technology assets are protected from environmental threats
PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
PR.IR-04: Adequate resource capacity to ensure availability is maintained