Control catalog: control objectives - AWS Control Tower

This document gives details about the control objectives from the AWS Control Tower Control Catalog.

Control Catalog: control objectives

| Number | Objective | Explanation |
|---|---|---|
| 1 | Asset inventory management | This control objective focuses on maintaining an accurate and up-to-date inventory of assets, including hardware, software, and data, to protect organization investments from harm or loss. |
| 2 | Asset classification | This control objective focuses on classifying assets based on their value, sensitivity, and criticality to the organization to manage investment risk and unauthorized access to assets and information. |
| 3 | Asset maintenance | This control objective focuses on maintaining the availability and integrity of assets, including performance management, regular maintenance, and repairs to protect and extract the maximum value of the organization's IT investments. |
| 4 | Asset lifecycle management | This control objective focuses on managing assets throughout their entire lifecycle, including acquisition, deployment, use, and retirement. This helps manage risks associated with asset costs by ensuring optimum asset productivity, performance, efficiency, and profitability. |
| 5 | Asset loss prevention, response, and recovery | This control objective focuses on preventing asset loss, and responding to and recovering lost, stolen, or damaged assets to contribute to the organization's profitability by reducing losses. |
| 6 | Business continuity | This control objective focuses on developing and maintaining plans, procedures, and protocols that support an organization's ability to recover critical business functions in the event of a disruption, including backup and recovery and business impact analysis. |
| 7 | Disaster recovery | This control objective focuses on the steps and technologies necessary to recover critical information resources in the event of a natural disaster, security event and/or incident, and/or system outage and ensure critical business functions can continue. |
| 8 | Crisis and emergency management | This control objective focuses on the development and maintenance of plans and procedures to mitigate the effects of and recover from a crisis or emergency, and ensure that critical business functions can continue. |
| 9 | Data classification and handling | This control objective focuses on the classification of data based on its sensitivity and implementation of appropriate controls for handling and protecting data based on its classification. This includes data handling procedures, access controls, and data loss prevention (DLP) solutions to minimize the risk of data loss, corruption, or compromise. |
| 10 | Data integrity | This control objective focuses on data integrity, such as data validation, checksum verification, and digital signing, to ensure data is reliable and traceable to origin. |
| 11 | Data retention and disposal | This control objective focuses on the implementation of policies for retaining and disposing of data in a secure and compliant manner. This includes securely deleting data from storage devices, wiping data from devices before disposal, and establishing retention periods for different types of data. |
| 12 | Data backup and recovery | This control objective focuses on the implementation of backup and recovery procedures to ensure that data can be restored in the event of a data loss incident. This includes regular backups, offsite storage, and testing of backup and recovery procedures. |
| 13 | Data encryption | This control objective focuses on the use of encryption to protect data both in transit and at rest to minimize the risk of data loss, corruption, or compromise. This includes using encryption for email, file transfer, and storage. |
| 14 | Cryptographic key management | This control objective focuses on processes for managing cryptographic keys throughout their lifecycle, from creation to destruction, to minimize the risk of data loss, corruption, or compromise. |
| 15 | Data anonymization, tokenization, masking, and redaction | This control objective focuses on data anonymization, tokenization, masking, and redaction to protect sensitive data and minimize the risk of unauthorized access to data, and data loss, corruption, or compromise. This includes truncating sensitive information and replacing it with realistic but fictitious data or tokens that stand in for the sensitive data for other purposes, such as data analytics. |
| 16 | Identity management | This control objective focuses on the management of digital identities, including the creation, maintenance, verification, and retirement of user accounts, enforcement of authentication and authorization policies, and use of federated identities to reduce the risk of unauthorized access to resources and data. |
| 17 | Authentication and access control | This control objective focuses on user and system authentication, password management policies, privileged account management, and access control restrictions. |
| 18 | Identity governance and administration (IGA) | This control objective focuses on the policies, procedures, and technologies used to manage user identities and access entitlements throughout their lifecycle. |
| 19 | Incident response planning | This control objective focuses on developing and maintaining incident response plans, assembling an incident response team, defining roles and responsibilities, and conducting incident response training and exercises. This enables the organization to act quickly and respond efficiently in the event of a threat. |
| 20 | Incident containment and mitigation | This control objective focuses on containing and limiting the impact of security incidents, and mitigating the root cause of an incident to prevent further damage to the organization and its assets. |
| 21 | Incident investigation and response | This control objective focuses on investigating security incidents, including preserving and analyzing evidence, conducting interviews, performing root cause analysis, and implementing remediation measures. This enables organizations to take corrective actions to prevent recurrence and demonstrates the organization's commitment to protecting the well-being of people. |
| 22 | Incident reporting and communication | This control objective focuses on reporting potential security incidents to appropriate security personnel and communicating security incidents to relevant stakeholders to improve risk management, take necessary response actions, and track incident progress to help determine business impacts. |
| 23 | Incident metrics and continuous improvement | This control objective focuses on measuring and tracking incident management performance, such as incident response times, incident resolution rates, and root cause analysis outcomes. |
| 24 | Privacy Laws | This control objective focuses on regulations and laws to protect individuals' personal data from unauthorized access, misuse, or disclosure. The intent is to ensure that entities collecting or processing such data do so responsibly, transparently, and with the individual's knowledge and consent, thereby safeguarding an individual's right to privacy and trust in the digital ecosystem. |
| 25 | Log generation and integrity | This control objective focuses on log generation, including security logs and audit trails, to record activity and reduce fraud, errors, and unauthorized use within the organization's compute environment. This includes ensuring that log integrity and confidentiality remain intact from the point of generation. |
| 26 | Log retention | This control objective focuses on retaining and archiving log data for a specified period of time to meet regulatory requirements and support incident response and forensic investigations. |
| 27 | Log aggregation and analysis | This control objective focuses on real-time monitoring of logs and events. This involves aggregating, normalizing, correlating, analyzing, and reviewing log data, including security events, audit trails, and user activity, from multiple sources to identify security events or patterns that may indicate an ongoing or emerging threat. |
| 28 | Alerting and Notification | This control objective focuses on generating alerts and notifications to relevant parties about potential security incidents or risks based on log monitoring and analysis results. |
| 29 | Log monitoring and event management tools | This control objective focuses on selecting, implementing, and maintaining log monitoring and event management tools and technologies to support real-time log analysis, retention, and protection. This supports timely response to anomalous activity and security events, reducing the risk of undetected or unknown threats to the organization. |
| 30 | Network architecture and secure configuration | This control objective focuses on network architecture, design, and secure configuration of network devices and services, including routing, switching, and firewall solutions, to prevent malicious and unnecessary content from entering the environment. |
| 31 | Network monitoring | This control objective focuses on monitoring and analyzing network traffic, including intrusion detection and prevention and network flow analysis, to identify and respond to potential threats quickly before they escalate into a serious security incident. |
| 32 | Wireless network security | This control objective focuses on management of wireless network access, including secure configuration and encryption. |
| 33 | Network filtering | This control objective focuses on filtering and inspecting network traffic for unwanted or malicious content to reduce the risk of unauthorized data exfiltration, spread of malware, and impact of compromised systems on other resources. |
| 34 | Physical security management | This control objective focuses on the organization's ability to ensure the physical security of corporate facilities, data centers, and other locations to prevent or reduce threats to people, information, and assets that may cause damage or loss. This includes surveillance and physical access management processes and systems. |
| 35 | Environmental protection controls | This control objective focuses on securing the physical environment of assets, such as temperature and humidity controls, fire suppression systems, water detection mechanisms, and redundant power supply, to prevent or reduce threats to people, information, and assets that may cause damage or loss. |
| 36 | Vulnerability scanning and remediation | This control objective focuses on scanning systems and applications to identify and remediate known vulnerabilities to reduce the risk of attack and exploitation. |
| 37 | IT risk assessment and management | This control objective focuses on identifying, assessing, prioritizing, reporting, and responding to risks, and implementing risk mitigation strategies to reduce risks to acceptable levels based on defined risk tolerance. |
| 38 | Vulnerability assessments and prioritization | This control objective focuses on processes for determining the severity of risks, threats, and vulnerabilities and prioritizing them for remediation based on the level of risk they pose, to reduce the chances of attack and exploitation. |
| 39 | Continuous vulnerability monitoring | This control objective focuses on continuously monitoring and actively searching for vulnerabilities and threats to detect vulnerabilities in real time, enabling faster response to and containment of a security incident to reduce the risk of escalation. |
| 40 | Threat intelligence | This control objective focuses on gathering and analyzing information on current and emerging threats to proactively identify vulnerabilities and potential attack vectors, and reduce the risk of security incidents. |
| 41 | Vulnerability reporting and metrics | This control objective focuses on determining and reporting on key performance indicators (KPIs) and metrics to measure the effectiveness of threat and vulnerability management processes and communicate risk to stakeholders. |
| 42 | Offensive security | This control objective focuses on actively identifying and exploiting vulnerabilities in computer systems and networks to assess their security posture and develop strategies to improve their overall security, to reduce the risk of exploitation and attack. |
| 43 | Malware protection | This control objective focuses on preventing, detecting, and remediating malware infections on systems and networks to reduce the risk of attack and exploitation. |
| 44 | Development lifecycle processes | This control objective focuses on the software development lifecycle processes, such as requirements gathering, design, coding, deployment, and maintenance of code, to reduce the risk of introducing vulnerabilities or insecure code into production environments. |
| 45 | Code reviews and testing | This control objective focuses on testing and reviewing code to ensure that it meets the requirements and is securely developed, to reduce the risk of introducing vulnerabilities or insecure code into production environments. |
| 46 | Secure configuration management | This control objective focuses on maintaining secure configurations of systems and software, and managing configuration drift, to reduce the risk of performance issues, inconsistencies, errors, and compliance issues that can lead to compromise and unintended data exposure. |
| 47 | Patch management | This control objective focuses on maintaining system and software security and functionality by ensuring that patches and updates are applied in a timely and effective manner to reduce the risk of cyberattacks and compromise. |
| 48 | Change management | This control objective focuses on managing changes to the software, including testing, approval, and implementation, to minimize disruption, reduce costly back-out activities, and provide clear communication of changes to stakeholders. |
| 49 | DevOps | This control objective focuses on integrating development and operations teams to ensure rapid and secure deployments, accelerated innovation, and reduced failure rates and recovery times. |
| 50 | Compliance management | This control objective focuses on establishing and enforcing policies, procedures, and controls that adhere to applicable regulatory security and compliance requirements and industry best practices, ensuring operational accountability for the organizational obligations that govern the business. |
| 51 | Security governance & program management | This control objective focuses on establishing the set of practices, policies, and procedures that guide an organization's approach to information security, ensuring alignment with the organization's business goals and objectives and protecting the organization's assets from unauthorized access, use, disclosure, modification, or destruction. This involves establishing a consistent and structured information security program and strategy that supports employee awareness and acknowledgement of security policies outlining employee responsibilities for complying with organizational governance. |
| 52 | Security awareness | This control objective focuses on security awareness for individuals within an organization by providing training, knowledge, understanding, and behavioral awareness related to security risks and best practices, with the goal of preventing security incidents and improving overall security posture. |
| 53 | Vendor selection | This control objective focuses on the organization establishing risk-based evaluation criteria, due diligence procedures, and contractual clauses for third-party vendor, supplier, and service provider selection to identify and prepare for vendor risks, and avoid disruption to business performance. |
| 54 | Vendor management | This control objective focuses on assessing and managing third-party risks, monitoring and reviewing third-party activities, and managing third-party security incidents to identify vendor risks and reduce the potential for business disruption or negative impact on business performance. Third parties include vendors, suppliers, and service providers. |
Note

This data was generated from the Control Catalog using the command: aws controlcatalog list-objectives