Configuration Management
PR.PS-01: Configuration management practices are established and applied.
  • 1. For at least the relevant information and network systems, their secure (hardened) reference configurations are defined and documented in an updated list.
  • 2. In compliance with the policies of measure GV.PO-01, procedures are adopted and documented in relation to point 1.

Software Maintenance and Replacement
PR.PS-02: Software is maintained, replaced, and removed based on risk.
  • 1. Except for justified and documented normative or technical reasons, only software, including operating systems, for which security updates are guaranteed is installed.
  • 2. Except for justified and documented normative or technical reasons, the latest security updates released by the manufacturer are installed without undue delay, in line with the vulnerability management plan referred to in measure ID.RA-08.
  • 3. In compliance with the policies referred to in measure GV.PO-01, procedures are adopted and documented in relation to points 1 and 2.
  • 4. Except for justified and documented normative or technical reasons and in accordance with the risk assessment outcomes referred to in measure ID.RA-05, the update of software deemed critical is verified in a test environment before actual deployment in an operational environment.
  • 5. In compliance with the policies referred to in measure GV.PO-01, procedures are adopted and documented in relation to point 4.

Hardware Maintenance
PR.PS-03: Hardware is maintained, replaced, and removed based on risk.
  • 1. For at least the relevant information systems and networks, procedures are adopted and documented for the physical transfer and secure disposal of devices used for data storage.
  • 2. For at least the relevant information systems and networks, one or more logs of maintenance performed on hardware are kept.

Log Record Generation
PR.PS-04: Log records are generated and made available for continuous monitoring.
  • 1. All remote accesses and those performed with accounts having administrative privileges are recorded.
  • 2. For at least the relevant information and network systems, logs necessary for monitoring security events, including those related to accesses mentioned in point 1, are securely stored, and possibly centralized.
  • 3. In accordance with the risk assessment results of measure ID.RA-05, the retention timelines for the logs mentioned in point 2 are defined and documented.
  • 4. In compliance with the policies of measure GV.PO-01, procedures are adopted and documented concerning points 1 and 2.

Secure Systems Development Practices
PR.PS-06: Secure software development practices are integrated and their performance is monitored throughout the entire software lifecycle.
  • 1. Secure code development practices are adopted and documented in software development.