WHITE PAPER proofpoint.com How Proofpoint Helps Organizations Meet NIST Cybersecurity Guidelines

Introduction

In the face of today’s security threats, it’s important to build a strong defense. The National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.1 was designed to help. It provides you with critical guidance when developing your security programs. You can use it to assess your entire cybersecurity posture, or tailor it to address the specific requirements of your organization.

Proofpoint solutions fit easily into this framework and provide NIST compliance across the following key areas:

• Risk assessment

• Awareness and training

• Data security

• Anomalies and events

• Security continuous monitoring

• Detection processes

• Analysis

• Mitigation

This document explains how Proofpoint can help you meet NIST guidelines and achieve your security goals.

How Proofpoint Can Help

Proofpoint Browser Isolation allows your users to browse the web while preventing malicious content from impacting your corporate devices.

Proofpoint Email Protection identifies email fraud at the gateway and prevents it from reaching your employees.

Proofpoint Premium Threat Intelligence Service (PTIS) offers detailed threat reports, analyst observations and access to our threat experts.

Proofpoint Threat Response Auto-Pull (TRAP) automatically removes malicious emails from your user’s inbox.

Proofpoint Cloud App Security Broker (CASB) monitors user/entity behavior and data via APIs.

Proofpoint Enterprise Archive simplifies your legal discovery, regulatory compliance and end-user data access.

Proofpoint Security Awareness Training helps your people understand and protect against threats.

Proofpoint Insider Threat Management (ITM) protects against data loss, malicious acts and brand damage involving insiders acting maliciously, negligently or unknowingly.

Proofpoint Targeted Attack Protection (TAP) provides risk assessment with deep visibility into threats entering your organization.

Table of Contents

Introduction

How Proofpoint Addresses NIST CSF Requirements

Asset Management (ID.AM)

Business Environment (ID.BE)

Governance (ID.GV)

Risk Assessment (ID.RA)

Risk Management (ID.RM)

Supply Chain Risk Management (ID.SC)

Identity Management, Authentication and Access Control (PR.AC)

Awareness and Training (PR.AT)

Data Security (PR.DS)

Information Protection Processes and Procedures (PR.IP)

Protective Technology (PR.PT)

Anomalies and Events (DE.AE)

Security Continuous Monitoring (DE.CM)

Detection Processes (DE.DP)

Analysis (RS.AN)

Mitigation (RS.MI)

Recovery Planning (RC.RP)

Quick Reference Tables

How Proofpoint Addresses NIST CSF Requirements

Asset Management (ID.AM)

Overall goal: “The data, personnel, devices, systems and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.”

NIST CSF Requirement ID.AM-1

“Physical devices and systems within the organization are inventoried.”

References:

• CIS CSC V7.1 1

• COBIT 5 BAI09.01, BAI09.02

• ISA 62443-2-1:2009 4.2.3.4

• ISA 62443-2-1:2013 SR 7.8

• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2

• NIST SP 800-53 Rev. 4 CM-8, PM-5

• NIST SP 800-53 Rev. 5 CM-8, PM-5

Products that help meet the requirement:

• Insider Threat Management

ITM takes an inventory of hardware and software specs from a system, cataloging such items as the OS version, hardware details, IP addresses and domains the machine has joined. The information can be reported and used to increase audit fidelity for system assets.

NIST CSF Requirement ID.AM-2

“Software platforms and applications within the organization are inventoried.”

References:

• CIS CSC V7.1 2

• COBIT 5 BAI09.01, BAI09.02, BAI09.05

• ISA 62443-2-1:2009 4.2.3.4

• ISA 62443-2-1:2013 SR 7.8

• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1

• NIST SP 800-53 Rev. 4 CM-8, PM-5

• NIST SP 800-53 Rev. 5 CM-8, PM-5

Products that help meet the requirement:

• CASB

• Insider Threat Management

CASB provides shadow IT detection functionality by integrating with enterprise security devices like firewalls/proxy servers.

ITM provides a detailed activity log of assets used by your employees including desktops, servers and applications. The information can be collected through reports and augment information received from identity management or asset management systems. In addition, PDF reports can be provided to functional groups that help you apply individual/applicable risks that may be unique for your business.

NIST CSF Requirement ID.AM-5

“Resources (e.g., hardware, devices, data, time, personnel and software) are prioritized based on their classification, criticality and business value.”

References:

• CIS CSC V7.1 2

• COBIT 5 BAI09.01, BAI09.02, BAI09.05

• ISA 62443-2-1:2009 4.2.3.4

• ISA 62443-2-1:2013 SR 7.8

• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1

• NIST SP 800-53 Rev. 4 CM-8, PM-5

• NIST SP 800-53 Rev. 5 CM-8, PM-5

Products that help meet the requirement:

• Enterprise Archive

• Insider Threat Management

Enterprise Archive enables classification and retention of any/all messages on either a global policy or granular policy basis.

ITM active time-mapping and user-activity profile can help you identify the criticality and business value of applications (most used and least accessed). PDF reports are available. Risk is associated with users tripping alerts as defined by administrators.

Business Environment (ID.BE)

Overall goal: “The organization’s mission, objectives, stakeholders and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities and risk management decisions.”

NIST CSF Requirement ID.BE-1

“The organization’s role in the supply chain is identified and communicated.”

References:

• COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05

• ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2

• NIST SP 800-53 Rev. 4 CP-2, SA-12

• NIST SP 800-53 Rev. 5 CP-2, SR-1, SR-8

Products that help meet the requirement:

• PTIS

PTIS provides you with a deeper understanding of the ongoing threat landscape and your organization’s place in it, enabling you to prioritize your security decisions.

NIST CSF Requirement ID.BE-2

“The organization’s place in critical infrastructure and its industry sector is identified and communicated.”

References:

• COBIT 5 APO02.06, APO03.01

• ISO/IEC 27001:2013 Clause 4.1

• NIST SP 800-53 Rev. 4 PM-8

• NIST SP 800-53 Rev. 5 PM-8

Products that help meet the requirement:

• PTIS

PTIS provides personalized reports that expose who’s targeting you, who in your organization is being targeted, and how you compare to your industry peers.

NIST CSF Requirement ID.BE-3

“Priorities for organizational mission, objectives and activities are established and communicated.”

References:

• COBIT 5 APO02.01, APO02.06, APO03.01

• ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6

• NIST SP 800-53 Rev. 4 PM-11, SA-14

• NIST SP 800-53 Rev. 5 PM-11, RA-9

Products that help meet the requirement:

• PTIS

PTIS feeds intelligence into your risk assessment process to prioritize cybersecurity activities.

Governance (ID.GV)

Overall goal: “The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk.”

NIST CSF Requirement ID.GV-1

“Organizational cybersecurity policy is established and communicated.”

References:

• CIS CSC V7.1 19

• COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02

• ISA 62443-2-1:2009 4.3.2.6

• ISO/IEC 27001:2013 A.5.1.1

• NIST SP 800-53 Rev. 4 Controls from all security control families

• NIST SP 800-53 Rev. 5 Controls from all security control families

Products that help meet the requirement:

• Insider Threat Management

ITM can be used as a technical distribution method for written and administrative policies. Notifications may be static acceptance messages or sent in real time when an action is performed. For example, acceptable use notifications will flash when something may be amiss, such as when a large number of files is printed/copied.

Risk Assessment (ID.RA)

Overall goal: “The organization understands the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals.”

NIST CSF Requirement ID.RA-1

“Asset vulnerabilities are identified and documented.”

References:

• CIS CSC V7.1 4

• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02

• ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12

• ISO/IEC 27001:2013 A.12.6.1, A.18.2.3

• NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

• NIST SP 800-53 Rev. 5 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

Products that help meet the requirement:

• Security Awareness Training

Security Awareness Training offers an optional Weak Network Egress function, which can help detect browser vulnerabilities. It also flags out-of-date (and potentially vulnerable) third-party plug-ins on end-user PCs.

NIST CSF Requirement ID.RA-2

“Threat and vulnerability information is received from information-sharing forums and sources.”

References:

• CIS CSC V7.1 4

• COBIT 5 BAI08.01

• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12

• ISO/IEC 27001:2013 A.6.1.4

• NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16

• NIST SP 800-53 Rev. 5 SI-5, PM-15, PM-16

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• PTIS

• Security Awareness Training

• TAP

Browser Isolation uses the same threat intelligence that protects the Proofpoint ecosystem and corporate email.

CASB leverages Proofpoint’s emerging threat intelligence as well as other external information sources for cyberthreat intelligence.

Email Protection receives shared threat intelligence from internal and external sources for antivirus, malicious file signatures, malicious URLs and spam defenses.

PTIS includes a human effort that both collects info from forums/sources and acts as a source for others.

Security Awareness Training Community offers a forum for information sharing. Managed Security Awareness Training pools knowledge from customer interaction and industry sources.

Shared threat intelligence is received from internal and external sources for malicious file signatures and malicious URLs within TAP.

NIST CSF Requirement ID.RA-3

“Threats, both internal and external, are identified and documented.”

References:

• CIS CSC V7.1 4

• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04

• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12

• ISO/IEC 27001:2013 Clause 6.1.2

• NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

• NIST SP 800-53 Rev. 5 RA-3, SI-5, PM-12, PM-16

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Insider Threat Management

• PTIS

• Security Awareness Training

• TAP

Browser Isolation policies identify and require potentially malicious URLs to be opened in isolation.

CASB leverages Proofpoint’s rich cross-channel (email, SaaS and social) threat insights and user behavior to detect suspicious activities.

Email Protection antivirus protects against new and existing viruses and other forms of malicious code using signature-based and advanced technology. Our unified DLP approach can provide visibility into common risk indicators. What is tracked includes identification of who is downloading sensitive files, moving sensitive code, installing suspicious software, uploading customer lists to untrusted cloud storage, and copying files to unlisted removable media.

ITM identifies internal threats with our insider threat library. All activity on systems is documented, regardless of access level or location. External and internal threats associated with user actions will be monitored, documented and made available for review.

PTIS offers detailed threat reports, analyst observations and access to our threat experts.

In Security Awareness Training, phishing simulation and Cyberstrength assessments offer identification of potential internal threats.

The TAP Threat Dashboard provides deep visibility into the threats entering your organization. See who is attacking and how, what they’re after, and which users are targets. You can see data at the organization, threat and user levels. This detail helps you prioritize alerts and act on them.

NIST CSF Requirement ID.RA-4

“Potential business impacts and likelihoods are identified.”

References:

• CIS CSC V7.1 4

• COBIT 5 DSS04.02

• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12

• ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2

• NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11

• NIST SP 800-53 Rev. 5 RA-2, RA-3, RA-9, PM-9, PM-11

Products that help meet the requirement:

• CASB

• Email Protection

• Insider Threat Management

• PTIS

• TAP

CASB’s automated control of third-party apps provides scoring based on vendor reputation and data access.

Email Protection, TAP and PTIS provide insight into how widespread or targeted a threat is, helping you determine your risk. Email DLP can both detect and help prioritize user violations.

ITM provides a risk score for each threat and likelihood of business impact based on role/function/persona, taking severity into consideration.

PTIS leverages threat data from all of your Proofpoint capabilities; for example, TAP, CASB, Digital Risk, etc.

Using the TAP Threat Dashboard, users have visibility into potentially infected users, including high-value users. With this insight, you can understand the potential impact and prioritize remediation efforts.

NIST CSF Requirement ID.RA-5

“Threats, vulnerabilities, likelihoods and impacts are used to determine risk.”

References:

• CIS CSC V7.1 3

• COBIT 5 APO12.02

• ISO/IEC 27001:2013 A.12.6.1

• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

• NIST SP 800-53 Rev. 5 RA-2, RA-3, PM-16

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Insider Threat Management

• PTIS

• TAP

• TRAP

With Browser Isolation we can highlight your most attacked people and determine the riskiest URLs that get into your users’ inboxes.

CASB sandboxing and analytics detect potential risks of SaaS apps in your cloud environment.

Email Protection, TAP and PTIS provide insight into how widespread or targeted a threat is, helping you determine your risk. Email DLP rules can be implemented based on the threat to the data managed by the organization.

ITM provides a risk score for each internal threat. This takes into account severity of action, risk of user’s role and business impact of internal threat.

TRAP enables messaging and security administrators to analyze emails and move malicious or unwanted emails to quarantine, after delivery.

NIST CSF Requirement ID.RA-6

“Risk responses are identified and prioritized.”

References:

• CIS CSC V7.1 3

• COBIT 5 APO12.05, APO13.02

• ISO/IEC 27001:2013 Clause 6.1.3

• NIST SP 800-53 Rev. 4 PM-4, PM-9

• NIST SP 800-53 Rev. 5 PM-4, PM-9

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Insider Threat Management

• PTIS

• TAP

• TRAP

Browser Isolation automatically isolates suspicious URLs, especially those sent to your most vulnerable, attacked and privileged users.

CASB facilitates identification of risk responses, as well as prioritization through its extensive incident detection and alerting features. These can be fed into external sources via an API.

Email Protection, PTIS and TAP provide insight into how widespread or targeted a threat is, helping you determine your risk. Email DLP can eliminate the risk inherent in individuals making security and disclosure policy decisions.

ITM enables operators to choose between a variety of risk responses (based on the severity/criticality of the event). The solution can be configured to notify, prevent or deter actions automatically. A few examples are real-time warning notifications, closing an application or logging users out of their sessions.

PTIS includes a human inquiry, research and response effort.

Using TAP, you can see infected users and high-value targets to prioritize your response and manage risk.

TRAP enables messaging and security administrators to analyze emails and move malicious or unwanted emails to quarantine, after delivery.

Risk Management (ID.RM)

Overall goal: “The organization’s priorities, constraints, risk tolerances and assumptions are established and used to support operational risk decisions.”

NIST CSF Requirement ID.RM-2

“Organizational risk tolerance is determined and clearly expressed.”

References:

• COBIT 5 APO12.06

• ISA 62443-2-1:2009 4.3.2.6.5

• ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3

• NIST SP 800-53 Rev. 4 PM-9

• NIST SP 800-53 Rev. 5 PM-9

Products that help meet the requirement:

• Insider Threat Management

ITM aggregates a user’s organizational risk on the dashboard and thresholds are set based on the overall risk policy.

Supply Chain Risk Management (ID.SC)

Overall goal: “The organization’s priorities, constraints, risk tolerances and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.”

NIST CSF Requirement ID.SC-4

“Suppliers and third-party partners are routinely assessed using audits, test results or other forms of evaluations to confirm they are meeting their contractual obligations.”

References:

• COBIT 5 APO12.05, APO13.02

• ISA 62443-2-1:2009 4.3.2.6.7

• ISA 62443-3-3:2013 SR 6.1

• ISO/IEC 27001:2013 A.15.2.1, A.15.2.2

• NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12

• NIST SP 800-53 Rev. 5 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SR-6

Products that help meet the requirement:

• Enterprise Archive

• Insider Threat Management

Enterprise Archive’s Intelligent Supervision allows organizations to implement a supervisory system to identify, review and address incoming and outgoing email, IM, Bloomberg, voice, SMS, enterprise collaboration and social media communications. It also: maintains audit trails and records of supervisory reviews; monitors and evaluates supervisory procedures to ensure compliance; and retains internal communication and correspondence for the 3- and 6-year retention periods outlined by SEA 17a-4(b).

ITM provides user activity reports that can be downloaded on a daily or weekly basis to evaluate whether contractual obligations are being met.

Identity Management, Authentication and Access Control (PR.AC)

Overall goal: “Access to physical and logical assets and associated facilities is limited to authorized users, processes and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.”

NIST CSF Requirement PR.AC-1

“Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes.”

References:

• CIS CSC V7.1 1, 4, 15, 16

• COBIT 5 DSS05.04, DSS06.03

• ISA 62443-2-1:2009 4.3.3.5.1

• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9

• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3

• NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11

• NIST SP 800-53 Rev. 5 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11

Products that help meet the requirement:

• Enterprise Archive

• Insider Threat Management

In Enterprise Archive, all searches, message views, exports, retrievals and supervisory activities are tracked with complete audit trails and comprehensive reporting. This provides you with complete visibility into compliance tasks, who performed them, and when. All information submitted for storage is indexed. The indexed information is replicated to each location where data is stored. Data can be exported to a variety of formats.

ITM installed on the authorized devices can monitor authorized user access and control access to the device using secondary authentication and service desk integration.

NIST CSF Requirement PR.AC-3

“Remote access is managed.”

References:

• CIS CSC V7.1 12

• COBIT 5 APO13.01, DSS01.04, DSS05.03

• ISA 62443-2-1:2009 4.3.3.6.6

• ISA 62443-3-3:2013 SR 1.13, SR 2.6

• ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1

• NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15

• NIST SP 800-53 Rev. 5 AC-1, AC-17, AC-19, AC-20, SC-15

Products that help meet the requirement:

• Insider Threat Management

ITM can be deployed to terminal services, jump servers/boxes, bastion servers and perimeter servers to restrict access based on a hardware access control list.

NIST CSF Requirement PR.AC-4

“Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.”

References:

• CIS CSC V7.1 3, 5, 12, 14, 15, 16, 18

• COBIT 5 DSS05.04

• ISA 62443-2-1:2009 4.3.3.7.3

• ISA 62443-3-3:2013 SR 2.1

• ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5

• NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24

• NIST SP 800-53 Rev. 5 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24

Products that help meet the requirement:

• CASB

• Insider Threat Management

CASB can update access permissions to files in the SaaS applications it protects, enforcing the principle of least privilege.

ITM can alert on violations of segregation of duties policies, for example, when a Salesforce IT administrator approves a quote. By using ticketing integration with ServiceNow, Remedy, and others, access to servers can be restricted only to users that have the Ticket ID.

NIST CSF Requirement PR.AC-5

“Network integrity is protected (e.g., network segregation, network segmentation).”

References:

• CIS CSC V7.1 9, 12, 13, 14, 15, 18

• COBIT 5 DSS01.05, DSS05.02

• ISA 62443-2-1:2009 4.3.3.4

• ISA 62443-3-3:2013 SR 3.1, SR 3.8

• ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3

• NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7

• NIST SP 800-53 Rev. 5 AC-4, AC-10, SC-7

Products that help meet the requirement:

• Browser Isolation

Browser Isolation can segregate URL categories that are typically used for personal browsing from the corporate network.

NIST CSF Requirement PR.AC-6

“Identities are proofed and bound to credentials and asserted in interactions.”

References:

• CIS CSC V7.1 6

• COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03

• ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4

• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1

• ISO/IEC 27001:2013 A.7.1.1, A.9.2.1

• NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

• NIST SP 800-53 Rev. 5 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

Products that help meet the requirement:

• Insider Threat Management

ITM leverages directory services to control access. As organizations leverage Kerberos-based authentication with additional controls, they serve as a proof and are bound to credentials and asserted in interactions.

NIST CSF Requirement PR.AC-7

“Users, devices and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).”

References:

• CIS CSC V7.1 1, 12, 15, 16

• COBIT 5 DSS05.04, DSS05.10, DSS06.10

• ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9

• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10

• ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4

• NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11

• NIST SP 800-53 Rev. 5 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11

Products that help meet the requirement:

• CASB

• Insider Threat Management

CASB provides Adaptive Access Control features by integrating with identity providers, providing a risk-based response to access control events.

ITM has role-based access so that operators can be separated into viewers, administrators and configuration administrators. Administrators require secondary authentication to view various sensitive data and de-anonymize user data.

Awareness and Training (PR.AT)

Overall goal: “The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information-security-related duties and responsibilities consistent with related policies, procedures and agreements.”

NIST CSF Requirement PR.AT-1

“All users are informed and trained.”

References:

• CIS CSC V7.1 17, 18

• COBIT 5 APO07.03, BAI05.07

• ISA 62443-2-1:2009 4.3.2.4.2

• ISO/IEC 27001:2013 A.7.2.2

• NIST SP 800-53 Rev. 4 AT-2, PM-13

• NIST SP 800-53 Rev. 5 AT-2, PM-13

Products that help meet the requirement:

• Insider Threat Management

• Security Awareness Training

ITM notifies employees of the security policy relating to the workstation they are logging in to and requires acknowledgement of reading the policy prior to allowing access to the machine.

Security Awareness Training offers comprehensive end-user security awareness training across a wide range of security topics.

NIST CSF Requirement PR.AT-2

“Privileged users understand roles and responsibilities.”

References:

• CIS CSC V7.1 4, 17, 18

• COBIT 5 APO07.02, DSS05.04, DSS06.03

• ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3

• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2

• NIST SP 800-53 Rev. 4 AT-3, PM-13

• NIST SP 800-53 Rev. 5 AT-3, PM-13

Products that help meet the requirement:

• Insider Threat Management

• Security Awareness Training

ITM has role-based access so that operators can be separated into viewers, administrators and configuration administrators. Privileged users receive a message on login regarding responsibilities when using a privileged account. Privileged accounts are granted a higher risk rating and tracked based on security and IT best practices.

Security Awareness Training offers training modules tailored to privileged users and other high-value targets.

NIST CSF Requirement PR.AT-3

“Third-party stakeholders (such as suppliers, customers, partners) understand roles and responsibilities.”

References:

• CIS CSC V7.1 17

• COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05

• ISA 62443-2-1:2009 4.3.2.4.2

• ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2

• NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16

• NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16

Products that help meet the requirement:

• Insider Threat Management

• Security Awareness Training

ITM warning notifications can be used to inform third-party stakeholders of responsibilities while using corporate applications and devices.

Security Awareness Training can help outside vendors and partners understand and protect against threats.

NIST CSF Requirement PR.AT-4

“Senior executives understand roles and responsibilities.”

References:

• CIS CSC V7.1 17, 19

• COBIT 5 APO07.03

• ISA 62443-2-1:2009 4.3.2.4.2

• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2

• NIST SP 800-53 Rev. 4 AT-3, PM-13

• NIST SP 800-53 Rev. 5 AT-3, PM-13

Products that help meet the requirement:

• Insider Threat Management

• Security Awareness Training

ITM warning notifications can be used to inform everyone using corporate applications and devices of the corporate acceptable use policy.

Security Awareness Training teaches executives to recognize threats that might affect them and to understand that they are highly targeted.

NIST CSF Requirement PR.AT-5

“Physical and information security personnel understand roles and responsibilities.”

References:

• CIS CSC V7.1 17

• COBIT 5 APO07.03

• ISA 62443-2-1:2009 4.3.2.4.2

• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2

• NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13

• NIST SP 800-53 Rev. 5 IR-2, PM-13, PM-15

Products that help meet the requirement:

• Insider Threat Management

• Security Awareness Training

ITM warning notifications can be used to inform everyone using corporate applications and devices of the corporate acceptable use policy.

Security Awareness Training offers training modules tailored to security personnel.

Data Security (PR.DS)

Overall goal: “Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information.”

NIST CSF Requirement PR.DS-1 “Data at rest is protected.”

References:

• CIS CSC V7.1 10, 13, 14

• COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06

• ISA 62443-3-3:2013 SR 3.4, SR 4.1

• ISO/IEC 27001:2013 A.8.2.3

• NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28

• NIST SP 800-53 Rev. 5 AC-16, MP-8, SC-12, SC-28

Products that help meet the requirement:

• Browser Isolation

• CASB

• Enterprise Archive

• Insider Threat Management

Browser Isolation allows you to set policies to manage potentially risky actions, such as downloads, uploads, copy and paste or key inputs.

CASB implements the same proven DLP detectors applied across email, data at rest and supported cloud applications.

With Proofpoint DoubleBlind™ Key Architecture in Enterprise Archive, all messages, files and other content are encrypted with keys controlled by the customer before archive data reaches Proofpoint data centers.

ITM monitors access to data, both unstructured and within applications, and can alert on misuse and provide proof of who viewed the data.

NIST CSF Requirement PR.DS-2 “Data in transit is protected”

References:

• CIS CSC V7.1 10, 13, 14

• COBIT 5 APO01.06, DSS05.02, DSS06.06

• ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2

• ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3

• NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12

• NIST SP 800-53 Rev. 5 AC-16, SC-8, SC-11, SC-12

Products that help meet the requirement:

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• TAP

CASB has policy-based rules that can automatically enforce risk-appropriate responses to data in transit via integration with its browser isolation technology.

Email Protection can automatically encrypt messages and attachments with complete transparency. Our unified DLP approach can identify and protect sensitive data from being downloaded to untrusted cloud storage, network and unlisted removable media locations. Customers may also enable functionality to mitigate the risk of data loss in outbound email communications.

Enterprise Archive data in transit is protected by TLS before being stored in the Proofpoint cloud.

ITM installed on desktops will capture data transfer to and from applications, file shares and websites. This allows effective enforcement of information transfer policies and procedures.

TAP data in transit is protected by FIPS 140-2 compatible encryption.

NIST CSF Requirement PR.DS-4 “Adequate capacity to ensure availability is maintained.”

References:

• CIS CSC V7.1 6, 10, 13

• COBIT 5 APO13.01, BAI04.04

• ISA 62443-3-3:2013 SR 7.1, SR 7.2

• ISO/IEC 27001:2013 A.12.1.3, A.17.2.1

• NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

• NIST SP 800-53 Rev. 5 AU-4, CP-2, SC-5

Products that help meet the requirement:

• Enterprise Archive

Enterprise Archive allows archived messages to be available even if the customer’s email infrastructure is taken offline. It also supports disaster recovery (DR) to help during catastrophic events.

NIST CSF Requirement PR.DS-5 “Protections against data leaks are implemented.”

References:

• CIS CSC V7.1 13

• COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02

• ISA 62443-3-3:2013 SR 5.2

• ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3

• NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

• NIST SP 800-53 Rev. 5 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

Products that help meet the requirement:

• Browser Isolation

• CASB

• Insider Threat Management

Browser Isolation policies can restrict use of upload, download, copy and paste functionality, and key inputs.

CASB guards against leaks of private and confidential information in cloud SaaS applications with highly accurate detection and prevention using smart identifiers and managed dictionaries. If sensitive data is detected, policies can be enforced to prevent data from being accessed or shared, except by intended recipients.

With the ITM library, detection can be enabled to respond to data-loss and sabotage incidents. The solution monitors access to both unstructured data and data within applications. It can also provide proof of who accessed and viewed data.

NIST CSF Requirement PR.DS-6 “Integrity checking mechanisms are used to verify software, firmware and information integrity.”

References:

• CIS CSC V7.1 2, 5

• COBIT 5 APO01.06, BAI06.01, DSS06.02

• ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8

• ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4

• NIST SP 800-53 Rev. 4 SC-16, SI-7

• NIST SP 800-53 Rev. 5 SC-16, SI-7

Products that help meet the requirement:

• Enterprise Archive

Ongoing integrity is maintained by a digital fingerprinting process that ensures MD5 values match those stored at the time of archiving.

NIST CSF Requirement PR.DS-7 “The development and testing environment(s) are separate from the production environment.”

References:

• CIS CSC V7.1 18, 20

• COBIT 5 BAI03.08, BAI07.04

• ISO/IEC 27001:2013 A.12.1.4

• NIST SP 800-53 Rev. 4 CM-2

• NIST SP 800-53 Rev. 5 CM-2

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• TAP

• TRAP

Proofpoint solutions can be deployed in different environments to separate production, development, testing, etc.

With ITM, ticketing integration can enforce separation by granting access only to permitted users. Developers who are not permitted to log into a production system will not be able to access it. ITM installed on a jump server can monitor access to production environments, keeping environments separate while allowing “break glass” access for maintenance and troubleshooting purposes.

Information Protection Processes and Procedures (PR.IP)

Overall goal: “Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.”

NIST CSF Requirement PR.IP-1 “A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality).”

References:

• CIS CSC V7.1 3, 9, 11

• COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05

• ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3

• ISA 62443-3-3:2013 SR 7.6

• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4

• NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

• NIST SP 800-53 Rev. 5 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

Products that help meet the requirement:

• Browser Isolation

• Insider Threat Management

Browser Isolation destroys the used browser at the end of the browsing session. A new browser using baseline configuration is provided for new browser sessions.

ITM is integrated into service management tools such as Remedy and ServiceNow to require an approved ticket before providing access to systems. The ITM application fully audits all administrative changes, health events and attempts to tamper with the agent. ITM alerts can be set on specific configuration files to notify and record any changes made to these files.

NIST CSF Requirement PR.IP-3 “Configuration change control processes are in place.”

References:

• CIS CSC V7.1 3, 11

• COBIT 5 BAI01.06, BAI06.01

• ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3

• ISA 62443-3-3:2013 SR 7.6

• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4

• NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

• NIST SP 800-53 Rev. 5 CM-3, CM-4, SA-10

Products that help meet the requirement:

• Insider Threat Management

ITM reports are set up to track configuration changes and make sure that change control processes are effective and controlled.

NIST CSF Requirement PR.IP-4 “Backups of information are conducted, maintained and tested.”

References:

• CIS CSC V7.1 10

• COBIT 5 APO13.01, DSS01.01, DSS04.07

• ISA 62443-2-1:2009 4.3.4.3.9

• ISA 62443-3-3:2013 SR 7.3, SR 7.4

• ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3

• NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9

• NIST SP 800-53 Rev. 5 CP-4, CP-6, CP-9

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• Security Awareness Training

• TAP

• TRAP

Automated backup systems are in place to perform scheduled backups of Proofpoint-hosted production data and systems at predefined times.

NIST CSF Requirement PR.IP-6 “Data is destroyed according to policy.”

References:

• COBIT 5 BAI09.03, DSS05.06

• ISA 62443-2-1:2009 4.3.4.4.4

• ISA 62443-3-3:2013 SR 4.2

• ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7

• NIST SP 800-53 Rev. 4 MP-6

• NIST SP 800-53 Rev. 5 MP-6

Products that help meet the requirement:

• Enterprise Archive

Enterprise Archive helps firms to meet regulatory requirements by archiving all messages and content according to compliance retention policies.

NIST CSF Requirement PR.IP-7 “Protection processes are improved”

References:

• COBIT 5 BAI09.03, DSS05.06

• ISA 62443-2-1:2009 4.3.4.4.4

• ISA 62443-3-3:2013 SR 4.2

• ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7

• NIST SP 800-53 Rev. 4 MP-6

• NIST SP 800-53 Rev. 5 MP-6

Products that help meet the requirement:

• Browser Isolation

• Email Protection

Browser Isolation protects users from phishing and malware attacks that are delivered through the web browser.

Email Protection leverages user bulk mail actions to improve the accuracy of future detection and classification.

NIST CSF Requirement PR.IP-11 “Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening).”

References:

• CIS CSC V7.1 5, 16

• COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05

• ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3

• ISO/IEC 27001:2013 A.7.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3, A.7.3.1, A.8.1.4

• NIST SP 800-53 Rev. 4 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21

• NIST SP 800-53 Rev. 5 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21

Products that help meet the requirement:

• Security Awareness Training

Security Awareness Training integrates with HR training initiatives, specifically new-hire onboarding and ongoing training and assessment activities.

Protective Technology (PR.PT)

Overall goal: “Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures and agreements.”

NIST CSF Requirement PR.PT-1 “Audit/log records are determined, documented, implemented and reviewed in accordance with policy”

References:

• CIS CSC V7.1 1, 3, 5, 6, 14, 15, 16

• COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01

• ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4

• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12

• ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1

• NIST SP 800-53 Rev. 4 AU Family

• NIST SP 800-53 Rev. 5 AU Family

Products that help meet the requirement:

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• TAP

CASB provides contextual log record data containing user, location, device, network and login time, and performs behavioral analytics to monitor for unusual or suspicious use activity.

Email Protection log files are exported to SIEM tools. Network activity is monitored for unusual activity.

Enterprise Archive tracks all searches, message views, exports, retrievals and supervisory activities with complete audit trails and comprehensive reporting.

Enterprise Archive’s Intelligent Supervision allows organizations to implement a supervisory system to identify, review and address incoming and outgoing email, IM, Bloomberg, voice, SMS, enterprise collaboration and social media communications. It also: maintains audit trails and records of supervisory reviews; monitors and evaluates supervisory procedures to ensure compliance; and retains internal communication and correspondence for the 3- and 6-year retention periods outlined by SEA 17a-4(b).

ITM records all user activity on desktops, in applications and on servers. Applications that do not produce logs are also audited.

TAP system log files (including network activity) are exported to SIEM tools, which monitor for unusual activity.

NIST CSF Requirement PR.PT-2 “Removable media is protected, and its use restricted according to policy.”

References:

• CIS CSC V7.1 8, 13

• COBIT 5 APO13.01, DSS05.02, DSS05.06

• ISA 62443-3-3:2013 SR 2.3

• ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9

• NIST SP 800-53 Rev. 4 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8

• NIST SP 800-53 Rev. 5 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8

Products that help meet the requirement:

• Email Protection

• Insider Threat Management

Email Protection can enforce DLP and encryption rules to protect sensitive data in email from being downloaded to unlisted removable media.

ITM detects the utilization of removable media and restricts it according to policies.

NIST CSF Requirement PR.PT-3 “The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.”

References:

• CIS CSC V7.1 3, 11, 14

• COBIT 5 DSS05.02, DSS05.05, DSS06.06

• ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4

• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7

• ISO/IEC 27001:2013 A.9.1.2

• NIST SP 800-53 Rev. 4 AC-3, CM-7

• NIST SP 800-53 Rev. 5 AC-3, CM-7

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• TAP

Browser Isolation enables risk-based isolation for URL clicks within corporate emails.

CASB disables user functions based on policies and behavioral analytics.

Email Protection restricts access to restricted file types.

Enterprise Archive only allows access to email and supervision data to assigned users, according to company policies.

ITM integration with ticketing systems limits access based on an active approved service ticket. Secondary authentication and blocking messages enhance access controls on the network. Also, implementing ITM on a jump server allows you to restrict access to network devices so that it goes only through the jump server. All access would then be recorded.

TAP uses re-written URLs to restrict access to malicious sites.

NIST CSF Requirement PR.PT-4 “Communications and control networks are protected.”

References:

• CIS CSC V7.1 8, 12, 15

• COBIT 5 DSS05.02, APO13.01

• ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6

• ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3

• NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43

• NIST SP 800-53 Rev. 5 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43

Products that help meet the requirement:

• Insider Threat Management

ITM records all activity on the systems, ICA, RDP, VPN, SSH and Telnet protocols including granular recording of SFTP communications and commands. This allows for effective enforcement of information transfer policies and procedures.

NIST CSF Requirement PR.PT-5 “Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.”

References:

• COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05

• ISA 62443-2-1:2009 4.3.2.5.2

• ISA 62443-3-3:2013 SR 7.1, SR 7.2

• ISO/IEC 27001:2013 A.17.1.2, A.17.2.1

• NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6

• NIST SP 800-53 Rev. 5 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6

Products that help meet the requirement:

• CASB

• Browser Isolation

• Email Protection

• Enterprise Archive

• Insider Threat Management

• Security Awareness Training

• TAP

• TRAP

Our solutions use a cloud architecture with jurisdictional assurance when needed, via paired and geographically distributed data centers located in the United States, Canada, the Netherlands and Germany.

Anomalies and Events (DE.AE)

Overall goal: “Anomalous activity is detected in a timely manner and the potential impact of events is understood.”

NIST CSF Requirement DE.AE-1 “A baseline of network operations and expected data flows for users and systems is established and managed.”

References:

• CIS CSC V7.1 1, 4, 6, 12, 13, 15, 16

• COBIT 5 DSS03.01

• ISA 62443-2-1:2009 4.4.3.3

• ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2

• NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4

• NIST SP 800-53 Rev. 5 AC-4, CA-3, CM-2, SI-4

Products that help meet the requirement:

• CASB

• Email Protection

• Insider Threat Management

• Security Awareness Training

CASB and Email Protection DLP features provide visibility and protection across sensitive data in transit, at rest or in use. Examples include alerting when users upload sensitive data to cloud applications or SharePoint sites, or attempt to exfiltrate it via email.

ITM collects data from endpoints (applications, IT infrastructure), creating indexed, searchable activity logs and recorded sessions that can be used to establish a baseline via our “user mode” agent. You can deploy the solution without out-of-the-box alerts to see user behavior with files, systems and applications. This data can be sent to a SIEM or other tools for further analysis.

Security Awareness Training detects whether someone is susceptible to phishing.

NIST CSF Requirement DE.AE-2 “Detected events are analyzed to understand attack targets and methods.”

References:

• CIS CSC V7.1 13, 14

• COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06

• ISA 62443-3-3:2013 SR 3.4, SR 4.1

• ISO/IEC 27001:2013 A.8.2.3

• NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28

• NIST SP 800-53 Rev. 5 MP-8, SC-12, SC-28

Products that help meet the requirement:

• CASB

• Email Protection

• PTIS

• Security Awareness Training

• TAP

CASB applies threat intelligence to detect attack targets and methods.

Email Protection examines body and file attachments to detect known malware threats and quarantine emails/files. Email DLP features allow detection and prevention of sensitive data transfer.

ITM alerts clearly specify the applications, files or servers that were involved in user actions leading to an alert. In addition, alerts can be configured to detect attack methods and targets, for example by alerting on SU and SUDO abuse or suspicious FTP, RDP or SSH connections.

PTIS provides even deeper individualized context from security analysts about specific targeted attacks.

Security Awareness Training detects and reports on which user targets are susceptible to specific attack types.

TAP examines email body and file attachments to detect known and zero-day threats with file signatures, file sandboxing and URL analysis.

NIST CSF Requirement DE.AE-3 “Event data are aggregated and correlated from multiple sources and sensors.”

References:

• CIS CSC V7.1 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16

• COBIT 5 BAI08.02

• ISA 62443-3-3:2013 SR 6.1

• ISO/IEC 27001:2013 A.12.4.1, A.16.1.7

• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

• NIST SP 800-53 Rev. 5 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

Products that help meet the requirement:

• Email Protection

• Enterprise Archive

• Insider Threat Management

• PTIS

• Security Awareness Training

• TAP

Email Protection collects events from email firewall, antivirus and spam modules.

Enterprise Archive provides a single, unified interface for electronic communications including email, IM, Bloomberg, voice, SMS, enterprise collaboration and social content.

ITM collects event data (user activity) from sensors on various endpoints including Windows, Macintosh and Linux/UNIX machines. The information can also be exported into an aggregator tool such as a SIEM or UBA tool.

PTIS provides even deeper individualized context from security analysts about specific targeted attacks.

Security Awareness Training reporting is available for training and simulated phishing activities.

TAP events are collected from file signature, file sandboxing and URL analysis modules.

NIST CSF Requirement DE.AE-4 “Impact of events is determined.”

References:

• CIS CSC V7.1 6

• COBIT 5 APO12.06, DSS03.01

• ISO/IEC 27001:2013 A.16.1.4

• NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4

• NIST SP 800-53 Rev. 5 CP-2, IR-4, RA-3, SI-4

Products that help meet the requirement:

• Email Protection

• Insider Threat Management

• PTIS

• TAP

Email Protection uses TAP to filter content and URLs for benign or malicious intent.

ITM scores events (including description of the impact and required action) based on alert rules that are provided out of the box. It can also be modified according to the customer’s environment.

PTIS utilizes human effort to discuss system, network and operational impact risks with customers as detected and unmitigated threats are reviewed.

NIST CSF Requirement DE.AE-5 “Incident alert thresholds are established.”

References:

• CIS CSC V7.1 6, 19

• COBIT 5 APO12.06, DSS03.01

• ISA 62443-2-1:2009 4.2.3.10

• ISO/IEC 27001:2013 A.16.1.4

• NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8

• NIST SP 800-53 Rev. 5 IR-4, IR-5, IR-8

Products that help meet the requirement:

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• TAP

CASB allows rules to be tuned for alert thresholds, for example, when a specific number of DLP policy violations have occurred.

Email policies are configurable to determine disposition of benign or malicious content.

Enterprise Archive alerts are configured to fire:

• if no email has been archived or received within a certain amount of time

• for messages that cannot be archived correctly

• for archiving queue sizes that have grown too large.

ITM provides alert severity thresholds out of the box. These can be modified by the operator for each user, user group, application and alert. The user activity profile baselines user activities and provides insights and thresholds for application usage, web access and account/machine use.

TAP alerts administrators when it discovers a potential threat.

Security Continuous Monitoring (DE.CM)

Overall goal: “The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.”

NIST CSF Requirement DE.CM-1 “The network is monitored to detect potential cybersecurity events.”

References:

• CIS CSC V7.1 1, 7, 8, 12, 13, 15, 16

• COBIT 5 DSS01.03, DSS03.05, DSS05.07

• ISA 62443-3-3:2013 SR 6.2

• NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

• NIST SP 800-53 Rev. 5 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• TAP

Browser Isolation enables risk-based isolation for URL clicks within corporate emails.

CASB provides the capability to monitor activity on the customer cloud SaaS environment for cybersecurity events such as suspicious logins, malware and anomalous activity.

Email Protection and TAP monitor the network for unusual email activity.

NIST CSF Requirement DE.CM-2 “The physical environment is monitored to detect potential cybersecurity events”

References:

• COBIT 5 A.11.1.1, A.11.1.2

• ISA 62443-2-1:2009 4.3.3.3.8

• ISO/IEC 27001:2013 A.11.1.1, A.11.1.2

• NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20

• NIST SP 800-53 Rev. 5 CA-7, PE-3, PE-6, PE-20

Products that help meet the requirement:

• Insider Threat Management

ITM provides host-based intelligence for physical and virtual user access platforms.

NIST CSF Requirement DE.CM-3 “Personnel activity is monitored to detect potential cybersecurity events.”

References:

• CIS CSC V7.1 1, 7, 8, 12, 13, 15, 16

• COBIT 5 DSS01.03, DSS03.05, DSS05.07

• ISA 62443-3-3:2013 SR 6.2

• NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

• NIST SP 800-53 Rev. 5 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Insider Threat Management

• Security Awareness Training

• TAP

Browser Isolation can run in anonymous mode to meet privacy requirements or monitor personnel activity.

CASB monitors activity by personnel in SaaS applications. It can detect cybersecurity events such as staging internal attacks with compromised accounts.

Email Protection and TAP log and archive administrative activity.

ITM monitors all user activity on endpoints and detects risky activity based on insider threat alerts. Endpoints include desktops, servers and within applications.

Security Awareness Training phishing simulation data can be used to detect potential real-world events.

NIST CSF Requirement DE.CM-4 “Malicious code is detected.”

References:

• CIS CSC V7.1 5, 7, 14, 16

• COBIT 5 DSS01.04, DSS01.05

• ISA 62443-2-1:2009 4.3.3.3.8

• ISO/IEC 27001:2013 A.11.1.1, A.11.1.2

• NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20

• NIST SP 800-53 Rev. 5 CA-7, PE-3, PE-6, PE-20

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• TAP

Browser Isolation can identify malicious code located in email or web applications.

CASB is integrated with TAP sandboxing technology for malware detection.

Email Protection detects malicious code in email with antivirus software using file signature analysis and file sandboxing.

NIST CSF Requirement DE.CM-5 “Unauthorized mobile code is detected.”

References:

• CIS CSC V7.1 7, 8

• COBIT 5 DSS05.01

• ISA 62443-2-1:2013 SR 2.4

• ISO/IEC 27001:2013 A.12.5.1, A.12.6.2

• NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44

• NIST SP 800-53 Rev. 5 SC-18, SI-4, SC-44

Products that help meet the requirement:

• CASB

• Email Protection

• TAP

CASB can detect third-party applications that maintain access to protected SaaS applications via an OAuth token, as commonly installed on mobile devices.

Email Protection and TAP detect malicious code in email with antivirus software, using file signature analysis and file sandboxing.

NIST CSF Requirement DE.CM-6 “External service provider activity is monitored to detect potential cybersecurity events.”

References:

• COBIT 5 DSS05.01

• ISO/IEC 27001:2013 A.14.2.7, A.15.2.1

• NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

• NIST SP 800-53 Rev. 5 CA-7, PS-7, SA-4, SA-9, SI-4

Products that help meet the requirement:

• CASB

• Email Protection

• Insider Threat Management

DLP features in CASB and Email Protection provide visibility and protection across sensitive data in transit.

ITM monitors all activity by third-party personnel and vendors using endpoints or virtualized environments provided by first-party organizations. The solution also detects risky activity based on insider threat alerts. The typical deployment is done by monitoring external service provider machines either through ingress machines or egress services.

NIST CSF Requirement DE.CM-7 “Monitoring for unauthorized personnel, connections, devices and software is performed.”

References:

• CIS CSC V7.1 1, 2, 3, 5, 9, 12, 13, 15, 16

• COBIT 5 DSS05.02, DSS05.05

• ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1

• NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

• NIST SP 800-53 Rev. 5 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

Products that help meet the requirement:

• Email Protection

• Insider Threat Management

Email Protection can block emails to and from invalid or unknown recipients.

ITM can send insider threat alerts focused on unauthorized software usage and privilege escalation and abuse. This provides visibility on unauthorized and authorized personnel and access/software.

NIST CSF Requirement DE.CM-8

“Vulnerability scans are performed.”

References:

• CIS CSC V7.1 4, 20

• COBIT 5 BAI03.10, DSS05.01

• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7

• ISO/IEC 27001:2013 A.12.6.1

• NIST SP 800-53 Rev. 4 RA-5

• NIST SP 800-53 Rev. 5 RA-5


Products that help meet the requirement:

• Security Awareness Training

• TAP

In Security Awareness Training, vulnerability detection is available when executing phishing simulations. Plugin detection provides options for scanning Java, Silverlight, QuickTime, Adobe Flash, Windows Media Player, Adobe PDF and RealPlayer.

TAP analyzes file attachments and URLs for known and unknown vulnerabilities.

Detection Processes (DE.DP)

Overall goal: “Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.”

NIST CSF Requirement DE.DP-2

“Detection activities comply with all applicable requirements.”

References:

• COBIT 5 DSS06.01, MEA03.03, MEA03.04

• ISA 62443-2-1:2009 4.4.3.2

• ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3

• NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, SA-18, SI-4, PM-14

• NIST SP 800-53 Rev. 5 AC-25, CA-2, CA-7, SA-18, SI-4, PM-14

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Insider Threat Management

• PTIS

• Security Awareness Training

• TAP

• TRAP

Proofpoint solutions allow for customized configurations to meet applicable business requirements.

NIST CSF Requirement DE.DP-3

“Detection processes are tested”

References:

• COBIT 5 APO13.02, DSS05.02

• ISA 62443-2-1:2009 4.4.3.2

• ISA 62443-3-3:2013 SR 3.3

• ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3

• NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, SI-3, SI-4, PM-14

• NIST SP 800-53 Rev. 5 CA-2, CA-7, PE-3, SI-3, SI-4, PM-14

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• Security Awareness Training

• TAP

• TRAP

During the deployment phase, Proofpoint Professional Services helps tune and validate that detection scenarios are functioning as expected.

NIST CSF Requirement DE.DP-4

“Event detection information is communicated to appropriate parties.”

References:

• CIS CSC V7.1 19

• COBIT 5 APO08.04, APO12.06, DSS02.05

• ISA 62443-2-1:2009 4.3.4.5.9

• ISA 62443-3-3:2013 SR 6.1

• ISO/IEC 27001:2013 A.16.1.2, A.16.1.3

• NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4

• NIST SP 800-53 Rev. 5 AU-6, CA-2, CA-7, RA-5, SI-4


Products that help meet the requirement:

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• TAP

CASB facilitates the communication of event detection information using automatically generated reports or an API feed.

Email Protection events are sent to the TAP dashboard and log files, which can be exported to SIEM tools.

Enterprise Archive’s Intelligent Supervision detects fraud and various other activity within the company’s email infrastructure.

ITM can provide end users with alternatives to complete their jobs based on the violation and increase awareness of relevant security policies.

NIST CSF Requirement DE.DP-5

“Detection processes are continuously improved.”

References:

• COBIT 5 APO12.06, DSS04.05

• ISA 62443-2-1:2009 4.4.3.4

• ISO/IEC 27001:2013 A.16.1.6

• NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14

• NIST SP 800-53 Rev. 5 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14

Products that help meet the requirement:

• CASB

• Email Protection

• Enterprise Archive

• Insider Threat Management

• TAP

With ongoing use of CASB, maturity can be enhanced by using auto-remediation to provide risk-appropriate responses.

Email Protection antivirus and spam signatures are continuously improved and updated.

Enterprise Archive’s Intelligent Supervision reviews detected information for increased training.

ITM teams provide additional insider threat analyst services to help operators improve their detection.

TAP adds newly identified malicious files to the shared file reputation database.

Analysis (RS.AN)

Overall goal: “Analysis is conducted to ensure adequate response and support recovery activities.”

NIST CSF Requirement RS.AN-1

“Notifications from detection systems are investigated.”

References:

• CIS CSC V7.1 4, 6, 8, 19

• COBIT 5 DSS02.04, DSS02.07

• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8

• ISA 62443-3-3:2013 SR 6.1

• ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5

• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4

• NIST SP 800-53 Rev. 5 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4

Products that help meet the requirement:

• CASB

• Email Protection

• Insider Threat Management

• TAP

• TRAP

CASB contains management and investigation features for incidents detected in protected cloud SaaS applications.

With Email Protection, customer administrators receive detection alerts through the TAP dashboard and SIEM log files. Security administrators use these event notifications in their incident response processes.

Alerts from ITM are sent to administrators (or SIEM), who can review timelines of file movement, email exchanges and user activity to investigate the alerts. Reports can be automated to support investigation.

TRAP alerts contain relevant threat information for investigation purposes.


NIST CSF Requirement RS.AN-2

“The impact of the incident is understood.”

References:

• COBIT 5 DSS02.02

• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8

• ISO/IEC 27001:2013 A.16.1.4, A.16.1.6

• NIST SP 800-53 Rev. 4 CP-2, IR-4

• NIST SP 800-53 Rev. 5 CP-2, IR-4

Products that help meet the requirement:

• CASB

• Email Protection

• Insider Threat Management

• TAP

• TRAP

CASB provides multiple easy-to-navigate views from the user, file, alert and activity perspective to easily analyze an incident. This enhances the understanding of the impact and speeds up analysis of events.

Email Protection administrators receive detection alerts through the TAP dashboard and SIEM log files. Security administrators use these event notifications in their incident response processes.

ITM provides context of user actions. Alerts are configured to include the description of the impact of the event and the required response plan.

TRAP alerts contain relevant threat information on impact for investigation purposes.

NIST CSF Requirement RS.AN-3

“Forensics are performed.”

References:

• COBIT 5 APO12.06, DSS03.02, DSS05.07

• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1

• ISO/IEC 27001:2013 A.16.1.7

• NIST SP 800-53 Rev. 4 AU-7, IR-4

• NIST SP 800-53 Rev. 5 AU-7, IR-4

Products that help meet the requirement:

• Email Protection

• Enterprise Archive

• Insider Threat Management

• PTIS

• TAP

• TRAP

Email Protection administrators receive detection alerts through the TAP dashboard and SIEM log files. Security administrators use these event notifications in their incident response processes.

Enterprise Archive lets you search communications to investigate issues.

ITM’s recorded sessions and logs are stored securely and provide unrepudiated, forensic evidence on exactly what happened during an incident.

PTIS provides sandbox forensics for comparison with endpoint or SIEM.

TRAP alerts contain relevant threat information on impact for investigation purposes.

NIST CSF Requirement RS.AN-4

“Incidents are categorized consistent with response plans.”

References:

• CIS CSC VER. 7.1 19

• COBIT 5 DSS02.02

• ISA 62443-2-1:2009 4.3.4.5.6

• ISO/IEC 27001:2013 A.16.1.7

• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8

• NIST SP 800-53 Rev. 5 CP-2, IR-4, IR-5, IR-8

Products that help meet the requirement:

• CASB

• Email Protection

• Insider Threat Management

• PTIS

• TAP

• TRAP


CASB allows incidents to be categorized as suspicious login, suspicious activity, data and data leakage incidents.

Email Protection administrators receive detection alerts through the TAP dashboard and SIEM log files. Security administrators use these event notifications in their incident response processes.

ITM helps you quickly understand user activity and data movement for high-risk users. Accelerate incident response by leveraging context to understand the who, what, where, when and why of alerts.

PTIS provides sandbox forensics for comparison with endpoint or SIEM. It also utilizes human effort to communicate at-risk targets receiving unmitigated threats.

TRAP allows you to leverage Proofpoint Threat Intelligence as well as third-party threat intelligence such as STIX/TAXII feeds, WHOIS, VirusTotal, Soltra and MaxMind. All of this helps you understand the “who, what and where” of attacks, quickly triage and prioritize incoming events, and off-load repetitive tasks.

NIST CSF Requirement RS.AN-5

“Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins or security researchers).”

References:

• CIS CSC VER. 7.1 19

• COBIT 5 DSS02.02

• ISA 62443-2-1:2009 4.3.4.5.6

• ISO/IEC 27001:2013 A.16.1.7

• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8

• NIST SP 800-53 Rev. 5 CP-2, IR-4, IR-5, IR-8

Products that help meet the requirement:

• Insider Threat Management

• Security Awareness Training

Alerts can be configured with information (including notifications) and additional context provided by ITM to help with investigations.

Security Awareness Training phishing simulation reporting provides internal data for determining vulnerabilities to phishing.

Mitigation (RS.MI)

Overall goal: “Activities are performed to prevent expansion of an event, mitigate its effects and eradicate the incident.”

NIST CSF Requirement RS.MI-1

“Incidents are contained.”

References:

• CIS CSC VER. 7.1 19

• COBIT 5 APO12.06

• ISA 62443-2-1:2009 4.3.4.5.6

• ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4

• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5

• NIST SP 800-53 Rev. 4 IR-4

• NIST SP 800-53 Rev. 5 IR-4

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Insider Threat Management

• TAP

• TRAP

Browser Isolation contains potentially malicious code in the browsers that are in the isolation platform. Potentially malicious code execution is not transmitted to the user’s computer.

CASB provides auto remediation as well as manual containment of suspicious login, suspicious activity and data leakage incidents.

Email Protection identifies and blocks threats at the gateway.

ITM enables operators to choose between a variety of risk response options. These range from simple alerts to security teams, to real-time warning notifications, to closing an application or logging users out of their sessions.

In TAP, malicious emails are sent to quarantine for analysis by security administrators.

When a malicious email is detected, TRAP will analyze emails and automatically remove any malicious messages. TRAP also moves unwanted emails that have reached end-user inboxes to quarantine.


NIST CSF Requirement RS.MI-2

“Incidents are mitigated.”

References:

• CIS CSC VER. 7.1 4, 19

• COBIT 5 APO12.06

• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10

• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5

• NIST SP 800-53 Rev. 4 IR-4

• NIST SP 800-53 Rev. 5 IR-4

Products that help meet the requirement:

• Browser Isolation

• CASB

• Email Protection

• Insider Threat Management

• TAP

• TRAP

Browser Isolation destroys the used browser at the end of the browsing session. A new browser using baseline configuration is provided for new browser sessions.

CASB provides auto and manual mitigation of suspicious login, suspicious activity and data leakage incidents.

Email Protection automatically removes malicious emails from inboxes if email threats are detected. Optional email encryption features enable emails leaving the organization that contain sensitive data to be automatically encrypted using policy-based encryption.

ITM enables operators to choose between a variety of risk response options. These range from simple alerts to security teams, to real-time warning notifications, to closing an application or logging users out of their sessions. The audit reports capture the activity, alert and response by default. This can be used for risk mitigation and compliance purposes.

TAP removes and quarantines malicious content from emails before forwarding.

TRAP analyzes emails and automatically removes any malicious messages. TRAP also moves unwanted emails that have reached end-user inboxes to quarantine.

NIST CSF Requirement RS.MI-3

“Newly identified vulnerabilities are mitigated or documented as accepted risks.”

References:

• CIS CSC VER. 7.1 4

• COBIT 5 APO12.06

• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10

• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5

• NIST SP 800-53 Rev. 4 IR-4

• NIST SP 800-53 Rev. 5 IR-4

Products that help meet the requirement:

• Insider Threat Management

• TAP

ITM is updated, and as part of updating the alerts, new vulnerabilities or social engineering patterns are identified. These can be leveraged to update alerts.

TAP adds newly identified malicious files to the shared file reputation database.

Recovery Planning (RC.RP)

Overall goal: “Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.”

NIST CSF Requirement RC.RP-1

“Recovery plan is executed during or after a cybersecurity incident.”

References:

• CIS CSC VER. 7.1 10

• COBIT 5 APO12.06, DSS02.05, DSS03.04

• ISO/IEC 27001:2013 A.16.1.5

• NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8

• NIST SP 800-53 Rev. 5 CP-10, IR-4, IR-8

Products that help meet the requirement:

• Insider Threat Management

ITM integration capabilities (such as ServiceDesk) are triggered by alerts and can initiate a recovery plan.


Quick Reference Tables

The charts below demonstrate how Proofpoint products fit into the NIST Framework Core Functions: Identify, Protect, Detect, Respond, Recover.

IDENTIFY

“Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.”

| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| ID.AM-1: Physical devices and systems within the organization are inventoried | N | N | N | N | Y | N | N | N | N |
| ID.AM-2: Software platforms and applications within the organization are inventoried | N | Y | N | N | Y | N | N | N | N |
| ID.AM-3: Organizational communication and data flows are mapped | N | N | N | N | N | N | N | N | N |
| ID.AM-4: External information systems are catalogued | N | N | N | N | N | N | N | N | N |
| ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel and software) are prioritized based on their classification, criticality and business value | N | N | N | Y | Y | N | N | N | N |
| ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | N | N | N | N | N | N | N | N | N |
| ID.BE-1: The organization’s role in the supply chain is identified and communicated | N | N | N | N | Y | Y | N | N | N |
| ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | N | N | N | N | N | Y | N | N | N |


| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| ID.BE-3: Priorities for organizational mission, objectives and activities are established and communicated | N | N | N | N | N | Y | N | N | N |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established | N | N | N | N | N | N | N | N | N |
| ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations) | N | N | N | N | N | N | N | N | N |
| ID.GV-1: Organizational cybersecurity policy is established and communicated | N | N | N | N | Y | N | N | N | N |
| ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | N | N | N | N | N | N | N | N | N |
| ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | N | N | N | Y | N | N | N | N | N |
| ID.GV-4: Governance and risk management processes address cybersecurity risks | N | N | N | N | N | N | N | N | N |
| ID.RA-1: Asset vulnerabilities are identified and documented | N | N | N | N | N | N | Y | N | N |
| ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | Y | Y | Y | N | N | Y | Y | Y | N |
| ID.RA-3: Threats, both internal and external, are identified and documented | Y | Y | Y | N | Y | Y | Y | Y | N |
| ID.RA-4: Potential business impacts and likelihoods are identified | N | Y | Y | N | Y | Y | N | Y | N |
| ID.RA-5: Threats, vulnerabilities, likelihoods and impacts are used to determine risk | Y | Y | Y | N | Y | Y | N | Y | Y |
| ID.RA-6: Risk responses are identified and prioritized | Y | Y | Y | N | Y | Y | N | Y | Y |


| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| ID.RM-1: Risk management processes are established, managed and agreed to by organizational stakeholders | N | N | N | N | N | N | N | N | N |
| ID.RM-2: Organizational risk tolerance is determined and clearly expressed | N | N | N | N | Y | N | N | N | N |
| ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | N | N | N | N | N | N | N | N | N |
| ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed and agreed to by organizational stakeholders | N | N | N | N | N | N | N | N | N |
| ID.SC-2: Suppliers and third-party partners of information systems, components and services are identified, prioritized and assessed using a cyber supply chain risk assessment process | N | N | N | N | N | N | N | N | N |
| ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. | N | N | N | N | N | N | N | N | N |
| ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results or other forms of evaluations to confirm they are meeting their contractual obligations. | N | N | N | Y | Y | N | N | N | N |
| ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | N | N | N | N | N | N | N | N | N |


PROTECT

“Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.”

| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| PR.AC-1: Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes | N | N | N | Y | Y | N | N | N | N |
| PR.AC-2: Physical access to assets is managed and protected | N | N | N | N | N | N | N | N | N |
| PR.AC-3: Remote access is managed | N | N | N | N | Y | N | N | N | N |
| PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | N | Y | N | N | Y | N | N | N | N |
| PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | Y | N | N | N | N | N | N | N | N |
| PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | N | N | N | N | Y | N | N | N | N |
| PR.AC-7: Users, devices and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | N | Y | N | N | Y | N | N | N | N |
| PR.AT-1: All users are informed and trained | N | N | N | N | Y | N | Y | N | N |
| PR.AT-2: Privileged users understand their roles and responsibilities | N | N | N | N | Y | N | Y | N | N |
| PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | N | N | N | N | Y | N | Y | N | N |
| PR.AT-4: Senior executives understand their roles and responsibilities | N | N | N | N | Y | N | Y | N | N |


| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | N | N | N | N | Y | N | Y | N | N |
| PR.DS-1: Data at rest is protected | Y | Y | N | Y | Y | N | N | N | N |
| PR.DS-2: Data in transit is protected | N | Y | Y | Y | Y | N | N | N | N |
| PR.DS-3: Assets are formally managed throughout removal, transfers and disposition | N | N | N | N | N | N | N | N | N |
| PR.DS-4: Adequate capacity to ensure availability is maintained | N | N | N | Y | N | N | N | N | N |
| PR.DS-5: Protections against data leaks are implemented | Y | Y | N | N | Y | N | N | N | N |
| PR.DS-6: Integrity checking mechanisms are used to verify software, firmware and information integrity | N | N | N | Y | N | N | N | N | N |
| PR.DS-7: The development and testing environment(s) are separate from the production environment | N | N | N | Y | Y | N | N | N | N |
| PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | N | N | N | N | N | N | N | N | N |
| PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality) | Y | N | N | N | Y | N | N | N | N |
| PR.IP-2: A System Development Life Cycle to manage systems is implemented | N | N | N | N | N | N | N | N | N |
| PR.IP-3: Configuration change control processes are in place | N | N | N | N | Y | N | N | N | N |
| PR.IP-4: Backups of information are conducted, maintained and tested | Y | Y | Y | Y | Y | N | N | Y | Y |
| PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | N | N | N | N | N | N | N | N | N |
| PR.IP-6: Data is destroyed according to policy | N | N | N | Y | N | N | N | N | N |


| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| PR.IP-7: Protection processes are improved | Y | N | Y | N | N | N | N | N | N |
| PR.IP-8: Effectiveness of protection technologies is shared | N | N | N | N | N | N | N | N | N |
| PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | N | N | N | N | N | N | N | N | N |
| PR.IP-10: Response and recovery plans are tested | N | N | N | N | N | N | N | N | N |
| PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | N | N | N | N | N | N | Y | N | N |
| PR.IP-12: A vulnerability management plan is developed and implemented | N | N | N | N | N | N | N | N | N |
| PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | N | N | N | N | N | N | N | N | N |
| PR.MA-2: Remote maintenance of organizational assets is approved, logged and performed in a manner that prevents unauthorized access | N | N | N | N | N | N | N | N | N |
| PR.PT-1: Audit/log records are determined, documented, implemented and reviewed in accordance with policy | N | Y | Y | Y | Y | N | N | Y | N |
| PR.PT-2: Removable media is protected and its use restricted according to policy | N | N | N | N | Y | N | N | N | N |
| PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | Y | Y | Y | Y | Y | N | N | Y | N |
| PR.PT-4: Communications and control networks are protected | N | N | N | N | Y | N | N | N | N |
| PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | Y | Y | Y | Y | Y | N | Y | Y | Y |


DETECT

“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.”

| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | N | Y | Y | N | Y | N | Y | N | N |
| DE.AE-2: Detected events are analyzed to understand attack targets and methods | N | Y | Y | N | Y | Y | Y | Y | N |
| DE.AE-3: Event data are collected and correlated from multiple sources and sensors | N | N | Y | Y | Y | Y | Y | Y | N |
| DE.AE-4: Impact of events is determined | N | N | Y | N | Y | Y | N | Y | N |
| DE.AE-5: Incident alert thresholds are established | N | Y | Y | Y | Y | N | N | Y | N |
| DE.CM-1: The network is monitored to detect potential cybersecurity events | Y | Y | Y | N | Y | N | N | Y | N |
| DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | N | N | N | N | Y | N | N | N | N |
| DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | Y | Y | Y | N | Y | N | Y | Y | N |
| DE.CM-4: Malicious code is detected | Y | Y | Y | N | N | N | N | Y | N |
| DE.CM-5: Unauthorized mobile code is detected | N | Y | Y | N | N | N | N | Y | N |
| DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | N | N | N | N | Y | N | N | N | N |
| DE.CM-7: Monitoring for unauthorized personnel, connections, devices and software is performed | N | N | Y | N | Y | N | N | N | N |
| DE.CM-8: Vulnerability scans are performed | N | N | N | N | N | N | Y | Y | N |


| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | N | N | N | N | N | N | N | N | N |
| DE.DP-2: Detection activities comply with all applicable requirements | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| DE.DP-3: Detection processes are tested | N | Y | Y | Y | Y | N | Y | N | N |
| DE.DP-4: Event detection information is communicated | Y | Y | Y | Y | Y | N | N | Y | N |
| DE.DP-5: Detection processes are continuously improved | N | Y | Y | Y | Y | N | N | Y | N |


RESPOND

“Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.”

| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| RS.RP-1: Response plan is executed during or after an incident | N | N | N | N | N | N | N | N | N |
| RS.CO-1: Personnel know their roles and order of operations when a response is needed | N | N | N | N | N | N | N | N | N |
| RS.CO-2: Incidents are reported consistent with established criteria | N | N | N | N | N | N | N | N | N |
| RS.CO-3: Information is shared consistent with response plans | N | N | N | N | N | N | N | N | N |
| RS.CO-4: Coordination with stakeholders occurs consistent with response plans | N | N | N | N | N | N | N | N | N |
| RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | N | N | N | N | N | N | N | N | N |
| RS.AN-1: Notifications from detection systems are investigated | N | Y | Y | N | Y | N | N | Y | Y |
| RS.AN-2: The impact of the incident is understood | N | Y | Y | N | Y | N | N | Y | Y |
| RS.AN-3: Forensics are performed | N | N | Y | Y | Y | Y | N | Y | Y |
| RS.AN-4: Incidents are categorized consistent with response plans | N | Y | Y | N | Y | Y | N | Y | Y |
| RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g., internal testing, security bulletins or security researchers) | N | N | N | N | Y | N | Y | N | N |
| RS.MI-1: Incidents are contained | Y | Y | Y | N | Y | N | N | Y | Y |
| RS.MI-2: Incidents are mitigated | Y | Y | Y | N | Y | N | N | Y | Y |
| RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks | N | N | N | N | Y | N | N | Y | N |
| RS.IM-1: Response plans incorporate lessons learned | N | N | N | N | N | N | N | N | N |
| RS.IM-2: Response strategies are updated | N | N | N | N | N | N | N | N | N |


ABOUT PROOFPOINT

Proofpoint, Inc. (NASDAQ: PFPT) is a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

©Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. Proofpoint.com

LEARN MORE

To learn more about how Proofpoint can help you comply with the NIST cybersecurity framework, visit proofpoint.com.

0301-002-01-01 5/20

RECOVER

“Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.”

| SUBCATEGORY | BROWSER ISOLATION | CASB | EMAIL PROTECTION | ENTERPRISE ARCHIVE | INSIDER THREAT | PTIS | SECURITY AWARENESS TRAINING | TAP | TRAP |
|---|---|---|---|---|---|---|---|---|---|
| RC.RP-1: Recovery plan is executed during or after a cybersecurity incident | N | N | N | N | Y | N | N | N | N |
| RC.IM-1: Recovery plans incorporate lessons learned | N | N | N | N | N | N | N | N | N |
| RC.IM-2: Recovery strategies are updated | N | N | N | N | N | N | N | N | N |
| RC.CO-1: Public relations are managed | N | N | N | N | N | N | N | N | N |
| RC.CO-2: Reputation is repaired after an incident | N | N | N | N | N | N | N | N | N |
| RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams | N | N | N | N | N | N | N | N | N |