Infrastructure Security Controls

Control IS-01: Implement policies, processes, and controls required for creating, configuring, updating, and operating environments.

Control IS-02: Log and monitor events such as access control, access elevation, permissions modification, and object execution.

Control IS-03: Limit access to only approved endpoints, require multifactor authentication, and integrate with an identity and access management or single sign-on system. Use least-privilege and need-to-know principles for all accounts (e.g., user, admin, service, application).

Control IS-04: Log and monitor all accounts, whether for users or services, for unusual behavior and unwarranted uploads or downloads. Log and monitor all administration account access and actions through security management tools and security operation centers. Continuously monitor downloads for volume and unusual behavior patterns.

Control IS-05: Maintain an asset inventory for all tools, scripts, and APIs used by the development organization. Using origin and provenance information, validate the authenticity and integrity of the information in the asset inventory.

Control IS-06: Maintain patches and updates, where appropriate, for all applications, systems, and environments.

Control IS-07: Identify threats to applications, systems, and environments. Implement mitigating and compensating controls to prevent threats.

Control IS-08: Prioritize logging, monitoring, and patching of production ...