ccb-cff-2023-03-01.yaml

urn: urn:intuitem:risk:library:ccb-cff-2023-03-01
locale: en
ref_id: CCB-CFF-2023-03-01
name: CCB CyberFundamentals Framework - 2023-03-01
description: 'Centre For Cybersecurity Belgium - CyberFundamentals Framework

  With content from CyFun Self-Assessment tool V2024-11-05

  https://ccb.belgium.be'
copyright: All texts, layouts, designs and other elements of any nature in this document
  are subject to copyright law.
version: 5
publication_date: 2025-01-19
provider: CCB
packager: intuitem
translations:
  fr:
    name: CCB CyberFondamentaux - 2023-03-01
    description: 'Centre For Cybersecurity Belgium - CyberFondamentaux

      With content from CyFun Self-Assessment tool V2024-11-05

      https://ccb.belgium.be'
objects:
  framework:
    urn: urn:intuitem:risk:framework:ccb-cff-2023-03-01
    ref_id: CCB-CFF-2023-03-01
    name: CCB CyberFundamentals Framework - 2023-03-01
    description: Centre For Cybersecurity Belgium - CyberFundamentals Framework
    translations:
      fr:
        name: CCB CyberFondamentaux - 2023-03-01
        description: Centre For Cybersecurity Belgium - CyberFondamentaux
    min_score: 1
    max_score: 5
    scores_definition:
    - score: 1
      name: Initial
      description: Standard process does not exist.
      description_doc: No Process documentation or not formally approved by management.
      translations:
        fr:
          name: Initial
          description: "Il n\u2019existe pas de processus standard."
          description_doc: "Pas de documentation sur le processus ou pas d\u2019approbation\
            \ formelle par la direction. "
    - score: 2
      name: Repeatable
      description: Ad-hoc process exists and is done informally.
      description_doc: Formally approved Process documentation exists but not reviewed
        in the previous 2 years.
      translations:
        fr:
          name: "R\xE9p\xE9table"
          description: "Il existe un processus ad hoc qui se d\xE9roule de mani\xE8\
            re informelle."
          description_doc: "Il existe une documentation de processus formellement\
            \ approuv\xE9e, mais elle n\u2019a pas fait l\u2019objet d\u2019un audit\
            \ au cours des deux derni\xE8res ann\xE9es."
    - score: 3
      name: Defined
      description: 'Formal process exists and is implemented.

        Evidence available for most activities.

        Less than 10% process exceptions.'
      description_doc: 'Formally approved Process documentation exists, and exceptions
        are documented and approved.

        Documented & approved exceptions < 5% of the time.'
      translations:
        fr:
          name: "D\xE9fini"
          description: "Un processus formel existe et est mis en \u0153uvre.\nDes\
            \ preuves sont disponibles pour la plupart des activit\xE9s. \nMoins de\
            \ 10 % d\u2019exceptions au processus."
          description_doc: "Il existe une documentation formellement approuv\xE9e\
            \ sur les processus et les exceptions sont document\xE9es et approuv\xE9\
            es.\nLes exceptions sont document\xE9es et approuv\xE9es dans moins de\
            \ 5 % des cas."
    - score: 4
      name: Managed
      description: 'Formal process exists and is implemented.

        Evidence available for all activities.

        Detailed metrics of the process are captured and reported.

        Minimal target for metrics has been established.

        Less than 5% of process exceptions.'
      description_doc: 'Formally approved Process documentation exists, and exceptions
        are documented and approved.

        Documented & approved exceptions < 3% of the time.'
      translations:
        fr:
          name: "G\xE9r\xE9"
          description: "Un processus formel existe et est mis en \u0153uvre.\nDes\
            \ preuves sont disponibles pour toutes les activit\xE9s.\nDes mesures\
            \ d\xE9taill\xE9es du processus sont saisies et communiqu\xE9es.\nUn objectif\
            \ minimum est fix\xE9 pour les indicateurs.\nMoins de 5 % des exceptions\
            \ au processus."
          description_doc: "Il existe une documentation formellement approuv\xE9e\
            \ sur les processus et les exceptions sont document\xE9es et approuv\xE9\
            es.\nExceptions document\xE9es et approuv\xE9es < 3 % du temps."
    - score: 5
      name: Optimizing
      description: 'Formal process exists and is implemented.

        Evidence available for all activities.

        Detailed metrics of the process are captured and reported.

        Minimal target for metrics has been established and continually improving.

        Less than 1% of process exceptions.'
      description_doc: 'Formally approved Process documentation exists, and exceptions
        are documented and approved.

        Documented & approved exceptions < 0,5% of the time.'
      translations:
        fr:
          name: "Optimis\xE9"
          description: "Un processus formel existe et est mis en \u0153uvre.\nDes\
            \ preuves sont disponibles pour toutes les activit\xE9s.\nDes mesures\
            \ d\xE9taill\xE9es du processus sont saisies et communiqu\xE9es.\nDes\
            \ objectifs minimaux sont fix\xE9s pour les indicateurs et sont am\xE9\
            lior\xE9s en permanence.\nMoins de 1 % des exceptions au processus."
          description_doc: "Il existe une documentation formellement approuv\xE9e\
            \ sur les processus et les exceptions sont document\xE9es et approuv\xE9\
            es.\nExceptions document\xE9es et approuv\xE9es < 0,5 % du temps."
    implementation_groups_definition:
    - ref_id: B
      name: basic
      description: null
      translations:
        fr:
          name: basique
          description: null
    - ref_id: I
      name: important
      description: null
      translations:
        fr:
          name: important
          description: null
    - ref_id: E
      name: essential
      description: null
      translations:
        fr:
          name: essentiel
          description: null
    - ref_id: BK
      name: basic - key measures
      description: null
      translations:
        fr:
          name: "basique - mesure cl\xE9"
          description: null
    - ref_id: IK
      name: important - key measures
      description: null
      translations:
        fr:
          name: "important - mesure cl\xE9"
          description: null
    - ref_id: EK
      name: essential - key measures
      description: null
      translations:
        fr:
          name: "essentiel - mesure cl\xE9"
          description: null
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      assessable: false
      depth: 1
      ref_id: ID
      name: IDENTIFY (ID)
      translations:
        fr:
          name: IDENTIFIER (ID)
          description: ''
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.AM
      name: Asset Management
      description: "The data, personnel, devices, systems, and facilities that enable\
        \ the organization to achieve business purposes are identified and managed\
        \ consistent with their relative importance to organizational objectives and\
        \ the organization\u2019s risk strategy."
      translations:
        fr:
          name: "Gestion d'actifs\_"
          description: "Les donn\xE9es, le personnel, les dispositifs, les syst\xE8\
            mes et les installations qui permettent \xE0 l'organisation d'atteindre\
            \ ses objectifs op\xE9rationnels sont identifi\xE9s et g\xE9r\xE9s en\
            \ fonction de leur importance relative par rapport aux objectifs de l'organisation\
            \ et \xE0 sa strat\xE9gie en mati\xE8re de risques."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-1
      description: Physical devices and systems within the organization are inventoried
      translations:
        fr:
          name: null
          description: "Les dispositifs et syst\xE8mes physiques utilis\xE9s dans\
            \ l'organisation sont inventori\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: BASIC_ID.AM-1.1
      description: An inventory of assets associated with information and information
        processing facilities within the organization shall be documented, reviewed,
        and updated when changes occur.
      annotation: "\u2022\tThis inventory includes fixed and portable computers, tablets,\
        \ mobile phones, Programmable Logic Controllers (PLCs), sensors, actuators,\
        \ robots, machine tools, firmware, network switches, routers, power supplies,\
        \ and other networked components or devices. \n\u2022\tThis inventory must\
        \ include all assets, whether or not they are connected to the organization's\
        \ network.\n\u2022\tThe use of an IT asset management tool could be considered."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un inventaire des actifs associ\xE9s aux informations et aux\
            \ installations de traitement de l'information au sein de l'organisation\
            \ doit \xEAtre document\xE9, examin\xE9 et mis \xE0 jour lorsque des changements\
            \ surviennent."
          annotation: "\u2022 Cet inventaire comprend des ordinateurs fixes et portables,\
            \ des tablettes, des t\xE9l\xE9phones mobiles, des contr\xF4leurs logiques\
            \ programmables (PLC), des capteurs, des actionneurs, des robots, des\
            \ machines- outils, des micrologiciels, des switchs, des routeurs, des\
            \ alimentations et d'autres composants ou dispositifs en r\xE9seau. \n\
            \u2022 Cet inventaire doit inclure tous les actifs, qu'ils soient ou non\
            \ connect\xE9s au r\xE9seau de l'organisation. \n\u2022 L'utilisation\
            \ d'un outil de gestion des actifs informatiques pourrait \xEAtre envisag\xE9\
            e."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: IMPORTANT_ID.AM-1.2
      description: "The inventory of assets associated with information and information\
        \ processing facilities shall reflect changes in the  organization\u2019s\
        \ context and include all information necessary for effective accountability."
      annotation: "\u2022\tInventory specifications include for example, manufacturer,\
        \ device type, model, serial number, machine names and network addresses,\
        \ physical location\u2026\n\u2022\tAccountability is the obligation to explain,\
        \ justify, and take responsibility for one's actions, it implies answerability\
        \ for the outcome of the task or process.\n\u2022\tChanges include the decommissioning\
        \ of material."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'inventaire des actifs associ\xE9s aux informations et aux\
            \ installations de traitement de l'information doit refl\xE9ter les changements\
            \ intervenus dans le contexte de l'organisation et inclure toutes les\
            \ informations n\xE9cessaires \xE0 une responsabilisation efficace."
          annotation: "\u2022 Les sp\xE9cifications de l'inventaire comprennent par\
            \ exemple le fabricant, le type de dispositif, le mod\xE8le, le num\xE9\
            ro de s\xE9rie, les noms de machine et les adresses de r\xE9seau, l'emplacement\
            \ physique... \n\u2022 La responsabilisation est l\u2019obligation de\
            \ rendre compte , d'expliquer, de justifier et d'assumer la responsabilit\xE9\
            \ de ses actions, elle implique la responsabilit\xE9 du r\xE9sultat de\
            \ la t\xE2che ou du processus. \n\u2022 Les changements incluent le d\xE9\
            classement de mat\xE9riel."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: IMPORTANT_ID.AM-1.3
      description: When unauthorized hardware is detected, it shall be quarantined
        for possible exception handling, removed, or replaced, and the inventory shall
        be updated accordingly.
      annotation: "\u2022\tAny unsupported hardware without an exception documentation,\
        \ is designated as unauthorized.\n\u2022\tUnauthorized hardware can be detected\
        \ during inventory, requests for support by the user or other means."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Lorsque du mat\xE9riel non autoris\xE9 est d\xE9tect\xE9,\
            \ il est mis en quarantaine pour un \xE9ventuel traitement d'exception,\
            \ retir\xE9 ou remplac\xE9, et l'inventaire est mis \xE0 jour en cons\xE9\
            quence."
          annotation: "\u2022 Tout mat\xE9riel non pris en charge, sans documentation\
            \ d'exception, est d\xE9sign\xE9 comme non autoris\xE9. \n\u2022 Le mat\xE9\
            riel non autoris\xE9 peut \xEAtre d\xE9tect\xE9 lors de l'inventaire,\
            \ des demandes d'assistance de l'utilisateur ou par d'autres moyens."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-1
      ref_id: ID.AM-1.4
      description: Mechanisms for detecting the presence of unauthorized hardware
        and firmware components within the organization's network shall be identified.
      annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\
        \u2022\tThere should be a process to address unauthorized assets on a frequently\
        \  basis; The organization may choose to remove the asset from the network,\
        \ deny the asset from connecting remotely to the network, or quarantine the\
        \ asset."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les m\xE9canismes permettant de d\xE9tecter la pr\xE9sence\
            \ de composants mat\xE9riels et micrologiciels non autoris\xE9s dans le\
            \ r\xE9seau de l'organisation doivent \xEAtre identifi\xE9s."
          annotation: "\u2022 Lorsque cela est possible et s\xFBr, il convient d\u2019\
            automatiser ces m\xE9canismes. \n\u2022 Il convient d\u2019avoir un process\
            \ pour traiter les actifs non autoris\xE9s sur une base fr\xE9quente ;\
            \ L'organisation peut choisir de retirer l\u2019actif du r\xE9seau, de\
            \ l'emp\xEAcher de se connecter \xE0 distance au r\xE9seau ou de le mettre\
            \ en quarantaine."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-2
      description: Software platforms and applications within the organization are
        inventoried
      translations:
        fr:
          name: null
          description: "Les plateformes et applications logicielles utilis\xE9es au\
            \ sein de l'organisation sont inventori\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: BASIC_ID.AM-2.1
      description: An inventory that reflects what software platforms and applications
        are being used in the organization shall be documented, reviewed, and updated
        when changes occur.
      annotation: "\u2022\tThis inventory includes software programs, software platforms\
        \ and databases, even if outsourced (SaaS).\n\u2022\tOutsourcing arrangements\
        \ should be part of the contractual agreements with the provider.\n\u2022\t\
        Information in the inventory should include for example: name, description,\
        \ version, number of users, data processed, etc.\n\u2022\tA distinction should\
        \ be made between unsupported software and unauthorized software.\n\u2022\t\
        The use of an IT asset management tool could be considered."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un inventaire refl\xE9tant les plateformes et les applications\
            \ logicielles utilis\xE9es dans l'organisation doit \xEAtre document\xE9\
            , r\xE9vis\xE9 et mis \xE0 jour lorsque des changements surviennent."
          annotation: "\u2022 Cet inventaire comprend les programmes logiciels, les\
            \ plateformes logicielles et les bases de donn\xE9es, m\xEAme s'ils sont\
            \ externalis\xE9s (SaaS). \n\u2022 Il convient que les accords d'externalisation\
            \ fassent partie des accords contractuels avec le fournisseur. \n\u2022\
            \ Il convient que les informations de l'inventaire comprennent par exemple\
            \ : le nom, la description, la version, le nombre d'utilisateurs, les\
            \ donn\xE9es trait\xE9es, etc. \n\u2022 Il convient de faire la distinction\
            \ entre les logiciels non pris en charge et les logiciels non autoris\xE9\
            s. \n\u2022 L'utilisation d'un outil de gestion des actifs informatiques\
            \ pourrait \xEAtre envisag\xE9e."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: IMPORTANT_ID.AM-2.2
      description: "The inventory of software platforms and applications  associated\
        \ with information and information processing shall reflect changes in the\
        \  organization\u2019s context and include all information necessary for effective\
        \ accountability."
      annotation: The inventory of software platforms and applications should include
        the title, publisher, initial install/use date, and business purpose for each
        entry; where appropriate, include the Uniform Resource Locator (URL), app
        store(s), version(s), deployment mechanism, and decommission date.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'inventaire des plates-formes logicielles et des applications\
            \ associ\xE9es \xE0 l'information et au traitement de l'information doit\
            \ refl\xE9ter l'\xE9volution du contexte de l'organisation et inclure\
            \ toutes les informations n\xE9cessaires \xE0 une responsabilisation efficace."
          annotation: "Il convient que l'inventaire des plateformes logicielles et\
            \ des applications comprenne le titre, l'\xE9diteur, la date d'installation/utilisation\
            \ initiale et l'objectif de l'organisation pour chaque entr\xE9e ; le\
            \ cas \xE9ch\xE9ant, il convient d\u2019inclure l\u2019adresse web (URL),\
            \ le ou les magasins d'applications, la ou les versions, le m\xE9canisme\
            \ de d\xE9ploiement et la date de mise hors service."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: IMPORTANT_ID.AM-2.3
      description: Individuals who are responsible and who are accountable for administering
        software platforms and applications within the organization shall be identified.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les personnes qui sont responsables de l'administration des\
            \ plates-formes et des applications logicielles au sein de l'organisation\
            \ et qui doivent en rendre compte doivent \xEAtre identifi\xE9es."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: IMPORTANT_ID.AM-2.4
      description: When unauthorized software is detected, it shall be quarantined
        for possible exception handling, removed, or replaced, and the inventory shall
        be updated accordingly.
      annotation: "\u2022\tAny unsupported software without an exception documentation,\
        \ is designated as unauthorized.\n\u2022\tUnauthorized software can be detected\
        \ during inventory, requests for support by the user or other means."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Lorsqu'un logiciel non autoris\xE9 est d\xE9tect\xE9, il est\
            \ mis en quarantaine en vue d'un \xE9ventuel traitement d'exception, supprim\xE9\
            \ ou remplac\xE9, et l'inventaire est mis \xE0 jour en cons\xE9quence."
          annotation: "\u2022 Tout logiciel non pris en charge sans documentation\
            \ d'exception, est d\xE9sign\xE9 comme non autoris\xE9. \n\u2022 Les logiciels\
            \ non autoris\xE9s peuvent \xEAtre d\xE9tect\xE9s lors de l'inventaire,\
            \ des demandes d'assistance de l'utilisateur ou par d'autres moyens."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-2
      ref_id: ID.AM-2.5
      description: "Mechanisms for detecting the presence of unauthorized software\
        \ within the organization\u2019s ICT/OT environment shall be identified. "
      annotation: "\u2022\tWhere safe and feasible, these mechanisms should be automated.\n\
        \u2022\tThere should be a process to regularly address unauthorised assets;\
        \ The organization may choose to remove the asset from the network, deny the\
        \ asset from connecting remotely to the network, or quarantine the asset."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les m\xE9canismes permettant de d\xE9tecter la pr\xE9sence\
            \ de logiciels non autoris\xE9s dans l'environnement TIC/OT de l'organisation\
            \ doivent \xEAtre identifi\xE9s."
          annotation: "\u2022 Lorsque cela est possible et s\xFBr, il convient d\u2019\
            automatiser ces m\xE9canismes. \n\u2022 Il convient d\u2019avoir un process\
            \ pour traiter les actifs non autoris\xE9s sur une base fr\xE9quente ;\
            \ L'organisation peut choisir de retirer l\u2019actif du r\xE9seau, de\
            \ l'emp\xEAcher de se connecter \xE0 distance au r\xE9seau ou de le mettre\
            \ en quarantaine."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-3
      description: Organizational communication and data flows are mapped
      translations:
        fr:
          name: null
          description: "La communication organisationnelle et les flux de donn\xE9\
            es sont sch\xE9matis\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      ref_id: BASIC_ID.AM-3.1
      description: Information that the organization stores and uses shall be identified.
      annotation: "\u2022\tStart by listing all the types of information your business\
        \ stores or uses. Define \u201Cinformation type\u201D in any useful way that\
        \ makes sense to your business. You may want to have your employees make a\
        \ list of all the information they use in their regular activities. List everything\
        \ you can think of, but you do not need to be too specific. For example, you\
        \ may keep customer names and email addresses, receipts for raw material,\
        \ your banking information, or other proprietary information.\n\u2022\tConsider\
        \ mapping this information with the associated assets identified in the inventories\
        \ of physical devices, systems, software platforms and applications used within\
        \ the organization (see ID.AM-1 & ID.AM-2)."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les informations que l'organisation stocke et utilise doivent\
            \ \xEAtre identifi\xE9es."
          annotation: "\u2022 Commencez par \xE9num\xE9rer tous les types d'informations\
            \ que votre organisation stocke ou utilise. D\xE9finissez le \"type d'information\"\
            \ de toute mani\xE8re utile et logique pour votre organisation. Vous pouvez\
            \ demander \xE0 vos employ\xE9s de dresser une liste de toutes les informations\
            \ qu'ils utilisent dans le cadre de leurs activit\xE9s habituelles. Dressez\
            \ une liste de tout ce \xE0 quoi vous pouvez penser, mais il n'est pas\
            \ n\xE9cessaire d'\xEAtre trop pr\xE9cis. Par exemple, vous pouvez conserver\
            \ les noms et adresses \xE9lectroniques de vos clients, les re\xE7us de\
            \ mati\xE8res premi\xE8res, vos informations bancaires ou d'autres informations\
            \ exclusives. \n\u2022 Envisagez de mettre en correspondance ces informations\
            \ avec les actifs associ\xE9s identifi\xE9s dans les inventaires des dispositifs\
            \ physiques, des syst\xE8mes, des plateformes logicielles et des applications\
            \ utilis\xE9s au sein de l'organisation (voir ID.AM-1 & ID.AM-2)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      ref_id: IMPORTANT_ID.AM-3.2
      description: All connections within the organization's ICT/OT environment, and
        to other organization-internal platforms shall be mapped, documented, approved,
        and updated as appropriate.
      annotation: "\u2022\tConnection information includes, for example, the interface\
        \ characteristics, data characteristics, ports, protocols, addresses, description\
        \ of the data, security requirements, and the nature of the connection.\n\u2022\
        \tConfiguration management can be used as supporting asset.\n\u2022\tThis\
        \ documentation should not be stored only on the network it represents.\n\u2022\
        \tConsider keeping a copy of this documentation in a safe offline environment\
        \ (e.g. offline hard disk, paper hardcopy, \u2026)"
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Toutes les connexions au sein de l'environnement TIC/OT de\
            \ l'organisation, ainsi qu'\xE0 d'autres plateformes internes \xE0 l'organisation,\
            \ doivent \xEAtre sch\xE9matis\xE9es, document\xE9es, approuv\xE9es et\
            \ mises \xE0 jour le cas \xE9ch\xE9ant."
          annotation: "\u2022 Les informations relatives \xE0 la connexion comprennent,\
            \ par exemple, les caract\xE9ristiques de l'interface, les caract\xE9\
            ristiques des donn\xE9es, les ports, les protocoles, les adresses, la\
            \ description des donn\xE9es, les exigences de s\xE9curit\xE9 et la nature\
            \ de la connexion. \n\u2022 La gestion de la configuration peut \xEAtre\
            \ utilis\xE9e comme soutien. \n\u2022 Il convient que cette documentation\
            \ ne soit pas stock\xE9e uniquement sur le r\xE9seau qu'elle repr\xE9\
            sente. \n\u2022 Envisagez de conserver une copie de cette documentation\
            \ dans un environnement hors ligne s\xFBr (par exemple, disque dur hors\
            \ ligne, copie papier, ...)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-3
      ref_id: ID.AM-3.3
      description: "The information flows/data flows within the organization\u2019\
        s ICT/OT environment, as well as to other organization-internal systems shall\
        \ be mapped, documented, authorized, and updated when changes occur."
      annotation: "\u2022\tWith knowledge of the information/data flows within a system\
        \ and between systems, it is possible to determine where information can and\
        \ cannot go.\n\u2022\tConsider:\no\tEnforcing controls restricting connections\
        \ to only authorized interfaces.\no\tHeightening system monitoring activity\
        \ whenever there is an indication of increased risk to organization's critical\
        \ operations and assets.\no\tProtecting the system from information leakage\
        \ due to electromagnetic signals emanations."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les flux d'informations/de donn\xE9es dans l'environnement\
            \ TIC/OT de l'organisation, ainsi que vers d'autres syst\xE8mes internes\
            \ \xE0 l'organisation, doivent \xEAtre sch\xE9matis\xE9s, document\xE9\
            s, autoris\xE9s et mis \xE0 jour lorsque des changements surviennent."
          annotation: "\u2022 En connaissant les flux d'informations et de donn\xE9\
            es au sein d'un syst\xE8me et entre les syst\xE8mes, il est possible de\
            \ d\xE9terminer o\xF9 les informations peuvent et ne peuvent pas aller.\
            \ \n\u2022 Envisagez de : \n  o Appliquer des contr\xF4les restreignant\
            \ les connexions aux seules interfaces autoris\xE9es. \n  o Renforcer\
            \ l'activit\xE9 de surveillance du syst\xE8me chaque fois qu'il y a une\
            \ indication d'un risque accru pour les op\xE9rations et les actifs critiques\
            \ de l'organisation. \n  o Prot\xE9ger le syst\xE8me contre les fuites\
            \ d'informations dues aux \xE9manations de signaux \xE9lectromagn\xE9\
            tiques."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-4
      description: External information systems are catalogued
      translations:
        fr:
          name: null
          description: " Les syst\xE8mes d'information externes sont catalogu\xE9\
            s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4
      ref_id: IMPORTANT_ID.AM-4.1
      description: The organization shall map, document, authorize and when changes
        occur, update, all external services and the connections made with them.
      annotation: "\u2022\tOutsourcing of systems, software platforms and applications\
        \ used within the organization is covered in ID.AM-1 & ID.AM-2\n\u2022\tExternal\
        \ information systems are systems or components of systems for which organizations\
        \ typically have no direct supervision and authority over the application\
        \ of security requirements and controls, or the determination of the effectiveness\
        \ of implemented controls on those systems i.e., services that are run in\
        \ cloud, SaaS, hosting or other external environments, API (Application Programming\
        \ Interface)\u2026\n\u2022\tMapping external services and the connections\
        \ made to them and authorizing them in advance avoids wasting unnecessary\
        \ resources investigating a supposedly non-authenticated connection to external\
        \ systems."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit sch\xE9matiser, documenter, autoriser\
            \ et, lorsque des changements surviennent, mettre \xE0 jour, tous les\
            \ services externes et les connexions \xE9tablies avec eux."
          annotation: "\u2022\tOutsourcing of systems, software platforms and applications\
            \ used within the organization is covered in ID.AM-1 & ID.AM-2 \n\u2022\
            \tExternal information systems are systems or components of systems for\
            \ which organizations typically have no direct supervision and authority\
            \ over the application of security requirements and controls, or the determination\
            \ of the effectiveness of implemented controls on those systems i.e.,\
            \ services that are run in cloud, SaaS, hosting or other external environments,\
            \ API (Application Programming Interface)\u2026 \n\u2022\tMapping external\
            \ services and the connections made to them and authorizing them in advance\
            \ avoids wasting unnecessary resources investigating a supposedly non-authenticated\
            \ connection to external systems."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-4
      ref_id: ID.AM-4.2
      description: The flow of information to/from external systems shall be mapped,
        documented, authorized, and update when changes occur.
      annotation: Consider requiring external service providers to identify and document
        the functions, ports, protocols, and services necessary for the connection
        services.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Le flux d'informations vers/depuis les syst\xE8mes externes\
            \ doit \xEAtre sch\xE9matis\xE9, document\xE9, autoris\xE9 et mis \xE0\
            \ jour lorsque des changements surviennent."
          annotation: "Envisagez d'exiger des fournisseurs de services externes qu'ils\
            \ identifient et documentent les fonctions, ports, protocoles et services\
            \ n\xE9cessaires aux services de connexion."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-5
      description: 'Resources (e.g., hardware, devices, data, time, personnel, and
        software) are prioritized based on their classification, criticality, and
        business value '
      translations:
        fr:
          name: null
          description: "Les ressources sont organis\xE9es par ordre de priorit\xE9\
            \ en fonction de leur classification, de leur criticit\xE9 et de leur\
            \ valeur op\xE9rationnelle."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.am-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-5
      ref_id: BASIC_ID.AM-5.1
      description: "The organization\u2019s resources (hardware, devices, data, time,\
        \ personnel, information, and software) shall be prioritized based on their\
        \ classification, criticality, and business value."
      annotation: "\u2022\tDetermine organization\u2019s resources (e.g., hardware,\
        \ devices, data, time, personnel, information, and software):\no\tWhat would\
        \ happen to my business if these resources were made public, damaged, lost\u2026\
        ?\no\tWhat would happen to my business when the integrity of resources is\
        \ no longer guaranteed?\no\tWhat would happen to my business if I/my customers\
        \ couldn\u2019t access these resources? And rank these resources based on\
        \ their classification, criticality, and business value.\n\u2022\tResources\
        \ should include enterprise assets. \u2022\tCreate a classification for sensitive\
        \ information by first determining categories, e.g.\no\tPublic - freely accessible\
        \ to all, even externally\no\tInternal - accessible only to members of your\
        \ organization\no\tConfidential - accessible only to those whose duties require\
        \ access.\n\u2022\tCommunicate these categories and identify what types of\
        \ data fall into these categories (HR data, financial data, legal data, personal\
        \ data, etc.).\n\u2022\tConsider the use of the Traffic Light Protocol (TLP).\n\
        \u2022\tData classification should apply to the three aspects: C-I-A. Consider\
        \ implementing an automated tool, such as a host-based Data Loss Prevention\
        \ (DLP) tool to identify all sensitive data stored, processed, or transmitted\
        \ through enterprise assets, including those located onsite or at a remote\
        \ service provider."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les ressources de l'organisation (mat\xE9riel, dispositifs,\
            \ donn\xE9es, temps, personnel, informations et logiciels) doivent \xEA\
            tre organis\xE9es par ordre de priorit\xE9 en fonction de leur classification,\
            \ de leur criticit\xE9 et de leur valeur op\xE9rationnelle."
          annotation: "\u2022 D\xE9terminer les ressources de l'organisation (par\
            \ exemple, le mat\xE9riel, les dispositifs, les donn\xE9es, le temps,\
            \ le personnel, les informations et les logiciels) :\n  o Qu'arriverait-il\
            \ \xE0 mon organisation si ces ressources \xE9taient rendues publiques,\
            \ endommag\xE9es, perdues... ? \n  o Qu'arriverait-il \xE0 mon organisation\
            \ lorsque l'int\xE9grit\xE9 des ressources ne serait plus garantie ? \n\
            \  o Que se passerait-il pour mon organisation si mes clients ou moi-m\xEA\
            me ne pouvions pas acc\xE9der \xE0 ces ressources ? Et organisez ces ressources\
            \ en fonction de leur classification, de leur criticit\xE9 et de leur\
            \ valeur op\xE9rationnelle. \n\u2022 Il convient que les ressources incluent\
            \ les actifs de l\u2019organisation. \n\u2022 Cr\xE9ez une classification\
            \ pour les informations sensibles en d\xE9terminant d'abord les cat\xE9\
            gories, par ex. \n  o Public - librement accessible \xE0 tous, m\xEAme\
            \ \xE0 l'ext\xE9rieur. o Interne - accessible uniquement aux membres de\
            \ votre organisation \n  o Confidentiel - accessible uniquement aux personnes\
            \ dont les fonctions l'exigent. \n\u2022 Communiquer ces cat\xE9gories\
            \ et identifier les types de donn\xE9es qui en font partie (donn\xE9es\
            \ RH, donn\xE9es financi\xE8res, donn\xE9es juridiques, donn\xE9es personnelles,\
            \ etc.) \n\u2022 Envisager l'utilisation du protocole de feux de circulation\
            \ (TLP). \n\u2022 Il convient que la classification des donn\xE9es s'applique\
            \ aux trois aspects : C-I-A \n\u2022 Envisagez de mettre en place un outil\
            \ automatis\xE9, tel qu'un outil de pr\xE9vention des pertes de donn\xE9\
            es (DLP) bas\xE9 sur l'h\xF4te, pour identifier toutes les donn\xE9es\
            \ sensibles stock\xE9es, trait\xE9es ou transmises par le biais des actifs\
            \ de l\u2019organisation, y compris ceux situ\xE9s sur place ou chez un\
            \ fournisseur de services distant."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am
      ref_id: ID.AM-6
      description: Cybersecurity roles, responsibilities, and authorities for the
        entire workforce and third-party stakeholders are established
      translations:
        fr:
          name: null
          description: "Les r\xF4les, responsabilit\xE9s et pouvoirs en mati\xE8re\
            \ de cybers\xE9curit\xE9 pour l'ensemble du personnel et les parties prenantes\
            \ tierces (par exemple, les fournisseurs, les clients, les partenaires)\
            \ sont \xE9tablis."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.am-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6
      ref_id: IMPORTANT_ID.AM-6.1
      description: '[KEY MEASURE] Information security and cybersecurity roles, responsibilities
        and authorities within the organization shall be documented, reviewed, authorized,
        and updated and alignment with organization-internal roles and external partners.'
      annotation: "It should be considered to:\n\u2022\tDescribe security roles, responsibilities,\
        \ and authorities: who in your organization should be consulted, informed,\
        \ and held accountable for all or part of your assets.\n\u2022\tProvide security\
        \ roles, responsibilities, and authority for all key functions in information/cyber\
        \ security (legal, detection activities\u2026).\n\u2022\tInclude information/cybersecurity\
        \ roles and responsibilities for third-party providers (e.g., suppliers, customers,\
        \ partners) with physical or logical access to the organization\u2019s ICT/OT\
        \ environment."
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les r\xF4les, les responsabilit\xE9s et les\
            \ pouvoirs en mati\xE8re de s\xE9curit\xE9 de l'information et de cybers\xE9\
            curit\xE9 au sein de l'organisation sont document\xE9s, examin\xE9s, autoris\xE9\
            s et mis \xE0 jour et align\xE9s sur les r\xF4les internes de l'organisation\
            \ et les partenaires externes."
          annotation: "Il convient d'envisager : \n\u2022 D\xE9crire les r\xF4les,\
            \ les responsabilit\xE9s et les autorit\xE9s en mati\xE8re de s\xE9curit\xE9\
            \ : qui, dans votre organisation, il convient de consulter, informer et\
            \ tenir responsable de tout ou partie de vos actifs. \n\u2022 Fournir\
            \ les r\xF4les, les responsabilit\xE9s et l'autorit\xE9 en mati\xE8re\
            \ de s\xE9curit\xE9 pour toutes les fonctions cl\xE9s de la s\xE9curit\xE9\
            \ de l'information/cyber (juridique, activit\xE9s de d\xE9tection...).\
            \ \n\u2022 Inclure les r\xF4les et responsabilit\xE9s en mati\xE8re de\
            \ s\xE9curit\xE9 de l'information/cybers\xE9curit\xE9 pour les fournisseurs\
            \ tiers ayant un acc\xE8s physique ou logique \xE0 l'environnement TIC/OT\
            \ de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.am-6
      ref_id: ID.AM-6.2
      description: The organization shall appoint an information security officer.
      annotation: The information security officer should be responsible for monitoring
        the implementation of the organization's information/cyber security strategy
        and safeguards.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit nommer un responsable de la s\xE9curit\xE9\
            \ des informations."
          annotation: "Il convient que le responsable de la s\xE9curit\xE9 de l'information\
            \ soit charg\xE9 de surveiller la mise en \u0153uvre de la strat\xE9gie\
            \ de s\xE9curit\xE9 de l'information/cyber et des mesures de protection\
            \ de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.BE
      name: Business Environment
      description: "The organization\u2019s mission, objectives, stakeholders, and\
        \ activities are understood and prioritized; this information is used to inform\
        \ cybersecurity roles, responsibilities, and risk management decisions."
      translations:
        fr:
          name: "Environnement op\xE9rationnel"
          description: "La mission, les objectifs, les parties prenantes et les activit\xE9\
            s de l'organisation sont compris et class\xE9s par ordre de priorit\xE9\
            \ ; ces informations sont utilis\xE9es pour d\xE9finir les r\xF4les, les\
            \ responsabilit\xE9s et les d\xE9cisions en mati\xE8re de gestion des\
            \ risques li\xE9s \xE0 la cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-1
      description: "The organization\u2019s role in the supply chain is identified\
        \ and communicated"
      translations:
        fr:
          name: null
          description: "Le r\xF4le de l'organisation dans la cha\xEEne d'approvisionnement\
            \ est identifi\xE9 et communiqu\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1
      ref_id: IMPORTANT_ID.BE-1.1
      description: "The organization\u2019s role in the supply chain shall be identified,\
        \ documented, and communicated. "
      annotation: "\u2022\tThe organisation should be able to clearly identify who\
        \ is upstream and downstream of the organisation and which suppliers provide\
        \ services, capabilities, products and items to the organisation.\n\u2022\t\
        The organisation should communicate its position to its upstream and downstream\
        \ so that it is understood where they sit in terms of critical importance\
        \ to the organisation's operations."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Le r\xF4le de l'organisation dans la cha\xEEne d'approvisionnement\
            \ doit \xEAtre identifi\xE9, document\xE9 et communiqu\xE9."
          annotation: "\u2022 Il convient que l'organisation soit en mesure d'identifier\
            \ clairement qui se trouve en amont et en aval de l'organisation et quels\
            \ fournisseurs lui apportent des services, des capacit\xE9s, des produits\
            \ et des articles. \u2022 Il convient que l'organisation communique sa\
            \ position \xE0 ses partenaires en amont et en aval afin de comprendre\
            \ o\xF9 ils se situent en termes d'importance critique pour les op\xE9\
            rations de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-1
      ref_id: ID.BE-1.2
      description: The organization shall protect its ICT/OT environment from supply
        chain threats by applying security safeguards as part of a documented comprehensive
        security strategy.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit prot\xE9ger son environnement TIC/OT des\
            \ menaces pesant sur la cha\xEEne d'approvisionnement en appliquant des\
            \ mesures de s\xE9curit\xE9 dans le cadre d'une strat\xE9gie de s\xE9\
            curit\xE9 globale document\xE9e."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-2
      description: "The organization\u2019s place in critical infrastructure and its\
        \ industry sector is identified and communicated"
      translations:
        fr:
          name: null
          description: "La place de l'organisation dans les infrastructures critiques\
            \ et son secteur d'activit\xE9 est identifi\xE9e et communiqu\xE9e."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-2
      ref_id: IMPORTANT_ID.BE-2.1
      description: "The organization\u2019s place in critical infrastructure and its\
        \ industry sector shall be identified and communicated."
      annotation: The organisation covered by NIS legislation has a responsibility
        to know the other organisations in the same sector in order to work with them
        to achieve the objectives set by NIS for that particular sector.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La place de l'organisation dans les infrastructures critiques\
            \ et dans son secteur d'activit\xE9 doit \xEAtre identifi\xE9e et communiqu\xE9\
            e."
          annotation: "L'organisation couverte par la l\xE9gislation NIS a la responsabilit\xE9\
            \ de conna\xEEtre les autres organisations du m\xEAme secteur afin de\
            \ travailler avec elles pour atteindre les objectifs fix\xE9s par NIS\
            \ pour ce secteur particulier."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-3
      description: Priorities for organizational mission, objectives, and activities
        are established and communicated
      translations:
        fr:
          name: null
          description: "Les priorit\xE9s de la mission, des objectifs et des activit\xE9\
            s de l'organisation sont \xE9tablies et communiqu\xE9es."
          annotation: null
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-3
      ref_id: IMPORTANT_ID.BE-3.1
      description: Priorities for organizational mission, objectives, and activities
        are established and communicated.
      annotation: Information protection needs should be determined, and the related
        processes revised as necessary.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les priorit\xE9s pour les op\xE9rations, les objectifs et\
            \ les activit\xE9s de l'organisation doivent \xEAtre \xE9tablies et communiqu\xE9\
            es."
          annotation: "Il convient que les besoins en mati\xE8re de protection de\
            \ l'information soient d\xE9termin\xE9s, et les processus connexes r\xE9\
            vis\xE9s si n\xE9cessaire, jusqu'\xE0 l'obtention d'un ensemble r\xE9\
            alisable."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-4
      description: Dependencies and critical functions for delivery of critical services
        are established
      translations:
        fr:
          name: null
          description: "Les d\xE9pendances et les fonctions critiques pour la prestation\
            \ des services critiques sont \xE9tablies."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-4
      ref_id: IMPORTANT_ID.BE-4.1
      description: Dependencies and mission-critical functions for the delivery of
        critical services shall be identified, documented, and prioritized according
        to their criticality as part of the risk assessment process.
      annotation: Dependencies and business critical functions should include support
        services.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les d\xE9pendances et les fonctions essentielles \xE0 la fourniture\
            \ de services critiques doivent \xEAtre identifi\xE9es, document\xE9es\
            \ et class\xE9es par ordre de priorit\xE9 en fonction de leur criticit\xE9\
            \ dans le cadre du processus d'\xE9valuation des risques."
          annotation: "Il convient que les d\xE9pendances et les fonctions essentielles\
            \ \xE0 l'organisation incluent les services de soutien."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be
      ref_id: ID.BE-5
      description: Resilience requirements to support delivery of critical services
        are established for all operating states (e.g. under duress/attack, during
        recovery, normal operations)
      translations:
        fr:
          name: null
          description: "Les exigences en mati\xE8re de r\xE9silience pour soutenir\
            \ la prestation de services essentiels sont \xE9tablies pour tous les\
            \ \xE9tats de fonctionnement (par exemple, en cas de contrainte/attaque,\
            \ pendant le r\xE9tablissement, les op\xE9rations normales)."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.be-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      ref_id: IMPORTANT_ID.BE-5.1
      description: To support cyber resilience and secure the delivery of critical
        services, the necessary requirements are identified, documented and their
        implementation tested and approved.
      annotation: "\u2022\tConsider implementing resiliency mechanisms to support\
        \ normal and adverse operational situations (e.g., failsafe, load balancing,\
        \ hot swap).\n\u2022\tConsider aspects of business continuity management in\
        \ e.g. Business Impact Analyse (BIA), Disaster Recovery Plan (DRP) and Business\
        \ Continuity Plan (BCP)."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Pour soutenir la cyber-r\xE9silience et s\xE9curiser la prestation\
            \ de services essentiels, les exigences n\xE9cessaires sont identifi\xE9\
            es, document\xE9es et leur mise en \u0153uvre test\xE9e et approuv\xE9\
            e."
          annotation: "\u2022 Envisagez de mettre en \u0153uvre des m\xE9canismes\
            \ de r\xE9silience pour prendre en charge les situations op\xE9rationnelles\
            \ normales et d\xE9favorables (par exemple, failsafe, \xE9quilibrage de\
            \ charge, hot swap). \u2022 Examiner les aspects de la gestion de la continuit\xE9\
            \ des activit\xE9s, par exemple l'analyse de l'impact sur les activit\xE9\
            s (BIA), le plan de reprise d\u2019activit\xE9s (PRA) et le plan de continuit\xE9\
            \ des activit\xE9s (PCA)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      ref_id: ID.BE-5.2
      description: Information processing & supporting facilities shall implement
        redundancy to meet availability requirements, as defined by the organization
        and/or regulatory frameworks.
      annotation: "\u2022\tConsider provisioning adequate data and network redundancy\
        \ (e.g. redundant network devices, servers with load balancing, raid arrays,\
        \ backup services, 2 separate datacentres, fail-over network connections,\
        \ 2 ISP's\u2026).\n\u2022\tConsider protecting critical equipment/services\
        \ from power outages and other failures due to utility interruptions (e.g.\
        \ UPS & NO-break, frequent test, service contracts that include regular maintenance,\
        \ redundant power cabling, 2 different power service providers...)."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les installations de traitement de l'information et de soutien\
            \ doivent mettre en \u0153uvre la redondance pour r\xE9pondre aux exigences\
            \ de disponibilit\xE9, telles que d\xE9finies par l'organisation et/ou\
            \ les cadres r\xE9glementaires."
          annotation: "\u2022 Envisagez de pr\xE9voir une redondance ad\xE9quate des\
            \ donn\xE9es et du r\xE9seau (par exemple, des dispositifs de r\xE9seau\
            \ redondants, des serveurs avec r\xE9partition de la charge, des matrices\
            \ Raid, des services de sauvegarde, deux centres de donn\xE9es distincts,\
            \ des connexions r\xE9seau \xE0 basculement, deux fournisseurs d'acc\xE8\
            s Internet...). \n\u2022 Envisagez de prot\xE9ger les \xE9quipements/services\
            \ critiques contre les pannes de courant et autres d\xE9faillances dues\
            \ aux interruptions de service (par exemple, onduleurs et syst\xE8mes\
            \ sans coupure, tests fr\xE9quents, contrats de service incluant une maintenance\
            \ r\xE9guli\xE8re, c\xE2blage \xE9lectrique redondant, 2 fournisseurs\
            \ de services d'alimentation diff\xE9rents...)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.be-5
      ref_id: ID.BE-5.3
      description: Recovery time and recovery point objectives for the resumption
        of essential ICT/OT system processes shall be defined.
      annotation: "\u2022\tConsider applying the 3-2-1 back-up rule to improve RPO\
        \ and RTO (maintain at least 3 copies of your data, keep 2 of them at separate\
        \ locations and one copy should be stored at an off-site location).\n\u2022\
        \tConsider implementing mechanisms such as hot swap, load balancing and failsafe\
        \ to increase resilience."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Des objectifs de temps et de points de r\xE9tablissement pour\
            \ le r\xE9tablissement des processus essentiels des syst\xE8mes TIC/OT\
            \ sont d\xE9finis."
          annotation: "\u2022 Envisagez d'appliquer la r\xE8gle de sauvegarde 3-2-1\
            \ pour am\xE9liorer le RPO et le RTO (conservez au moins 3 copies de vos\
            \ donn\xE9es, dont 2 \xE0 des endroits diff\xE9rents et il convient de\
            \ stocker une copie hors site). \n\u2022 Envisagez de mettre en \u0153\
            uvre des m\xE9canismes tels que le hot swap, l'\xE9quilibrage des charges\
            \ et le failsafe pour accro\xEEtre la r\xE9silience."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.GV
      name: Governance
      description: "The policies, procedures, and processes to manage and monitor\
        \ the organization\u2019s regulatory, legal, risk, environmental, and operational\
        \ requirements are understood and inform the management of cybersecurity risk."
      translations:
        fr:
          name: Gouvernance
          description: "Les politiques, proc\xE9dures et processus de gestion et de\
            \ suivi des exigences r\xE9glementaires, juridiques, environnementales\
            \ et op\xE9rationnelles de l'organisation sont compris et contribuent\
            \ \xE0 la gestion du risque de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      ref_id: ID.GV-1
      description: Organizational cybersecurity policy is established and communicated
      translations:
        fr:
          name: null
          description: "La politique de cybers\xE9curit\xE9 de l'organisation est\
            \ \xE9tablie et communiqu\xE9e ."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1
      ref_id: BASIC_ID.GV-1.1
      description: Policies and procedures for information security and cyber security
        shall be created, documented, reviewed, approved, and updated when changes
        occur.
      annotation: "\u2022\tPolicies and procedures used to identify acceptable practices\
        \ and expectations for business operations, can be used to train new employees\
        \ on your information security expectations, and can aid an investigation\
        \ in case of an incident. These policies and procedures should be readily\
        \ accessible to employees.\n\u2022\tPolicies and procedures for information-\
        \ and cybersecurity should clearly describe your expectations for protecting\
        \ the organization\u2019s information and systems, and how management expects\
        \ the company\u2019s resources to be used and protected by all employees.\n\
        \u2022\tPolicies and procedures should be reviewed and updated at least annually\
        \ and every time there are changes in the organization or technology. Whenever\
        \ the policies are changed, employees should be made aware of the changes."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les politiques et proc\xE9dures en mati\xE8re de s\xE9curit\xE9\
            \ de l'information et de cybers\xE9curit\xE9 doivent \xEAtre cr\xE9\xE9\
            es, document\xE9es, examin\xE9es, approuv\xE9es et mises \xE0 jour lorsque\
            \ des changements interviennent."
          annotation: "\u2022 Les politiques et les proc\xE9dures qui servent \xE0\
            \ identifier les pratiques et les attentes acceptables pour les op\xE9\
            rations, peuvent \xEAtre utilis\xE9es pour former les nouveaux employ\xE9\
            s sur vos attentes en mati\xE8re de s\xE9curit\xE9 de l'information et\
            \ peuvent faciliter une enqu\xEAte en cas d'incident. Il convient que\
            \ ces politiques et proc\xE9dures soient facilement accessibles aux employ\xE9\
            s. \n\u2022 Il convient que les politiques et proc\xE9dures en mati\xE8\
            re de s\xE9curit\xE9 de l'information et de cybers\xE9curit\xE9 d\xE9\
            crivent clairement vos attentes en mati\xE8re de protection des informations\
            \ et des syst\xE8mes de l'organisation, ainsi que la mani\xE8re dont la\
            \ direction s'attend \xE0 ce que les ressources de l'organisation soient\
            \ utilis\xE9es et prot\xE9g\xE9es par tous les employ\xE9s. \n\u2022 Il\
            \ convient que les politiques et proc\xE9dures soient revues et mises\
            \ \xE0 jour au moins une fois par an et \xE0 chaque fois que des changements\
            \ interviennent dans l'organisation ou la technologie. Chaque fois que\
            \ les politiques sont modifi\xE9es, il convient d\u2019informer les employ\xE9\
            s des changements."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-1
      ref_id: IMPORTANT_ID.GV-1.2
      description: An organization-wide information security and cybersecurity policy
        shall be established, documented, updated when changes occur, disseminated,
        and approved by senior management.
      annotation: "The policy should include, for example:\n\u2022\tThe identification\
        \ and assignment of roles, responsibilities, management commitment, coordination\
        \ among organizational entities, and compliance. Guidance on role profiles\
        \ along with their identified titles, missions, tasks, skills, knowledge,\
        \ competences is available in the \"European Cybersecurity Skills Framework\
        \ Role Profiles\" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles)\n\
        \u2022\tThe coordination among organizational entities responsible for the\
        \ different aspects of security (i.e., technical, physical, personnel, cyber-physical,\
        \ information, access control, media protection, vulnerability management,\
        \ maintenance, monitoring)\n\u2022\tThe coverage of the full life cycle of\
        \ the ICT/OT systems."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Une politique de s\xE9curit\xE9 des informations et de cybers\xE9\
            curit\xE9 \xE0 l'\xE9chelle de l'organisation doit \xEAtre \xE9tablie,\
            \ document\xE9e, mise \xE0 jour en cas de changement, diffus\xE9e et approuv\xE9\
            e par la direction g\xE9n\xE9rale."
          annotation: "Il convient que la politique inclue, par exemple, les \xE9\
            l\xE9ments suivants : \n\u2022 L'identification et l'attribution des r\xF4\
            les, les responsabilit\xE9s, l'engagement de la direction, la coordination\
            \ entre les entit\xE9s organisationnelles et la conformit\xE9. Des conseils\
            \ sur les profils de r\xF4le ainsi que leurs titres, missions, t\xE2ches,\
            \ aptitudes, connaissances et comp\xE9tences sont disponibles dans le\
            \ \"European Cybersecurity Skills Framework Role Profiles\" de ENISA.\
            \ (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles)\
            \ \n\u2022 La coordination entre les entit\xE9s organisationnelles responsables\
            \ des diff\xE9rents aspects de la s\xE9curit\xE9 (c'est-\xE0-dire technique,\
            \ physique, personnel, cyber-physique, information, contr\xF4le d'acc\xE8\
            s, protection des m\xE9dias, gestion des vuln\xE9rabilit\xE9s, maintenance,\
            \ surveillance). \u2022 La couverture du cycle de vie complet des syst\xE8\
            mes TIC/OT."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      ref_id: ID.GV-3
      description: Legal and regulatory requirements regarding cybersecurity, including
        privacy and civil liberties obligations, are understood and managed
      translations:
        fr:
          name: null
          description: "Les exigences l\xE9gales et r\xE9glementaires concernant la\
            \ cybers\xE9curit\xE9, y compris les obligations en mati\xE8re de vie\
            \ priv\xE9e et de libert\xE9s civiles, sont comprises et g\xE9r\xE9es\
            \ ."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3
      ref_id: BASIC_ID.GV-3.1
      description: Legal and regulatory requirements regarding information/cybersecurity,
        including privacy obligations, shall be understood and implemented.
      annotation: There are no additional guidelines.
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les exigences l\xE9gales et r\xE9glementaires en mati\xE8\
            re de s\xE9curit\xE9 de l'information/cybers\xE9curit\xE9, y compris les\
            \ obligations en mati\xE8re de respect de la vie priv\xE9e, doivent \xEA\
            tre comprises et appliqu\xE9es."
          annotation: "Il n'y a pas de directives suppl\xE9mentaires."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-3
      ref_id: IMPORTANT_ID.GV-3.2
      description: Legal and regulatory requirements regarding information/cybersecurity,
        including privacy obligations, shall be managed.
      annotation: "\u2022\tThere should be regular reviews to ensure the continuous\
        \ compliance with legal and regulatory requirements regarding information/cybersecurity,\
        \ including privacy obligations.\n\u2022\tThis requirement also applies to\
        \ contractors and service providers."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les exigences l\xE9gales et r\xE9glementaires en mati\xE8\
            re de s\xE9curit\xE9 de l'information/cybers\xE9curit\xE9, y compris les\
            \ obligations en mati\xE8re de respect de la vie priv\xE9e, doivent \xEA\
            tre comprises, mises en \u0153uvre et g\xE9r\xE9es."
          annotation: "\u2022 Il convient de proc\xE9der \xE0 des examens r\xE9guliers\
            \ afin de garantir le respect permanent des exigences l\xE9gales et r\xE9\
            glementaires en mati\xE8re de s\xE9curit\xE9 de l'information/cybers\xE9\
            curit\xE9, y compris les obligations en mati\xE8re de protection de la\
            \ vie priv\xE9e. \n\u2022 Cette exigence s'applique \xE9galement aux entrepreneurs\
            \ et aux prestataires de services."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv
      ref_id: ID.GV-4
      description: Governance and risk management processes address cybersecurity
        risks
      translations:
        fr:
          name: null
          description: "Les processus de gouvernance et de gestion des risques traitent\
            \ les risques de cybers\xE9curit\xE9 ."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.gv-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4
      ref_id: BASIC_ID.GV-4.1
      description: As part of the company's overall risk management, a comprehensive
        strategy to manage information security and cybersecurity risks shall be developed
        and updated when changes occur.
      annotation: This strategy should include determining and allocating the required
        resources to protect the organisation's business-critical assets.
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Dans le cadre de la gestion globale des risques de l'organisation,\
            \ une strat\xE9gie compl\xE8te de gestion des risques li\xE9s \xE0 la\
            \ s\xE9curit\xE9 de l'information et \xE0 la cybers\xE9curit\xE9 doit\
            \ \xEAtre \xE9labor\xE9e et mise \xE0 jour lorsque des changements surviennent."
          annotation: "Il convient d\u2019inclure dans cette strat\xE9gie la d\xE9\
            termination et l'affectation des ressources n\xE9cessaires \xE0 la protection\
            \ des actifs critiques de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.gv-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.gv-4
      ref_id: IMPORTANT_ID.GV-4.2
      description: "Information security and cybersecurity risks shall be documented,\
        \ formally approved, and updated when changes occur.\t"
      annotation: Consider using Risk Management tools.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les risques li\xE9s \xE0 la s\xE9curit\xE9 de l'information\
            \ et \xE0 la cybers\xE9curit\xE9 doivent \xEAtre document\xE9s, approuv\xE9\
            s formellement et mis \xE0 jour lorsque des changements surviennent."
          annotation: Envisagez d'utiliser des outils de gestion des risques.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.RA
      name: Risk Assessment
      description: The organization understands the cybersecurity risk to organizational
        operations (including mission, functions, image, or reputation), organizational
        assets, and individuals.
      translations:
        fr:
          name: "\xC9valuation des risques "
          description: "L'organisation comprend le risque de cybers\xE9curit\xE9 pour\
            \ les op\xE9rations de l'organisation (y compris la mission, les fonctions,\
            \ l'image ou la r\xE9putation), ses actifs et les individus."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-1
      description: Asset vulnerabilities are identified and documented
      translations:
        fr:
          name: null
          description: " Les vuln\xE9rabilit\xE9s des actifs sont identifi\xE9es et\
            \ document\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      ref_id: BASIC_ID.RA-1.1
      description: Threats and vulnerabilities shall be identified.
      annotation: "\u2022\tA vulnerability refers to a weakness in the organization\u2019\
        s hardware, software, or procedures. It is a gap through which a bad actor\
        \ can gain access to the organization\u2019s assets. A vulnerability exposes\
        \ an organization to threats.\n\u2022\tA threat is a malicious or negative\
        \ event that takes advantage of a vulnerability. \n\u2022\tThe risk is the\
        \ potential for loss and damage when the threat does occur."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les menaces et les vuln\xE9rabilit\xE9s doivent \xEAtre identifi\xE9\
            es."
          annotation: "\u2022 Une vuln\xE9rabilit\xE9 fait r\xE9f\xE9rence \xE0 une\
            \ faiblesse dans le mat\xE9riel, les logiciels ou les proc\xE9dures de\
            \ l'organisation. Il s'agit d'une faille par laquelle un acteur malveillant\
            \ peut acc\xE9der aux actifs de l'organisation. Une vuln\xE9rabilit\xE9\
            \ expose une organisation \xE0 des menaces. \u2022 Une menace est un \xE9\
            v\xE9nement malveillant ou n\xE9gatif qui tire parti d'une vuln\xE9rabilit\xE9\
            . \n\u2022 Le risque est la possibilit\xE9 de perte et de dommage lorsque\
            \ la menace se concr\xE9tise."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      ref_id: IMPORTANT_ID.RA-1.2
      description: A process shall be established to monitor, identify, and document
        vulnerabilities of the organisation's business critical systems in a continuous
        manner.
      annotation: "\u2022\tWhere safe and feasible, the use of vulnerability scanning\
        \ should be considered.\n\u2022\tThe organization should establish and maintain\
        \ a testing program appropriate to its size, complexity, and maturity."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un processus doit \xEAtre \xE9tabli pour surveiller, identifier\
            \ et documenter en permanence les vuln\xE9rabilit\xE9s des syst\xE8mes\
            \ critiques de l'organisation."
          annotation: "\u2022 Lorsque cela est s\xFBr et possible, il convient d\u2019\
            envisager l'utilisation d'une analyse de vuln\xE9rabilit\xE9. \n\u2022\
            \ Il convient que l'organisation \xE9tablisse et maintienne un programme\
            \ de tests adapt\xE9 \xE0 sa taille, sa complexit\xE9 et sa maturit\xE9\
            ."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-1
      ref_id: ID.RA-1.3
      description: "To ensure that organization's operations are not adversely impacted\
        \ by the testing process, performance/load testing and penetration testing\
        \ on the organization\u2019s systems shall be conducted with care."
      annotation: Consider validating security measures after each penetration test.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Pour s'assurer que les op\xE9rations de l'organisation ne\
            \ sont pas affect\xE9es par le processus de test, les tests de performance/charge\
            \ et les tests de p\xE9n\xE9tration sur les syst\xE8mes de l'organisation\
            \ doivent \xEAtre men\xE9s avec soin."
          annotation: "Envisager de valider les mesures de s\xE9curit\xE9 apr\xE8\
            s chaque test de p\xE9n\xE9tration"
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-2
      description: Cyber threat intelligence is received from information sharing
        forums and sources
      translations:
        fr:
          name: null
          description: "Les renseignements sur les cybermenaces sont re\xE7us de forums\
            \ de partage d'informations et de sources."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2
      ref_id: IMPORTANT_ID.RA-2.1
      description: ' A threat and vulnerability awareness program that includes a
        cross-organization information-sharing capability shall be implemented. '
      annotation: A threat and vulnerability awareness program should include ongoing
        contact with security groups and associations to receive security alerts and
        advisories. (Security groups and associations include, for example, special
        interest groups, forums, professional associations, news groups, and/or peer
        groups of security professionals in similar organizations).This contact can
        include the sharing of information about potential vulnerabilities and incidents.
        This sharing capability should have an unclassified and classified information
        sharing capability.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un programme de sensibilisation aux menaces et aux vuln\xE9\
            rabilit\xE9s, comprenant une capacit\xE9 de partage d'informations entre\
            \ les organisations, doit \xEAtre mis en \u0153uvre."
          annotation: "Il convient qu\u2019un programme de sensibilisation aux menaces\
            \ et aux vuln\xE9rabilit\xE9s inclue un contact permanent avec les groupes\
            \ et associations de s\xE9curit\xE9 afin de recevoir les alertes et les\
            \ conseils de s\xE9curit\xE9. (Les groupes et associations de s\xE9curit\xE9\
            \ comprennent, par exemple, des groupes d'int\xE9r\xEAt sp\xE9ciaux, des\
            \ forums, des associations professionnelles, des groupes de presse et/ou\
            \ des groupes de pairs compos\xE9s de professionnels de la s\xE9curit\xE9\
            \ appartenant \xE0 des organisations similaires). Il convient que cette\
            \ capacit\xE9 de partage aie une capacit\xE9 de partage d'informations\
            \ classifi\xE9es et non classifi\xE9es."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-2
      ref_id: ID.RA-2.2
      description: It shall be identified where automated mechanisms can be implemented
        to make security alert and advisory information available to relevant organization
        stakeholders.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Il se doit d'identifier les endroits o\xF9 des m\xE9canismes\
            \ automatis\xE9s peuvent \xEAtre mis en \u0153uvre pour mettre les informations\
            \ relatives aux alertes et aux avis de s\xE9curit\xE9 \xE0 la disposition\
            \ des parties prenantes pertinentes de l'organisation."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-5
      description: Threats, vulnerabilities, likelihoods, and impacts are used to
        determine risk
      translations:
        fr:
          name: null
          description: "Les menaces, les vuln\xE9rabilit\xE9s, les probabilit\xE9\
            s et les impacts sont utilis\xE9s pour d\xE9terminer les risques."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_id.ra-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      ref_id: BASIC_ID.RA-5.1
      description: The organization shall conduct risk assessments in which risk is
        determined by threats, vulnerabilities and impact on business processes and
        assets.
      annotation: "\u2022\tKeep in mind that threats exploit vulnerabilities.\n\u2022\
        \tIdentify the consequences that losses of confidentiality, integrity and\
        \ availability may have on the assets and related business processes."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit effectuer des \xE9valuations des risques\
            \ dans lesquelles le risque est d\xE9termin\xE9 par les menaces, les vuln\xE9\
            rabilit\xE9s et l'impact sur les processus et les actifs de l'organisation."
          annotation: "\u2022 N'oubliez pas que les menaces exploitent les vuln\xE9\
            rabilit\xE9s. \n\u2022 Identifier les cons\xE9quences que les pertes de\
            \ confidentialit\xE9, d'int\xE9grit\xE9 et de disponibilit\xE9 peuvent\
            \ avoir sur les actifs et les processus op\xE9rationnels connexes."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      ref_id: IMPORTANT_ID.RA-5.2
      description: The organization shall conduct and  document risk assessments in
        which risk is determined by threats, vulnerabilities, impact on business processes
        and assets, and the likelihood of their occurrence.
      annotation: "\u2022\tRisk assessment should include threats from insiders and\
        \ external parties.\n\u2022\tQualitative and/or quantitative  risk analysis\
        \ methods \n(MAPGOOD, ISO27005, CIS RAM, \u2026) can be used together with\
        \ software tooling."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit effectuer et documenter des \xE9valuations\
            \ des risques dans lesquelles le risque est d\xE9termin\xE9 par les menaces,\
            \ les vuln\xE9rabilit\xE9s, l'impact sur les processus et les actifs de\
            \ l'organisation, et la probabilit\xE9 qu'ils se produisent."
          annotation: "\u2022 Il convient que l'\xE9valuation des risques inclue les\
            \ menaces provenant de personnes internes et externes. \n\u2022 Les m\xE9\
            thodes d'analyse de risque qualitatives et/ou quantitatives (MAPGOOD,\
            \ ISO27005, CIS RAM, ...) peuvent \xEAtre utilis\xE9es avec des outils\
            \ logiciels."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-5
      ref_id: ID.RA-5.3
      description: Risk assessment results shall be disseminated to relevant stakeholders.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les r\xE9sultats de l'\xE9valuation des risques sont diffus\xE9\
            s aux parties prenantes concern\xE9es."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra
      ref_id: ID.RA-6
      description: Risk responses are identified and prioritized
      translations:
        fr:
          name: null
          description: "Les r\xE9ponses aux risques sont identifi\xE9es et class\xE9\
            es par ordre de priorit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.ra-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.ra-6
      ref_id: IMPORTANT_ID.RA-6.1
      description: "A comprehensive strategy shall be developed and implemented to\
        \ manage risks to the organization\u2019s critical systems, that includes\
        \ the identification and prioritization of risk responses."
      annotation: "\u2022\tManagement and employees should be involved in information-\
        \ and cybersecurity.\n\u2022\tIt should be identified what the most important\
        \ assets are, and how they are protected.\n\u2022\tIt should be clear what\
        \ impact will be if these assets are compromised.\n\u2022\tIt should be established\
        \ how the implementation of adequate mitigation measures will be organized."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Une strat\xE9gie globale doit \xEAtre \xE9labor\xE9e et mise\
            \ en \u0153uvre pour g\xE9rer les risques auxquels sont expos\xE9s les\
            \ syst\xE8mes critiques de l'organisation, qui comprend l'identification\
            \ et la hi\xE9rarchisation des r\xE9ponses aux risques."
          annotation: "\u2022 Il convient que la direction et les employ\xE9s soient\
            \ impliqu\xE9s dans la s\xE9curit\xE9 de l'information et la cybers\xE9\
            curit\xE9. \n\u2022 Il convient de d\xE9terminer quels sont les actifs\
            \ les plus importants et comment ils sont prot\xE9g\xE9s. \n\u2022 Il\
            \ convient que l'impact d'une compromission de ces actifs soit clair.\
            \ \n\u2022 Il convient d'\xE9tablir comment la mise en \u0153uvre de mesures\
            \ d'att\xE9nuation ad\xE9quates sera organis\xE9e."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.RM
      name: Risk Management Strategy
      description: "The organization\u2019s priorities, constraints, risk tolerances,\
        \ and assumptions are established and used to support operational risk decisions."
      translations:
        fr:
          name: Gestion des risques
          description: "Les priorit\xE9s, contraintes, tol\xE9rances au risque et\
            \ hypoth\xE8ses de l'organisation sont \xE9tablies et utilis\xE9es pour\
            \ soutenir les d\xE9cisions relatives au risque op\xE9rationnel."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      ref_id: ID.RM-1
      description: Risk management processes are established, managed, and agreed
        to by organizational stakeholders
      translations:
        fr:
          name: null
          description: "Les processus de gestion des risques sont \xE9tablis, g\xE9\
            r\xE9s et accept\xE9s par les parties prenantes de l\u2019organisation."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-1
      ref_id: IMPORTANT_ID.RM-1.1
      description: A cyber risk management process that identifies key internal and
        external stakeholders and facilitates addressing risk-related issues and information
        shall be created, documented, reviewed, approved, and updated when changes
        occur.
      annotation: 'External stakeholders include  customers, investors and shareholders,
        suppliers, government agencies and the wider community. '
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un processus de gestion des cyber-risques qui identifie les\
            \ principales parties prenantes internes et externes et facilite le traitement\
            \ des questions et des informations li\xE9es aux risques doit \xEAtre\
            \ cr\xE9\xE9, document\xE9, examin\xE9, approuv\xE9 et mis \xE0 jour lorsque\
            \ des changements surviennent."
          annotation: "Les parties prenantes externes comprennent les clients, les\
            \ investisseurs et les actionnaires, les fournisseurs, les agences gouvernementales\
            \ et la communaut\xE9 au sens large."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      ref_id: ID.RM-2
      description: Organizational risk tolerance is determined and clearly expressed
      translations:
        fr:
          name: null
          description: "La tol\xE9rance de l'organisation au risque est d\xE9termin\xE9\
            e et clairement exprim\xE9e."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-2
      ref_id: IMPORTANT_ID.RM-2.1
      description: "The organization shall clearly determine it\u2019s risk appetite."
      annotation: Determination and expression of risk tolerance (risk appetite) should
        be in line with the policies on information security and cybersecurity, to
        facilitate demonstration of coherence between policies, risk tolerance and
        measures.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit d\xE9terminer clairement son app\xE9tit\
            \ pour le risque."
          annotation: "Il convient que la d\xE9termination et l'expression de la tol\xE9\
            rance au risque (app\xE9tit pour le risque) soient conformes aux politiques\
            \ de s\xE9curit\xE9 de l'information et de cybers\xE9curit\xE9, afin de\
            \ faciliter la d\xE9monstration de la coh\xE9rence entre les politiques,\
            \ la tol\xE9rance au risque et les mesures."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm
      ref_id: ID.RM-3
      description: "The organization\u2019s determination of risk tolerance is informed\
        \ by its role in critical infrastructure and sector specific risk analysis"
      translations:
        fr:
          name: null
          description: "La d\xE9termination de la tol\xE9rance au risque de l'organisation\
            \ est \xE9clair\xE9e par son r\xF4le dans l'infrastructure critique et\
            \ l'analyse des risques sp\xE9cifiques au secteur."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.rm-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.rm-3
      ref_id: IMPORTANT_ID.RM-3.1
      description: "The organization\u2019s role in critical infrastructure and its\
        \ sector shall determine the organization\u2019s risk appetite."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Le r\xF4le de l'organisation dans les infrastructures critiques\
            \ et son secteur d\xE9terminent l'app\xE9tit de l'organisation pour le\
            \ risque."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id
      ref_id: ID.SC
      name: Supply Chain Risk Management
      description: "The organization\u2019s priorities, constraints, risk tolerances,\
        \ and assumptions are established and used to support risk decisions associated\
        \ with managing supply chain risk. The organization has established and implemented\
        \ the processes to identify, assess and manage supply chain risks."
      translations:
        fr:
          name: "Gestion des risques li\xE9s \xE0 la cha\xEEne d'approvisionnement"
          description: "Les priorit\xE9s, les contraintes, les tol\xE9rances au risque\
            \ et les hypoth\xE8ses de l'organisation sont \xE9tablies et utilis\xE9\
            es pour soutenir les d\xE9cisions li\xE9es \xE0 la gestion des risques\
            \ de la cha\xEEne d'approvisionnement. L'organisation a \xE9tabli et mis\
            \ en \u0153uvre les processus pour identifier, \xE9valuer et g\xE9rer\
            \ les risques li\xE9s \xE0 la cha\xEEne d'approvisionnement."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-1
      description: Cyber supply chain risk management processes are identified, established,
        assessed, managed, and agreed to by organizational stakeholders
      translations:
        fr:
          name: null
          description: "Les processus de gestion des risques li\xE9s \xE0 la cha\xEE\
            ne d'approvisionnement sont identifi\xE9s, \xE9tablis, \xE9valu\xE9s,\
            \ g\xE9r\xE9s et accept\xE9s par les parties prenantes de l'organisation."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-1
      ref_id: ID.SC-1.1
      description: The organization shall document, review, approve, update when changes
        occur, and implement a cyber supply chain risk management process that supports
        the identification, assessment, and mitigation of the risks associated with
        the distributed and interconnected nature of ICT/OT product and service supply
        chains.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit documenter, examiner, approuver, mettre\
            \ \xE0 jour lorsque des changements surviennent et mettre en \u0153uvre\
            \ un processus de gestion des risques li\xE9s \xE0 la cha\xEEne d'approvisionnement\
            \ cybern\xE9tique qui soutient l'identification, l'\xE9valuation et l'att\xE9\
            nuation des risques associ\xE9s \xE0 la nature distribu\xE9e et interconnect\xE9\
            e des cha\xEEnes d'approvisionnement en produits et services TIC/OT."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-2
      description: 'Suppliers and third party partners of information systems, components,
        and services are identified, prioritized, and assessed using a cyber supply
        chain risk assessment process '
      translations:
        fr:
          name: null
          description: "Les fournisseurs et les partenaires tiers de syst\xE8mes d'information,\
            \ de composants et de services sont identifi\xE9s, class\xE9s par ordre\
            \ de priorit\xE9 et \xE9valu\xE9s \xE0 l'aide d'un processus d'\xE9valuation\
            \ des risques de la cybercha\xEEne d\u2019approvisionnement."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2
      ref_id: IMPORTANT_ID.SC-2.1
      description: "The organization shall conduct cyber supply chain risk assessments\
        \ at least annually or when a change to the organization\u2019s critical systems,\
        \ operational environment, or supply chain occurs; These assessments shall\
        \ be documented, and the results disseminated to relevant stakeholders including\
        \ those responsible for ICT/OT systems."
      annotation: This assessment should identify and prioritize potential negative
        impacts to the organization from the risks associated with the distributed
        and interconnected nature of ICT/OT product and service supply chains.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit effectuer des \xE9valuations des risques\
            \ li\xE9s \xE0 la cha\xEEne d'approvisionnement cybern\xE9tique au moins\
            \ une fois par an ou lorsqu'un changement intervient dans les syst\xE8\
            mes critiques, l'environnement op\xE9rationnel ou la cha\xEEne d'approvisionnement\
            \ de l'organisation ; ces \xE9valuations doivent \xEAtre document\xE9\
            es et les r\xE9sultats diffus\xE9s aux parties prenantes concern\xE9es,\
            \ y compris les responsables des syst\xE8mes TIC/OT."
          annotation: "Il convient que cette \xE9valuation permette d'identifier et\
            \ de hi\xE9rarchiser les impacts n\xE9gatifs potentiels pour l'organisation\
            \ des risques associ\xE9s \xE0 la nature distribu\xE9e et interconnect\xE9\
            e des cha\xEEnes d'approvisionnement en produits et services TIC/OT."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-2
      ref_id: ID.SC-2.2
      description: "A documented list of all the organization\u2019s suppliers, vendors\
        \ and partners who may be involved in a major incident shall be established,\
        \ kept up-to-date and made available online and offline."
      annotation: This list should include suppliers, vendors and partners contact
        information and the services they provide, so they can be contacted for assistance
        in the event of an outage or service degradation.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Une liste document\xE9e de tous les fournisseurs, vendeurs\
            \ et partenaires de l'organisation susceptibles d'\xEAtre impliqu\xE9\
            s dans un incident majeur doit \xEAtre \xE9tablie, tenue \xE0 jour et\
            \ mise \xE0 disposition en ligne et hors ligne."
          annotation: "Il convient d\u2019inclure dans cette liste les coordonn\xE9\
            es des fournisseurs, des vendeurs et des partenaires, ainsi que les services\
            \ qu'ils fournissent, afin qu'ils puissent \xEAtre contact\xE9s pour une\
            \ assistance en cas de panne ou de d\xE9gradation du service."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-3
      description: "Contracts with suppliers and third-party partners are used to\
        \ implement appropriate measures designed to meet the objectives of an organization\u2019\
        s cybersecurity program and Cyber Supply Chain Risk Management Plan."
      translations:
        fr:
          name: null
          description: "Les contrats avec les fournisseurs et les partenaires tiers\
            \ sont utilis\xE9s pour mettre en \u0153uvre des mesures appropri\xE9\
            es con\xE7ues pour atteindre les objectifs du programme de cybers\xE9\
            curit\xE9 et du plan de gestion des risques de la cha\xEEne d'approvisionnement\
            \ de l'organisation."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      ref_id: IMPORTANT_ID.SC-3.1
      description: Based on the results of the cyber supply chain risk assessment,
        a contractual framework for suppliers and external partners shall be established
        to address sharing of sensitive information and distributed and interconnected
        ICT/OT products and services.
      annotation: "\u2022\tEntities not subject to the NIS legislation should consider\
        \ business critical suppliers and third-party partners only.\n\u2022\tKeep\
        \ in mind that GDPR requirements need to be fulfilled when business information\
        \ contains personal data (applicable on all levels), i.e. security measures\
        \ need to be addressed in the contractual framework."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Sur la base des r\xE9sultats de l'\xE9valuation des risques\
            \ li\xE9s \xE0 la cybercha\xEEne d'approvisionnement, un cadre contractuel\
            \ est \xE9tabli pour les fournisseurs et les partenaires externes afin\
            \ de traiter le partage d'informations sensibles et de produits et services\
            \ TIC/OT distribu\xE9s et interconnect\xE9s."
          annotation: "\u2022 Il convient que les entit\xE9s qui ne sont pas soumises\
            \ \xE0 la l\xE9gislation NIS ne consid\xE8rent que les fournisseurs et\
            \ les partenaires tiers essentiels \xE0 leur activit\xE9. \n\u2022 N'oubliez\
            \ pas que les exigences du GDPR doivent \xEAtre respect\xE9es lorsque\
            \ les informations op\xE9rationnelles contiennent des donn\xE9es \xE0\
            \ caract\xE8re personnel (applicable \xE0 tous les niveaux), c'est- \xE0\
            -dire que les mesures de s\xE9curit\xE9 doivent \xEAtre abord\xE9es dans\
            \ le cadre contractuel."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      ref_id: ID.SC-3.2
      description: "[KEY MEASURE] Contractual information security and cybersecurity\u2019\
        \ requirements for suppliers and third-party partners shall be implemented\
        \ to ensure a verifiable flaw remediation process, and to ensure the correction\
        \ of flaws identified during \u2018information security and cybersecurity\u2019\
        \ testing and evaluation."
      annotation: "\u2022\tInformation systems containing software (or firmware) affected\
        \ by recently announced software flaws (and potential vulnerabilities resulting\
        \ from those flaws) should be identified.\n\u2022\tNewly released security\
        \ relevant patches, service packs, and hot fixes should be installed, and\
        \ these  patches, service packs, and hot fixes are tested for effectiveness\
        \ and potential side effects on the organization\u2019s information systems\
        \ before installation. Flaws discovered during security assessments, continuous\
        \ monitoring, incident response activities, or information system error handling\
        \ are also addressed expeditiously. Flaw remediation should be incorporated\
        \ into configuration management as an emergency change."
      implementation_groups:
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Des exigences contractuelles en mati\xE8re\
            \ de \"s\xE9curit\xE9 de l'information et de cybers\xE9curit\xE9\" pour\
            \ les fournisseurs et les partenaires tiers sont mises en \u0153uvre pour\
            \ garantir un processus v\xE9rifiable de correction des failles et pour\
            \ garantir la correction des failles identifi\xE9es lors des tests et\
            \ des \xE9valuations de \"s\xE9curit\xE9 de l'information et de cybers\xE9\
            curit\xE9\"."
          annotation: "\u2022 Il convient que les syst\xE8mes d'information contenant\
            \ des logiciels (ou micrologiciels) affect\xE9s par des failles logicielles\
            \ r\xE9cemment annonc\xE9es (et les vuln\xE9rabilit\xE9s potentielles\
            \ r\xE9sultant de ces failles) soient identifi\xE9s. \n\u2022 Les correctifs\
            \ de s\xE9curit\xE9 r\xE9cemment publi\xE9s, les Service Packs et hot\
            \ fixes doivent \xEAtre install\xE9s, et leur efficacit\xE9 ainsi que\
            \ les effets secondaires potentiels sur les syst\xE8mes d'information\
            \ de l'organisation sont test\xE9s avant leur installation. Les failles\
            \ d\xE9couvertes lors des \xE9valuations de s\xE9curit\xE9, de la surveillance\
            \ continue, des activit\xE9s de r\xE9ponse aux incidents ou du traitement\
            \ des erreurs du syst\xE8me d'information sont \xE9galement trait\xE9\
            es rapidement. Il convient que la correction des failles soit int\xE9\
            gr\xE9e \xE0 la gestion de la configuration en tant que changement d'urgence."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-3
      ref_id: ID.SC-3.3
      description: "[KEY MEASURE] The organization shall establish contractual requirements\
        \ permitting the organization to review the \u2018information security and\
        \ cybersecurity\u2019 programs implemented by suppliers and third-party partners."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit \xE9tablir des exigences\
            \ contractuelles lui permettant d'examiner les programmes de \"s\xE9curit\xE9\
            \ des informations et de cybers\xE9curit\xE9\" mis en \u0153uvre par les\
            \ fournisseurs et les partenaires tiers."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-4
      description: Suppliers and third-party partners are routinely assessed using
        audits, test results, or other forms of evaluations to confirm they are meeting
        their contractual obligations.
      translations:
        fr:
          name: null
          description: "Les fournisseurs et les partenaires tiers sont r\xE9guli\xE8\
            rement \xE9valu\xE9s \xE0 l'aide d'audits, de r\xE9sultats de tests ou\
            \ d'autres formes d'\xE9valuation pour confirmer qu'ils respectent leurs\
            \ obligations contractuelles."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4
      ref_id: IMPORTANT_ID.SC-4.1
      description: "The organization shall review assessments of suppliers\u2019 and\
        \ third-party partner\u2019s compliance with contractual obligations by routinely\
        \ reviewing audits, test results, and other evaluations."
      annotation: Entities not subject to the NIS legislation could limit themselves
        to business critical suppliers and third-party partners only.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit examiner les \xE9valuations de la conformit\xE9\
            \ des fournisseurs et des partenaires tiers aux obligations contractuelles\
            \ en examinant r\xE9guli\xE8rement les audits, les r\xE9sultats des tests\
            \ et autres \xE9valuations."
          annotation: "Les entit\xE9s non soumises \xE0 la l\xE9gislation NIS pourraient\
            \ se limiter aux seuls fournisseurs et partenaires tiers critiques pour\
            \ l\u2019organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-4
      ref_id: ID.SC-4.2
      description: "The organization shall review assessments of suppliers\u2019 and\
        \ third-party partner\u2019s compliance with contractual obligations by routinely\
        \ reviewing third-party independent audits, test results, and other evaluations."
      annotation: The depth of the review should depend on the criticality of delivered
        products and services.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit examiner les \xE9valuations de la conformit\xE9\
            \ des fournisseurs et des partenaires tiers aux obligations contractuelles\
            \ en examinant r\xE9guli\xE8rement les audits ind\xE9pendants de tiers,\
            \ les r\xE9sultats des tests et autres \xE9valuations."
          annotation: "Il convient que la profondeur de l'examen d\xE9pende de la\
            \ criticit\xE9 des produits et services fournis."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc
      ref_id: ID.SC-5
      description: Response and recovery planning and testing are conducted with suppliers
        and third-party providers
      translations:
        fr:
          name: null
          description: "La planification et les tests de r\xE9ponse et de r\xE9tablissement\
            \ sont effectu\xE9s avec les fournisseurs et les prestataires tiers."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_id.sc-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5
      ref_id: IMPORTANT_ID.SC-5.1
      description: The organization shall identify and document key personnel from
        suppliers and third-party partners to include them as stakeholders in response
        and recovery planning activities.
      annotation: Entities not subject to the NIS legislation could limit themselves
        to business critical suppliers and third-party partners only.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit identifier et documenter le personnel\
            \ cl\xE9 des fournisseurs et des partenaires tiers afin de les inclure\
            \ en tant que parties prenantes dans les activit\xE9s de planification\
            \ de la r\xE9ponse et du r\xE9tablissement."
          annotation: "Les entit\xE9s non soumises \xE0 la l\xE9gislation NIS pourraient\
            \ se limiter aux seuls fournisseurs et partenaires tiers critiques pour\
            \ l\u2019organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:id.sc-5
      ref_id: ID.SC-5.2
      description: The organization shall identify and document key personnel from
        suppliers and third-party partners to include them as stakeholders in testing
        and execution of the response and recovery plans.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit identifier et documenter le personnel\
            \ cl\xE9 des fournisseurs et des partenaires tiers afin de les inclure\
            \ en tant que parties prenantes dans les tests et l'ex\xE9cution des plans\
            \ de r\xE9ponse et de r\xE9tablissement."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      assessable: false
      depth: 1
      ref_id: PR
      name: PROTECT (PR)
      translations:
        fr:
          name: PROTEGER (PR)
          description: null
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.AC
      name: Identity Management, Authentication and Access Control
      description: Access to physical and logical assets and associated facilities
        is limited to authorized users, processes, and devices, and is managed consistent
        with the assessed risk of unauthorized access to authorized activities and
        transactions.
      translations:
        fr:
          name: "Gestion des identit\xE9s, authentification et contr\xF4le d'acc\xE8\
            s "
          description: "L'acc\xE8s aux actifs physiques et logiques et aux installations\
            \ associ\xE9es est limit\xE9 aux utilisateurs, processus et dispositifs\
            \ autoris\xE9s, et est g\xE9r\xE9 en fonction du risque \xE9valu\xE9 d'acc\xE8\
            s non autoris\xE9 aux activit\xE9s et transactions autoris\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-1
      description: Identities and credentials are issued, managed, verified, revoked,
        and audited for authorized devices, users and processes
      translations:
        fr:
          name: null
          description: "Les identit\xE9s et les identifiants sont \xE9mis, g\xE9r\xE9\
            s, v\xE9rifi\xE9s, r\xE9voqu\xE9s et audit\xE9s pour les dispositifs,\
            \ utilisateurs et processus autoris\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: BASIC_PR.AC-1.1
      description: '[KEY MEASURE] Identities and credentials for authorized devices
        and users shall be managed.'
      annotation: "Identities and credentials for authorized devices and users could\
        \ be managed through a password policy. A password policy is a set of rules\
        \ designed to enhance ICT/OT security by encouraging organization\u2019s to:\n\
        (Not limitative list and measures to be considered as appropriate)\n\u2022\
        \tChange all default passwords.\n\u2022\tEnsure that no one works with administrator\
        \ privileges for daily tasks.\n\u2022\tKeep a limited and updated list of\
        \ system administrator accounts.\n\u2022\tEnforce password rules, e.g. passwords\
        \ must be longer than a state-of-the-art number of characters with a combination\
        \ of character types and changed periodically or when there is any suspicion\
        \ of compromise.\n\u2022\tUse only individual accounts and never share passwords.\n\
        \u2022\tImmediately disable unused accounts\n\u2022\tRights and privileges\
        \ are managed by user groups."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les identit\xE9s et les identifiants des dispositifs\
            \ et des utilisateurs autoris\xE9s doivent \xEAtre g\xE9r\xE9s."
          annotation: "Les identit\xE9s et les identifiants des dispositifs et des\
            \ utilisateurs autoris\xE9s peuvent \xEAtre g\xE9r\xE9es par une politique\
            \ de mot de passe. Une politique de mot de passe est un ensemble de r\xE8\
            gles destin\xE9es \xE0 renforcer la s\xE9curit\xE9 des TIC/OT en encourageant\
            \ l'organisation \xE0 (liste non limitative et mesures \xE0 envisager\
            \ le cas \xE9ch\xE9ant) : \n\u2022 Changez tous les mots de passe par\
            \ d\xE9faut. \n\u2022 Veillez \xE0 ce que personne ne travaille avec des\
            \ privil\xE8ges d'administrateur pour les t\xE2ches quotidiennes. \n\u2022\
            \ Conservez une liste limit\xE9e et mise \xE0 jour des comptes d'administrateur\
            \ syst\xE8me. \n\u2022 Appliquer les r\xE8gles relatives aux mots de passe,\
            \ par exemple, les mots de passe doivent \xEAtre plus longs qu'un nombre\
            \ de caract\xE8res ad\xE9quat avec une combinaison de types de caract\xE8\
            res et \xEAtre chang\xE9s p\xE9riodiquement ou lorsqu'il y a un soup\xE7\
            on de compromission. \n\u2022 N'utilisez que des comptes individuels et\
            \ ne partagez jamais vos mots de passe. \n\u2022 D\xE9sactiver imm\xE9\
            diatement les comptes inutilis\xE9s. \n\u2022 Les droits et les privil\xE8\
            ges sont g\xE9r\xE9s par des groupes d'utilisateurs."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: IMPORTANT_PR.AC-1.2
      description: Identities and credentials for authorized devices and users shall
        be managed, where feasible through automated mechanisms.
      annotation: "\u2022\tAutomated mechanisms can help to support the management\
        \ and auditing of information system credentials.\n\u2022\tConsider strong\
        \ user authentication, meaning an authentication based on the use of at least\
        \ two authentication factors from different categories of either knowledge\
        \ (something only the user knows), possession (something only the user possesses)\
        \ or inherence (something the user is) that are independent, in that the breach\
        \ of one does not compromise the reliability of the others, and is designed\
        \ in such a way to protect the confidentiality of the authentication data."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les identit\xE9s et les identifiants des dispositifs et des\
            \ utilisateurs autoris\xE9s sont g\xE9r\xE9s, si possible par des m\xE9\
            canismes automatis\xE9s."
          annotation: "\u2022 Des m\xE9canismes automatis\xE9s peuvent contribuer\
            \ \xE0 la gestion et \xE0 l'audit des informations d'identification des\
            \ syst\xE8mes d'information. \n\u2022 Consid\xE9rons l'authentification\
            \ forte des utilisateurs, c'est-\xE0-dire une authentification bas\xE9\
            e sur l'utilisation d'au moins deux facteurs d'authentification appartenant\
            \ \xE0 des cat\xE9gories diff\xE9rentes de connaissance (quelque chose\
            \ que seul l'utilisateur sait), de possession (quelque chose que seul\
            \ l'utilisateur poss\xE8de) ou d'inh\xE9rence (quelque chose que l'utilisateur\
            \ est) qui sont ind\xE9pendantes, en ce sens que la violation de l'une\
            \ d'entre elles ne compromet pas la fiabilit\xE9 des autres, et qui sont\
            \ con\xE7ues de mani\xE8re \xE0 prot\xE9ger la confidentialit\xE9 des\
            \ donn\xE9es d'authentification."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: PR.AC-1.3
      description: System credentials shall be deactivated after a specified period
        of inactivity unless it would compromise the safe operation of (critical)
        processes.
      annotation: "\u2022\tTo guarantee the safe operation, service accounts should\
        \ be used for running processes and services.\n\u2022\tConsider the use of\
        \ a formal access procedure for external parties."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les identifiants du syst\xE8me doivent \xEAtre d\xE9sactiv\xE9\
            s apr\xE8s une p\xE9riode d'inactivit\xE9 d\xE9termin\xE9e, \xE0 moins\
            \ que cela ne compromette le fonctionnement s\xFBr des processus (critiques)."
          annotation: "\u2022 Pour garantir un fonctionnement s\xFBr, Il convient\
            \ d\u2019utiliser des comptes de service pour les processus et les services\
            \ en cours d'ex\xE9cution. \u2022 Envisagez l'utilisation d'une proc\xE9\
            dure d'acc\xE8s formelle pour les parties externes."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: PR.AC-1.4
      description: "For transactions within the organization's critical systems, the\
        \ organization shall implement:\n\u2022\tmulti-factor end-user authentication\
        \ (MFA or \"strong authentication\").\n\u2022\tcertificate-based authentication\
        \ for system-to-system communications"
      annotation: Consider the use of SSO (Single Sign On) in combination with MFA
        for the organization's internal and external critical systems.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Pour les transactions au sein des syst\xE8mes critiques de\
            \ l'organisation, l'organisation doit mettre en \u0153uvre : \n\u2022\
            \ l'authentification multifactorielle de l'utilisateur final (MFA ou \"\
            authentification forte\"). \n\u2022 authentification bas\xE9e sur des\
            \ certificats pour les communications syst\xE8me \xE0 syst\xE8me"
          annotation: "Envisagez l'utilisation du SSO (Single Sign On) en combinaison\
            \ avec le MFA pour les syst\xE8mes critiques internes et externes de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-1
      ref_id: PR.AC-1.5
      description: "The organization\u2019s critical systems shall be monitored for\
        \ atypical use of system credentials. Credentials associated with significant\
        \ risk shall be disabled."
      annotation: "\u2022\tConsider limiting the number of failed login attempts by\
        \ implementing automatic lockout.\n\u2022\tThe locked account won\u2019t be\
        \ accessible until it has been reset or the account lockout duration elapses."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les syst\xE8mes critiques de l'organisation doivent \xEAtre\
            \ surveill\xE9s pour d\xE9tecter toute utilisation atypique des informations\
            \ d'identification du syst\xE8me. Les identifiants associ\xE9s \xE0 un\
            \ risque important doivent \xEAtre d\xE9sactiv\xE9s."
          annotation: "\u2022 Envisagez de limiter le nombre de tentatives de connexion\
            \ infructueuses en mettant en place un verrouillage automatique. \n\u2022\
            \ Le compte verrouill\xE9 ne sera pas accessible tant qu'il n'aura pas\
            \ \xE9t\xE9 r\xE9initialis\xE9 ou que la dur\xE9e de verrouillage du compte\
            \ ne sera pas \xE9coul\xE9e."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-2
      description: Physical access to assets is managed and protected
      translations:
        fr:
          name: null
          description: "L'acc\xE8s physique aux actifs est g\xE9r\xE9 et prot\xE9\
            g\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: BASIC_PR.AC-2.1
      description: Physical access to the facility, servers and network components
        shall be managed.
      annotation: "\u2022\tConsider to strictly manage keys to access the premises\
        \ and alarm codes. The following rules should be considered:\no\tAlways retrieve\
        \ an employee's keys or badges when they leave the company permanently.\n\
        o\tChange company alarm codes frequently.\no\tNever give keys or alarm codes\
        \ to external service providers (cleaning agents, etc.), unless it is possible\
        \ to trace these accesses and restrict them technically to given time slots.\n\
        \u2022\tConsider to not leaving internal network access outlets accessible\
        \ in public areas. These public places can be waiting rooms, corridors..."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'acc\xE8s physique \xE0 l'installation, aux serveurs et aux\
            \ composants du r\xE9seau doit \xEAtre g\xE9r\xE9."
          annotation: "\u2022 Envisagez de g\xE9rer strictement les cl\xE9s d'acc\xE8\
            s aux locaux et les codes d'alarme. Il convient de prendre en compte les\
            \ r\xE8gles suivantes: \n  o R\xE9cup\xE9rez toujours les cl\xE9s ou les\
            \ badges d'un employ\xE9 lorsqu'il quitte d\xE9finitivement l\u2019organisation.\
            \ \n  o Changez fr\xE9quemment les codes d'alarme de l\u2019organisation.\
            \ \n  o Ne jamais donner de cl\xE9s ou de codes d'alarme \xE0 des prestataires\
            \ ext\xE9rieurs (agents de nettoyage, etc.), sauf s'il est possible de\
            \ tracer ces acc\xE8s et de les limiter techniquement \xE0 des plages\
            \ horaires donn\xE9es. \n\u2022 Envisagez de ne pas laisser les prises\
            \ d'acc\xE8s au r\xE9seau interne accessibles dans les lieux publics.\
            \ Ces lieux publics peuvent \xEAtre des salles d'attente, des couloirs..."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: IMPORTANT_PR.AC-2.2
      description: The management of physical access shall include measures related
        to access in emergency situations.
      annotation: "\u2022\tPhysical access controls may include, for example: lists\
        \ of authorized individuals, identity credentials, escort requirements, guards,\
        \ fences, turnstiles, locks, monitoring of facility access, camera surveillance.\n\
        \u2022\tThe following measures should be considered:\no\tImplement a badge\
        \ system and create different security zones.\no\tLimit physical access to\
        \ servers and network components to authorized personnel.\no\tLog all access\
        \ to servers and network components.\n\u2022\tVisitor access records should\
        \ be maintained, reviewed and acted upon as required."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'acc\xE8s physique doit \xEAtre g\xE9r\xE9, y compris les\
            \ mesures relatives \xE0 l'acc\xE8s dans les situations d'urgence."
          annotation: "\u2022 Les contr\xF4les d'acc\xE8s physiques peuvent inclure,\
            \ par exemple, des listes de personnes autoris\xE9es, des pi\xE8ces d'identit\xE9\
            , des exigences d'escorte, des gardes, des cl\xF4tures, des tourniquets,\
            \ des serrures, la surveillance de l'acc\xE8s aux installations, la surveillance\
            \ par cam\xE9ra. \n\u2022 Il convient d\u2019envisager les mesures suivantes\
            \ : \n  o Mettez en place un syst\xE8me de badges et cr\xE9ez diff\xE9\
            rentes zones de s\xE9curit\xE9. \n  o Limitez l'acc\xE8s physique aux\
            \ serveurs et aux composants du r\xE9seau au personnel autoris\xE9. \n\
            \  o Consigner tous les acc\xE8s aux serveurs et aux composants du r\xE9\
            seau. \n\u2022 Il convient que les enregistrements d'acc\xE8s des visiteurs\
            \ soient conserv\xE9s, examin\xE9s et trait\xE9s selon les besoins."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: PR.AC-2.3
      description: Physical access to critical zones shall be controlled in addition
        to the physical access to the facility.
      annotation: "E.g. production, R&D, organization\u2019s critical systems equipment\
        \ (server rooms\u2026)"
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'acc\xE8s physique aux zones critiques doit \xEAtre contr\xF4\
            l\xE9 en plus de l'acc\xE8s physique \xE0 l'installation."
          annotation: "Par exemple, la production, la R&D, les \xE9quipements des\
            \ syst\xE8mes critiques de l'organisation (salles de serveurs,etc.)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-2
      ref_id: PR.AC-2.4
      description: 'Assets related to critical zones shall be physically protected. '
      annotation: "\u2022\tConsider protecting power equipment, power cabling, network\
        \ cabling, and network access interfaces from accidental damage, disruption,\
        \ and physical tampering.\n\u2022\tConsider implementing redundant and physically\
        \ separated power systems for organization\u2019s critical operations."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les actifs li\xE9s aux zones critiques doivent \xEAtre prot\xE9\
            g\xE9s physiquement."
          annotation: "\u2022 Pensez \xE0 prot\xE9ger les \xE9quipements d'alimentation,\
            \ le c\xE2blage d'alimentation, le c\xE2blage r\xE9seau et les interfaces\
            \ d'acc\xE8s au r\xE9seau contre les dommages accidentels, les perturbations\
            \ et les manipulations physiques. \u2022 Envisagez de mettre en place\
            \ des syst\xE8mes d'alimentation redondants et physiquement s\xE9par\xE9\
            s pour les op\xE9rations critiques de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-3
      description: Remote access is managed
      translations:
        fr:
          name: null
          description: "L'acc\xE8s \xE0 distance est g\xE9r\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: BASIC_PR.AC-3.1
      description: The organisation's wireless access points shall be secured.
      annotation: "Consider the following when wireless networking is used:\n\u2022\
        \tChange the administrative password upon installation of a wireless access\
        \ points.\n\u2022\tSet the wireless access point so that it does not broadcast\
        \ its Service Set Identifier (SSID).\n\u2022\tSet your router to use at least\
        \ WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced\
        \ Encryption Standard (AES) for encryption.\n\u2022\tEnsure that wireless\
        \ internet access to customers is separated from your business network.\n\u2022\
        \tConnecting to unknown or unsecured / guest wireless access points, should\
        \ be avoided, and if unavoidable done through an encrypted virtual private\
        \ network (VPN) capability.\n\u2022\tManage all endpoint devices (fixed and\
        \ mobile) according to the organization's security policies."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les points d'acc\xE8s sans fil de l'organisation doivent \xEA\
            tre s\xE9curis\xE9s."
          annotation: "Tenez compte des \xE9l\xE9ments suivants lorsque vous utilisez\
            \ un r\xE9seau sans fil : \n\u2022 Changez le mot de passe administratif\
            \ lors de l'installation d'un point d'acc\xE8s sans fil. \n\u2022 Configurez\
            \ le point d'acc\xE8s sans fil de mani\xE8re \xE0 ce qu'il ne diffuse\
            \ pas son identifiant (SSID). \n\u2022 Configurez votre routeur pour qu'il\
            \ utilise au moins le WiFi Protected Access (WPA-2 ou WPA-3 si possible),\
            \ avec la norme de cryptage avanc\xE9e (AES) pour le cryptage. \n\u2022\
            \ Veillez \xE0 ce que l'acc\xE8s Internet sans fil des clients soit s\xE9\
            par\xE9 du r\xE9seau de votre organisation. \n\u2022 Il convient d\u2019\
            \xE9viter de se connecter \xE0 des points d'acc\xE8s sans fil inconnus\
            \ ou non s\xE9curis\xE9s, et si cela est in\xE9vitable, il faut le faire\
            \ par le biais d'un r\xE9seau priv\xE9 virtuel (VPN) crypt\xE9. \n\u2022\
            \ G\xE9rer tous les dispositifs d'extr\xE9mit\xE9 (fixes et mobiles) conform\xE9\
            ment aux politiques de s\xE9curit\xE9 de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: BASIC_PR.AC-3.2
      description: '[KEY MEASURE] The organization''s networks when accessed remotely
        shall be secured, including through multi-factor authentication (MFA).'
      annotation: Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email,
        remote desktop, and Virtual Private Network (VPNs).
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les r\xE9seaux de l'organisation auxquels\
            \ on acc\xE8de \xE0 distance doivent \xEAtre s\xE9curis\xE9s, notamment\
            \ par une authentification multifactorielle (MFA)."
          annotation: "Appliquer le MFA (par exemple 2FA) sur les syst\xE8mes en contact\
            \ avec l'Internet, tels que le courrier \xE9lectronique, le bureau \xE0\
            \ distance et le r\xE9seau priv\xE9 virtuel (VPN)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: IMPORTANT_PR.AC-3.3
      description: "[KEY MEASURE] Usage restrictions, connection requirements, implementation\
        \ guidance, and authorizations for remote access to the organization\u2019\
        s critical systems environment shall be identified, documented and implemented. "
      annotation: "Consider the following:\n\u2022\tRemote access methods include,\
        \ for example, wireless, broadband, Virtual Private Network (VPN) connections,\
        \ mobile device connections, and communications through external networks.\n\
        \u2022\tLogin credentials should be in line with company's user authentication\
        \ policies.\n\u2022\tRemote access for support activities or maintenance of\
        \ organizational assets should be approved, logged, and performed in a manner\
        \ that prevents unauthorized access.\n\u2022\tThe user should be made aware\
        \ of any remote connection to its device by a visual indication."
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les restrictions d'utilisation, les exigences\
            \ de connexion, les conseils de mise en \u0153uvre et les autorisations\
            \ d'acc\xE8s \xE0 distance \xE0 l'environnement des syst\xE8mes critiques\
            \ de l'organisation doivent \xEAtre identifi\xE9s, document\xE9s et mis\
            \ en \u0153uvre."
          annotation: "Consid\xE9rez ce qui suit : \n\u2022 Les m\xE9thodes d'acc\xE8\
            s \xE0 distance comprennent, par exemple, des connexions sans fil, \xE0\
            \ large bande, \xE0 un r\xE9seau priv\xE9 virtuel (VPN), des connexions\
            \ de dispositifs mobiles et des communications par des r\xE9seaux externes.\
            \ \n\u2022 Il convient que les identifiants de connexion soient conformes\
            \ aux politiques d'authentification des utilisateurs de l\u2019organisation.\
            \ \n\u2022 Il convient que l'acc\xE8s \xE0 distance pour les activit\xE9\
            s de soutien ou la maintenance des actifs de l'organisation soit approuv\xE9\
            , enregistr\xE9 et effectu\xE9 de mani\xE8re \xE0 emp\xEAcher tout acc\xE8\
            s non autoris\xE9. \n\u2022 Il convient d\u2019informer l'utilisateur\
            \ de toute connexion \xE0 distance \xE0 son appareil par une indication\
            \ visuelle."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: R.AC-3.4
      description: "Remote access to the organization\u2019s critical systems shall\
        \ be monitored and cryptographic mechanisms shall be implemented where determined\
        \ necessary."
      annotation: This should include that only authorized use of privileged functions
        from remote access is allowed.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'acc\xE8s \xE0 distance aux syst\xE8mes critiques de l'organisation\
            \ doit \xEAtre surveill\xE9 et des m\xE9canismes cryptographiques doivent\
            \ \xEAtre mis en \u0153uvre lorsque cela est jug\xE9 n\xE9cessaire."
          annotation: "Il convient d\u2019inclure que seule l'utilisation autoris\xE9\
            e des fonctions privil\xE9gi\xE9es \xE0 partir d'un acc\xE8s \xE0 distance\
            \ est permise."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:r.ac-3.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-3
      ref_id: R.AC-3.5
      description: The security for connections with external systems shall be verified
        and framed by documented agreements.
      annotation: Access from pre-defined IP addresses could be considered.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "La s\xE9curit\xE9 des connexions avec les syst\xE8mes externes\
            \ doit \xEAtre v\xE9rifi\xE9e et encadr\xE9e par des accords document\xE9\
            s."
          annotation: "L'acc\xE8s \xE0 partir d'adresses IP pr\xE9d\xE9finies pourrait\
            \ \xEAtre envisag\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-4
      description: Access permissions and authorizations are managed, incorporating
        the principles of least privilege and separation of duties
      translations:
        fr:
          name: null
          description: "Les permissions et autorisations d'acc\xE8s sont g\xE9r\xE9\
            es en int\xE9grant les principes du moindre privil\xE8ge et de la s\xE9\
            paration des t\xE2ches."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.1
      description: "[KEY MEASURE] Access permissions for users to the organization\u2019\
        s systems shall be defined and managed."
      annotation: "The following should be considered:\n\u2022\tDraw up and review\
        \ regularly access lists per system (files, servers, software, databases,\
        \ etc.), possibly through analysis of the Active Directory in Windows-based\
        \ systems, with the objective of determining who needs what kind of access\
        \ (privileged or not), to what, to perform their duties in the organization.\n\
        \u2022\tSet up a separate account for each user (including any contractors\
        \ needing access) and require that strong, unique passwords be used for each\
        \ account.\n\u2022\tEnsure that all employees use computer accounts without\
        \ administrative privileges to perform typical work functions. This includes\
        \ separation of personal and admin accounts.\n\u2022\tFor guest accounts,\
        \ consider using the minimal privileges (e.g. internet access only) as required\
        \ for your business needs.\n\u2022\tPermission management should be documented\
        \ in a procedure and updated when appropriate.\n\u2022\tUse 'Single Sign On'\
        \ (SSO) when appropriate."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les autorisations d'acc\xE8s des utilisateurs\
            \ aux syst\xE8mes de l'organisation doivent \xEAtre d\xE9finies et g\xE9\
            r\xE9es."
          annotation: "Il convient de consid\xE9rer les \xE9l\xE9ments suivants :\
            \ \n\u2022 \xC9tablir et r\xE9viser r\xE9guli\xE8rement les listes d'acc\xE8\
            s par syst\xE8me (fichiers, serveurs, logiciels, bases de donn\xE9es,\
            \ etc.), \xE9ventuellement par l'analyse de l'Active Directory dans les\
            \ syst\xE8mes bas\xE9s sur Windows, dans le but de d\xE9terminer qui a\
            \ besoin de quel type d'acc\xE8s (privil\xE9gi\xE9 ou non), \xE0 quoi,\
            \ pour exercer ses fonctions dans l'organisation. \n\u2022 Cr\xE9ez un\
            \ compte distinct pour chaque utilisateur (y compris pour les sous-traitants\
            \ ayant besoin d'un acc\xE8s) et exigez que des mots de passe forts et\
            \ uniques soient utilis\xE9s pour chaque compte. \n\u2022 Veillez \xE0\
            \ ce que tous les employ\xE9s utilisent des comptes informatiques sans\
            \ privil\xE8ges administratifs pour effectuer des fonctions de travail\
            \ typiques. Cela inclut la s\xE9paration des comptes personnels et des\
            \ comptes administratifs. \n\u2022 Pour les comptes d'invit\xE9s, envisagez\
            \ d'utiliser les privil\xE8ges minimaux (par exemple, l'acc\xE8s \xE0\
            \ l'Internet uniquement) requis pour vos besoins op\xE9rationnels. \n\u2022\
            \ Il convient que la gestion des autorisations soit document\xE9e dans\
            \ une proc\xE9dure et mise \xE0 jour le cas \xE9ch\xE9ant. \n\u2022 Utilisez\
            \ l'authentification unique (SSO) si n\xE9cessaire."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.2
      description: '[KEY MEASURE] It shall be identified who should have access to
        the organization''s business''s critical information and technology and the
        means to get access.'
      annotation: 'Means to get access may include: a key, password, code, or administrative
        privilege.'
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit identifier qui devrait\
            \ avoir acc\xE8s aux informations et aux technologies critiques de l'organisation\
            \ et les moyens d'y acc\xE9der."
          annotation: "Les moyens d'acc\xE8s peuvent inclure : une cl\xE9, un mot\
            \ de passe, un code ou un privil\xE8ge administratif."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.3
      description: '[KEY MEASURE] Employee access to data and information shall be
        limited to the systems and specific information they need to do their jobs
        (the principle of Least Privilege).'
      annotation: "The principle of Least Privilege should be understood as the principle\
        \ that a security architecture should be designed so that each employee is\
        \ granted the minimum system resources and authorizations that the employee\
        \ needs to perform its function. Consider to:\n\u2022\tNot allow any employee\
        \ to have access to all the business\u2019s information.\n\u2022\tLimit the\
        \ number of Internet accesses and interconnections with partner networks to\
        \ the strict necessary to be able to centralize and homogenize the monitoring\
        \ of exchanges more easily.\n\u2022\tEnsure that when an employee leaves the\
        \ business, all access to the business\u2019s information or systems is blocked\
        \ instantly."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'acc\xE8s des employ\xE9s aux donn\xE9es\
            \ et aux informations doit \xEAtre limit\xE9 aux syst\xE8mes et aux informations\
            \ sp\xE9cifiques dont ils ont besoin pour faire leur travail (principe\
            \ du moindre privil\xE8ge)."
          annotation: "Il convient que le principe du moindre privil\xE8ge soit compris\
            \ comme le principe selon lequel une architecture de s\xE9curit\xE9 doit\
            \ \xEAtre con\xE7ue de mani\xE8re \xE0 ce que chaque employ\xE9 se voie\
            \ accorder les ressources syst\xE8me et les autorisations minimales dont\
            \ il a besoin pour exercer sa fonction. \n\u2022 \xC0 consid\xE9rer: \n\
            o Ne pas permettre \xE0 un employ\xE9 d'avoir acc\xE8s \xE0 toutes les\
            \ informations de l'organisation. \no Limiter le nombre d'acc\xE8s Internet\
            \ et d'interconnexions avec les r\xE9seaux partenaires au strict n\xE9\
            cessaire pour pouvoir centraliser et homog\xE9n\xE9iser plus facilement\
            \ le suivi des \xE9changes. \no Assurez-vous que lorsqu'un employ\xE9\
            \ quitte l'organisation, tout acc\xE8s aux informations ou aux syst\xE8\
            mes de l'organisation est bloqu\xE9 instantan\xE9ment."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-4.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: BASIC_PR.AC-4.4
      description: '[KEY MEASURE] Nobody shall have administrator privileges for daily
        tasks.'
      annotation: "Consider the following:\n\u2022\tSeparate administrator accounts\
        \ from user accounts.\n\u2022\tDo not privilege user accounts to effectuate\
        \ administration tasks.\n\u2022\tCreate unique local administrator passwords\
        \ and disable unused accounts.\n\u2022\tConsider prohibiting Internet browsing\
        \ from administrative accounts."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Personne ne doit avoir de privil\xE8ges d'administrateur\
            \ pour les t\xE2ches quotidiennes."
          annotation: "Consid\xE9rez ce qui suit :\n\u2022 S\xE9parez les comptes\
            \ d'administrateur des comptes d'utilisateur. \n\u2022 Ne pas privil\xE9\
            gier les comptes d'utilisateurs pour effectuer les t\xE2ches d'administration.\
            \ \n\u2022 Cr\xE9ez des mots de passe uniques pour les administrateurs\
            \ locaux et d\xE9sactivez les comptes inutilis\xE9s. \n\u2022 Envisagez\
            \ d'interdire la navigation sur Internet aux comptes administratifs."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: IMPORTANT_PR.AC-4.5
      description: Where feasible, automated mechanisms shall be implemented to support
        the management of user accounts on the organisation's critical systems, including
        disabling, monitoring, reporting and deleting user accounts.
      annotation: Consider separately identifying each person with access to the organization's
        critical systems with a username to remove generic and anonymous accounts
        and access.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Dans la mesure du possible, des m\xE9canismes automatis\xE9\
            s doivent \xEAtre mis en \u0153uvre pour prendre en charge la gestion\
            \ des comptes d'utilisateurs sur les syst\xE8mes critiques de l'organisation,\
            \ y compris la d\xE9sactivation, la surveillance, l'\xE9tablissement de\
            \ rapports et la suppression des comptes d'utilisateurs."
          annotation: "Envisagez d'identifier s\xE9par\xE9ment chaque personne ayant\
            \ acc\xE8s aux syst\xE8mes critiques de l'organisation avec un nom d'utilisateur\
            \ afin de supprimer les comptes et les acc\xE8s g\xE9n\xE9riques et anonymes."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: IMPORTANT_PR.AC-4.6
      description: Separation of duties (SoD) shall be ensured in the management of
        access rights.
      annotation: "Separation of duties includes, for example:\n\u2022\tdividing operational\
        \ functions and system support functions among different roles.\n\u2022\t\
        conducting system support functions with different individuals.\n\u2022\t\
        not allow a single individual to both initiate and approve a transaction (financial\
        \ or otherwise).\n\u2022\tensuring that security personnel administering access\
        \ control functions do not also administer audit functions."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La s\xE9paration des t\xE2ches est assur\xE9e dans la gestion\
            \ des droits d'acc\xE8s."
          annotation: "La s\xE9paration des t\xE2ches comprend, par exemple : \n\u2022\
            \ la r\xE9partition des fonctions op\xE9rationnelles et des fonctions\
            \ de soutien du syst\xE8me entre diff\xE9rents r\xF4les. \n\u2022 mener\
            \ des fonctions de soutien du syst\xE8me avec diff\xE9rentes personnes.\
            \ \n\u2022 ne pas permettre \xE0 une seule personne d'initier et d'approuver\
            \ une transaction (financi\xE8re ou autre). \n\u2022 s'assurer que le\
            \ personnel de s\xE9curit\xE9 qui g\xE8re les fonctions de contr\xF4le\
            \ d'acc\xE8s ne g\xE8re pas \xE9galement les fonctions d'audit."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-4.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: IMPORTANT_PR.AC-4.7
      description: Priviliged users shall be managed and monitored.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les utilisateurs privil\xE9gi\xE9s doivent \xEAtre g\xE9r\xE9\
            s et surveill\xE9s."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: PR.AC-4.8
      description: Account usage restrictions for specific time periods and locations
        shall be taken into account in the organization's security access policy and
        applied accordingly.
      annotation: Specific restrictions can include, for example, restricting usage
        to certain days of the week, time of day, or specific durations of time.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les restrictions d'utilisation des comptes pour des p\xE9\
            riodes et des lieux sp\xE9cifiques doivent \xEAtre prises en compte dans\
            \ la politique d'acc\xE8s s\xE9curis\xE9 de l'organisation et appliqu\xE9\
            es en cons\xE9quence."
          annotation: "Les restrictions sp\xE9cifiques peuvent inclure, par exemple,\
            \ la limitation de l'utilisation \xE0 certains jours de la semaine, \xE0\
            \ certaines heures de la journ\xE9e ou \xE0 des dur\xE9es sp\xE9cifiques."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4.9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-4
      ref_id: PR.AC-4.9
      description: Priviliged users shall be managed,  monitored and audited.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les utilisateurs privil\xE9gi\xE9s doivent \xEAtre g\xE9r\xE9\
            s, surveill\xE9s et audit\xE9s."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-5
      description: Network integrity is protected (e.g., network segregation, network
        segmentation)
      translations:
        fr:
          name: null
          description: "L'int\xE9grit\xE9 du r\xE9seau (s\xE9paration du r\xE9seau,\
            \ segmentation du r\xE9seau...) est prot\xE9g\xE9e."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: BASIC_PR.AC-5.1
      description: '[KEY MEASURE] Firewalls shall be installed and activated on all
        the organization''s networks.'
      annotation: "Consider the following:\n\u2022\tInstall and operate a firewall\
        \ between your internal network and the Internet. This may be a function of\
        \ a (wireless) access point/router, or it may be a function of a router provided\
        \ by the Internet Service Provider (ISP).\n\u2022\tEnsure there is antivirus\
        \ software installed on purchased firewall solutions and ensure that the administrator\u2019\
        s log-in and administrative password is changed upon installation and regularly\
        \ thereafter.\n\u2022\tInstall, use, and update a software firewall on each\
        \ computer system (including smart phones and other networked devices).\n\u2022\
        \tHave firewalls on each of your computers and networks even if you use a\
        \ cloud service provider or a virtual private network (VPN). Ensure that for\
        \ telework home network and systems have hardware and software firewalls installed,\
        \ operational, and regularly updated.\n\u2022\tConsider installing an Intrusion\
        \ Detection / Prevention System (IDPS). These devices analyze network traffic\
        \ at a more detailed level and can provide a greater level of protection."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Des pare-feu doivent \xEAtre install\xE9s\
            \ et activ\xE9s sur tous les r\xE9seaux de l'organisation."
          annotation: "Consid\xE9rez ce qui suit : \n\u2022 Installez et faites fonctionner\
            \ un pare-feu entre votre r\xE9seau interne et l'Internet. Il peut s'agir\
            \ d'une fonction d'un point d'acc\xE8s/routeur (sans fil) ou d'un routeur\
            \ fourni par le fournisseur d'acc\xE8s Internet (FAI). \n\u2022 Assurez-vous\
            \ qu'un logiciel antivirus est install\xE9 sur les solutions de pare-feu\
            \ achet\xE9es et veillez \xE0 ce que le mot de passe de connexion et d'administration\
            \ de l'administrateur soit modifi\xE9 lors de l'installation et r\xE9\
            guli\xE8rement par la suite.\n\u2022 Installez, utilisez et mettez \xE0\
            \ jour un pare-feu logiciel sur chaque syst\xE8me informatique (y compris\
            \ les t\xE9l\xE9phones intelligents et autres appareils en r\xE9seau).\
            \ \n\u2022 Installez des pare-feu sur chacun de vos ordinateurs et r\xE9\
            seaux, m\xEAme si vous utilisez un fournisseur de services en nuage ou\
            \ un r\xE9seau priv\xE9 virtuel (VPN). Assurez-vous que le r\xE9seau et\
            \ les syst\xE8mes de votre domicile de t\xE9l\xE9travail sont \xE9quip\xE9\
            s de pare-feu mat\xE9riels et logiciels install\xE9s, op\xE9rationnels\
            \ et r\xE9guli\xE8rement mis \xE0 jour. \n\u2022 Envisagez d'installer\
            \ un syst\xE8me de d\xE9tection et de pr\xE9vention des intrusions (IDPS).\
            \ Ces dispositifs analysent le trafic r\xE9seau \xE0 un niveau plus d\xE9\
            taill\xE9 et peuvent fournir un plus grand niveau de protection."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ac-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: BASIC_PR.AC-5.2
      description: '[KEY MEASURE] Where appropriate, network integrity of the organization''s
        critical systems shall be protected by incorporating network segmentation
        and segregation.'
      annotation: "\u2022\tConsider creating different security zones in the network\
        \ (e.g. Basic network segmentation through VLAN\u2019s or other network access\
        \ control mechanisms) and control/monitor the traffic between these zones.\n\
        \u2022\tWhen the network is \"flat\", the compromise of a vital network component\
        \ can lead to the compromise of the entire network."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Le cas \xE9ch\xE9ant, l'int\xE9grit\xE9 du\
            \ r\xE9seau des syst\xE8mes critiques de l'organisation doit \xEAtre prot\xE9\
            g\xE9e par l'int\xE9gration de la segmentation et de la s\xE9gr\xE9gation\
            \ du r\xE9seau."
          annotation: "\u2022 Envisagez de cr\xE9er diff\xE9rentes zones de s\xE9\
            curit\xE9 dans le r\xE9seau (par exemple, segmentation de base du r\xE9\
            seau par des VLAN ou d'autres m\xE9canismes de contr\xF4le d'acc\xE8s\
            \ au r\xE9seau) et contr\xF4lez/surveillez le trafic entre ces zones.\
            \ \n\u2022 Lorsque le r\xE9seau est \"plat\", la compromission d'un composant\
            \ vital du r\xE9seau peut entra\xEEner la compromission de l'ensemble\
            \ du r\xE9seau."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: IMPORTANT_PR.AC-5.3
      description: '[KEY MEASURE] Where appropriate, network integrity of the organization''s
        critical systems shall be protected by

        (1) Identifying, documenting, and controlling connections between system components.

        (2) Limiting external connections to the organization''s critical systems.'
      annotation: Boundary protection mechanisms include, for example, routers, gateways,
        unidirectional gateways, data diodes, and firewalls separating system components
        into logically separate networks or subnetworks.
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Le cas \xE9ch\xE9ant, l'int\xE9grit\xE9 du\
            \ r\xE9seau des syst\xE8mes critiques de l'organisation doit \xEAtre prot\xE9\
            g\xE9e par : (1) Identifier, documenter et contr\xF4ler les connexions\
            \ entre les composants du syst\xE8me. (2) Limiter les connexions externes\
            \ aux syst\xE8mes critiques de l'organisation."
          annotation: "Les m\xE9canismes de protection des limites comprennent, par\
            \ exemple, les routeurs, les gateways, les gateways unidirectionnelles,\
            \ les data diodes et les pare-feu qui s\xE9parent les composants du syst\xE8\
            me en r\xE9seaux ou sous-r\xE9seaux logiquement distincts."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-5.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: IMPORTANT_PR.AC-5.4
      description: '[KEY MEASURE] The organization shall monitor and control connections
        and communications at the external boundary and at key internal boundaries
        within the organization''s critical systems by implementing boundary protection
        devices where appropriate. '
      annotation: "Consider implementing the following recommendations:\n\u2022\t\
        Separate your public WIFI network from your business network.\n\u2022\tProtect\
        \ your business WIFI with state-of-the-art encryption.\n\u2022\tImplement\
        \ a Network Access Control (NAC) solution.\n\u2022\tEncrypt connections to\
        \ your corporate network.\n\u2022\tDivide your network according to security\
        \ levels and apply firewall rules. Isolate your networks for server administration.\n\
        \u2022\tForce VPN on public networks.\n\u2022\tImplement a closed policy for\
        \ security gateways (deny all policy: only allow/open connections that have\
        \ been explicitly pre-authorized)."
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit surveiller et contr\xF4\
            ler les connexions et les communications \xE0 la fronti\xE8re externe\
            \ et aux principales fronti\xE8res internes des syst\xE8mes critiques\
            \ de l'organisation en mettant en \u0153uvre des dispositifs de protection\
            \ des fronti\xE8res, le cas \xE9ch\xE9ant."
          annotation: "Envisagez de mettre en \u0153uvre les recommandations suivantes\
            \ : \n\u2022 S\xE9parez votre r\xE9seau WIFI public de votre r\xE9seau\
            \ professionnel. \n\u2022 Prot\xE9gez votre WIFI professionnel gr\xE2\
            ce \xE0 un cryptage de pointe. \n\u2022 Mettre en \u0153uvre une solution\
            \ de contr\xF4le d'acc\xE8s au r\xE9seau (NAC). \n\u2022 Cryptez les connexions\
            \ \xE0 votre r\xE9seau d'organisation. \n\u2022 Divisez votre r\xE9seau\
            \ en fonction des niveaux de s\xE9curit\xE9 et appliquez des r\xE8gles\
            \ de pare-feu. Isolez vos r\xE9seaux pour l'administration des serveurs.\
            \ \n\u2022 Forcer le VPN sur les r\xE9seaux publics. \n\u2022 Mettez en\
            \ \u0153uvre une politique de fermeture des gateways de s\xE9curit\xE9\
            \ (politique de refus de tout : n'autorisez/ouvrez que les connexions\
            \ qui ont \xE9t\xE9 explicitement pr\xE9autoris\xE9es)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: PR.AC-5.5
      description: The organization shall implement, where feasible, authenticated
        proxy servers for defined communications traffic between the organization's
        critical systems and external networks.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre, dans la mesure du\
            \ possible, des serveurs proxy authentifi\xE9s pour le trafic de communication\
            \ d\xE9fini entre les syst\xE8mes critiques de l'organisation et les r\xE9\
            seaux externes."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-5
      ref_id: PR.AC-5.6
      description: The organization shall ensure that the organization's critical
        systems fail safely when a border protection device fails operationally.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que les syst\xE8mes critiques\
            \ de l'organisation tombent en panne en toute s\xE9curit\xE9 lorsqu'un\
            \ dispositif de protection des fronti\xE8res tombe en panne op\xE9rationnelle."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-6
      description: Identities are proofed and bound to credentials and asserted in
        interactions
      translations:
        fr:
          name: null
          description: "Les identit\xE9s sont prouv\xE9es et li\xE9es aux identifiants\
            \ et pr\xE9sent\xE9es dans les interactions."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6
      ref_id: IMPORTANT_PR.AC-6.1
      description: The organization shall implement documented procedures for verifying
        the identity of individuals before issuing credentials that provide access
        to organization's systems.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des proc\xE9dures\
            \ document\xE9es pour v\xE9rifier l'identit\xE9 des personnes avant de\
            \ d\xE9livrer des identifiants donnant acc\xE8s aux syst\xE8mes de l'organisation."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-6
      ref_id: PR.AC-6.2
      description: The organization shall ensure the use of unique credentials bound
        to each verified user, device, and process interacting with the organization's
        critical systems; make sure that they are authenticated, and that the unique
        identifiers are captured when performing system interactions.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit garantir l'utilisation d'identifiants\
            \ uniques li\xE9s \xE0 chaque utilisateur, dispositif et processus v\xE9\
            rifi\xE9 interagissant avec les syst\xE8mes critiques de l'organisation\
            \ ; s'assurer qu'ils sont authentifi\xE9s et que les identifiants uniques\
            \ sont captur\xE9s lors des interactions avec le syst\xE8me."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac
      ref_id: PR.AC-7
      description: "Users, devices, and other assets are authenticated (e.g., single-factor,\
        \ multi-factor) commensurate with the risk of the transaction (e.g., individuals\u2019\
        \ security and privacy risks and other organizational risks)"
      translations:
        fr:
          name: null
          description: "Les utilisateurs, les appareils et les autres actifs sont\
            \ authentifi\xE9s (par exemple, \xE0 un seul facteur, \xE0 plusieurs facteurs)\
            \ en fonction du risque de la transaction (par exemple, les risques pour\
            \ la s\xE9curit\xE9 et la confidentialit\xE9 des individus et d\u2019\
            autres risques organisationnels)"
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ac-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ac-7
      ref_id: IMPORTANT_PR.AC-7.1
      description: "[KEY MEASURE for ESSENTIAL] The organization shall perform a documented\
        \ risk assessment on organization's critical system transactions and authenticate\
        \ users, devices, and other assets (e.g., single-factor, multi-factor) commensurate\
        \ with the risk of the transaction (e.g., individuals\u2019 security and privacy\
        \ risks and other organizational risks)."
      annotation: Consider a security-by-design approach for new systems; For existing
        systems a separate risk assessment should be used.
      implementation_groups:
      - I
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit effectuer une \xE9valuation\
            \ des risques document\xE9e sur les transactions des syst\xE8mes critiques\
            \ de l'organisation et authentifier les utilisateurs, les dispositifs\
            \ et les autres actifs (par exemple, \xE0 un ou plusieurs facteurs) en\
            \ fonction du risque de la transaction (par exemple, les risques pour\
            \ la s\xE9curit\xE9 et la vie priv\xE9e des individus et les autres risques\
            \ pour l'organisation)."
          annotation: "Envisagez une approche de s\xE9curit\xE9 par la conception\
            \ pour les nouveaux syst\xE8mes ; pour les syst\xE8mes existants, il convient\
            \ d\u2019utiliser une \xE9valuation des risques distincte."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.AT
      name: Awareness and Training
      description: "The organization\u2019s personnel and partners are provided cybersecurity\
        \ awareness education and are trained to perform their cybersecurity-related\
        \ duties and responsibilities consistent with related policies, procedures,\
        \ and agreements."
      translations:
        fr:
          name: 'Sensibilisation et formation '
          description: "Le personnel et les partenaires de l'organisation re\xE7oivent\
            \ une formation de sensibilisation \xE0 la cybers\xE9curit\xE9 et sont\
            \ form\xE9s \xE0 l'ex\xE9cution de leurs t\xE2ches et responsabilit\xE9\
            s li\xE9es \xE0 la cybers\xE9curit\xE9, conform\xE9ment aux politiques,\
            \ proc\xE9dures et accords connexes."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-1
      description: 'All users are informed and trained '
      translations:
        fr:
          name: null
          description: "Tous les utilisateurs sont inform\xE9s et entrain\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.at-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      ref_id: BASIC_PR.AT-1.1
      description: Employees shall be trained as appropriate.
      annotation: "\u2022\tEmployees include all users and managers of the ICT/OT\
        \ systems, and they should be trained immediately when hired and regularly\
        \ thereafter about the company\u2019s information security policies and what\
        \ they will be expected to do to protect company\u2019s business information\
        \ and technology.\n\u2022\tTraining should be continually updated and reinforced\
        \ by awareness campaigns."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les employ\xE9s doivent \xEAtre form\xE9s de mani\xE8re appropri\xE9\
            e."
          annotation: "\u2022 Les employ\xE9s comprennent tous les utilisateurs et\
            \ les gestionnaires des syst\xE8mes TIC/OT, et il convient qu\u2019ils\
            \ soient form\xE9s d\xE8s leur embauche, puis r\xE9guli\xE8rement, aux\
            \ politiques de s\xE9curit\xE9 de l'information de l'organisation et \xE0\
            \ ce qu'on attend d'eux pour prot\xE9ger les informations et les technologies\
            \ de l'organisation. \n\u2022 Il convient que la formation soit continuellement\
            \ mise \xE0 jour et renforc\xE9e par des campagnes de sensibilisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      ref_id: IMPORTANT_PR.AT-1.2
      description: The organization shall incorporate insider threat recognition and
        reporting into security awareness training.
      annotation: "Consider to:\n\u2022\tCommunicate and discuss regularly to ensure\
        \ that everyone is aware of their responsibilities.\n\u2022\tDevelop an outreach\
        \ program by gathering in a document the messages you want to convey to your\
        \ staff (topics, audiences, objectives, etc.) and your communication rhythm\
        \ on a calendar (weekly, monthly, one-time, etc.). Communicate continuously\
        \ and in an engaging way, involving management, IT colleagues, the ICT service\
        \ provider and HR and Communication managers.\n\u2022\tCover topics such as:\
        \ recognition of fraud attempts, phishing, management of sensitive information,\
        \ incidents, etc. The goal is for all employees to understand ways to protect\
        \ company information.\n\u2022\tDiscuss with your management, your ICT colleagues,\
        \ or your ICT service provider some practice scenarios (e.g. what to do if\
        \ a virus alert is triggered, if a storm cuts off the power, if data is blocked,\
        \ if an account is hacked, etc.), determine what behaviours to adopt, document\
        \ and communicate them to all your staff. The central point of contact in\
        \ the event of an incident should be known to all.\n\u2022\tOrganize a simulation\
        \ of a scenario to test your knowledge. Consider performing the exercise for\
        \ example at least once a year."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit int\xE9grer la reconnaissance et le signalement\
            \ des menaces internes dans la formation \xE0 la s\xE9curit\xE9."
          annotation: "\xC0 consid\xE9rer : \n\u2022 Communiquez et discutez r\xE9\
            guli\xE8rement afin de vous assurer que chacun est conscient de ses responsabilit\xE9\
            s. \n\u2022 D\xE9veloppez un programme de sensibilisation en rassemblant\
            \ dans un document les messages que vous souhaitez transmettre \xE0 votre\
            \ personnel (sujets, publics, objectifs, etc.) et votre rythme de communication\
            \ sur un calendrier (hebdomadaire, mensuel, ponctuel, etc.). Communiquez\
            \ de mani\xE8re continue et engageante, en impliquant la direction, les\
            \ coll\xE8gues informaticiens, le fournisseur de services TIC et les responsables\
            \ des RH et de la communication. \n\u2022 Les sujets abord\xE9s sont les\
            \ suivants : reconnaissance des tentatives de fraude, hame\xE7onnage,\
            \ gestion des informations sensibles, incidents, etc. L'objectif est que\
            \ tous les employ\xE9s comprennent les moyens de prot\xE9ger les informations\
            \ de l'organisation. \n\u2022 Discutez avec votre direction, vos coll\xE8\
            gues des TIC ou votre fournisseur de services TIC de certains sc\xE9narios\
            \ pratiques (par exemple, que faire en cas d'alerte au virus, de coupure\
            \ de courant due \xE0 un orage, de blocage des donn\xE9es, de piratage\
            \ d'un compte, etc.), d\xE9terminez les comportements \xE0 adopter, documentez-les\
            \ et communiquez-les \xE0 l'ensemble de votre personnel. Il convient que\
            \ le point de contact central en cas d'incident soit connu de tous. \n\
            \u2022 Organisez une simulation d'un sc\xE9nario pour tester vos connaissances.\
            \ Envisagez de r\xE9aliser cet exercice, par exemple, au moins une fois\
            \ par an."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-1
      ref_id: PR.AT-1.3
      description: The organization shall implement an evaluation method to measure
        the effectiveness of the awareness trainings.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre une m\xE9thode d'\xE9\
            valuation pour mesurer l'efficacit\xE9 des formations de sensibilisation."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-2
      description: 'Privileged users understand their roles and responsibilities '
      translations:
        fr:
          name: null
          description: " Les utilisateurs privil\xE9gi\xE9s comprennent leurs r\xF4\
            les et leurs responsabilit\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-2
      ref_id: IMPORTANT_PR.AT-2.1
      description: Privileged users shall be qualified before privileges are granted,
        and these users shall be able to demonstrate the understanding of their roles,
        responsibilities, and authorities.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les utilisateurs privil\xE9gi\xE9s doivent \xEAtre qualifi\xE9\
            s avant que les privil\xE8ges ne leurs soient accord\xE9s, et ces utilisateurs\
            \ doivent pouvoir d\xE9montrer qu'ils comprennent leurs r\xF4les, leurs\
            \ responsabilit\xE9s et leurs pouvoirs."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-3
      description: 'Third-party stakeholders (e.g., suppliers, customers, partners)
        understand their roles and responsibilities '
      translations:
        fr:
          name: null
          description: "Les parties prenantes tierces (par exemple, les fournisseurs,\
            \ les clients, les partenaires) comprennent leurs r\xF4les et responsabilit\xE9\
            s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: IMPORTANT_PR.AT-3.1
      description: "The organization shall establish and enforce security requirements\
        \ for business-critical third-party providers and users.\t"
      annotation: "Enforcement should include that \u2018third party stakeholder\u2019\
        -users (e.g. suppliers, customers, partners) can demonstrate the understanding\
        \ of their roles and responsibilities."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit \xE9tablir et appliquer des exigences\
            \ de s\xE9curit\xE9 pour les fournisseurs et les utilisateurs tiers essentiels\
            \ \xE0 l'organisation."
          annotation: "Il convient que la mise en application inclue le fait que les\
            \ utilisateurs des \"parties prenantes tierces\" (par exemple, les fournisseurs,\
            \ les clients, les partenaires) puissent d\xE9montrer qu'ils comprennent\
            \ leurs r\xF4les et leurs responsabilit\xE9s."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: IMPORTANT_PR.AT-3.2
      description: "Third-party providers shall be required to notify any personnel\
        \ transfers, termination, or transition involving personnel with physical\
        \ or logical access to organization's business critical system's components.\t"
      annotation: Third-party providers include, for example, service providers, contractors,
        and other organizations providing system development, technology services,
        outsourced applications, or network and security management.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les fournisseurs tiers sont tenus de notifier tout transfert,\
            \ licenciement ou transition de personnel ayant un acc\xE8s physique ou\
            \ logique aux composants des syst\xE8mes critiques de l'organisation."
          annotation: "Les fournisseurs tiers comprennent, par exemple, des prestataires\
            \ de services, des entrepreneurs et d'autres organisations fournissant\
            \ le d\xE9veloppement de syst\xE8mes, des services technologiques, des\
            \ applications externalis\xE9es ou la gestion du r\xE9seau et de la s\xE9\
            curit\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: IMPORTANT_PR.AT-3.3
      description: The organization shall monitor business critical service providers
        and users for security compliance.
      annotation: Third party audit results can be used as audit evidence.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit contr\xF4ler les fournisseurs de services\
            \ et les utilisateurs critiques pour l'organisation en mati\xE8re de conformit\xE9\
            \ \xE0 la s\xE9curit\xE9."
          annotation: "Les r\xE9sultats d'audits r\xE9alis\xE9s par des tiers peuvent\
            \ \xEAtre utilis\xE9s comme preuves d'audit."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-3
      ref_id: PR.AT-3.4
      description: The organization shall audit business-critical external service
        providers for security compliance.
      annotation: Third party audit results can be used as audit evidence.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit auditer les fournisseurs de services externes\
            \ critiques pour l'organisation afin de v\xE9rifier leur conformit\xE9\
            \ en mati\xE8re de s\xE9curit\xE9."
          annotation: "Les r\xE9sultats d'audits r\xE9alis\xE9s par des tiers peuvent\
            \ \xEAtre utilis\xE9s comme preuves d'audit."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-4
      description: 'Senior executives understand their roles and responsibilities '
      translations:
        fr:
          name: null
          description: "Les cadres sup\xE9rieurs comprennent leurs r\xF4les et responsabilit\xE9\
            s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-4
      ref_id: IMPORTANT_PR.AT-4.1
      description: Senior executives shall demonstrate the understanding of their
        roles, responsibilities, and authorities.
      annotation: Guidance on role profiles along with their identified titles, missions,
        tasks, skills, knowledge, competences is available in the "European Cybersecurity
        Skills Framework Role Profiles" by ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles
        )
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les cadres sup\xE9rieurs doivent d\xE9montrer qu'ils comprennent\
            \ leurs r\xF4les, leurs responsabilit\xE9s et leurs pouvoirs."
          annotation: "Des conseils sur les profils de r\xF4le ainsi que leurs titres,\
            \ missions, t\xE2ches, aptitudes, connaissances et comp\xE9tences sont\
            \ disponibles dans le document \"European Cybersecurity Skills Framework\
            \ Role Profiles\" de ENISA. (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles\
            \ )"
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at
      ref_id: PR.AT-5
      description: 'Physical and cybersecurity personnel understand their roles and
        responsibilities '
      translations:
        fr:
          name: null
          description: "Le personnel de la s\xE9curit\xE9 physique et de la cybers\xE9\
            curit\xE9 comprend ses r\xF4les et responsabilit\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.at-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.at-5
      ref_id: IMPORTANT_PR.AT-5.1
      description: The organization shall ensure that personnel responsible for the
        physical protection and security of the organization's critical systems and
        facilities are qualified through training before privileges are granted, and
        that they understand their responsibilities.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que le personnel responsable\
            \ de la protection physique et de la s\xE9curit\xE9 des syst\xE8mes et\
            \ installations critiques de l'organisation est qualifi\xE9 par une formation\
            \ avant que des privil\xE8ges ne soient accord\xE9s, et qu'il comprend\
            \ ses responsabilit\xE9s."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.DS
      name: Data Security
      description: "Information and records (data) are managed consistent with the\
        \ organization\u2019s risk strategy to protect the confidentiality, integrity,\
        \ and availability of information."
      translations:
        fr:
          name: "S\xE9curit\xE9 des donn\xE9es "
          description: "Les informations et les enregistrements (donn\xE9es) sont\
            \ g\xE9r\xE9s conform\xE9ment \xE0 la strat\xE9gie de l'organisation en\
            \ mati\xE8re de risques afin de prot\xE9ger la confidentialit\xE9, l'int\xE9\
            grit\xE9 et la disponibilit\xE9 des informations."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-1
      description: Data-at-rest is protected
      translations:
        fr:
          name: null
          description: "Les donn\xE9es au repos sont prot\xE9g\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-1
      ref_id: PR.DS-1.1
      description: "The organization shall protect its critical system information\
        \ determined to be critical/ sensitive while at rest.\t"
      annotation: "\u2022\tConsider using encryption techniques for data storage,\
        \ data transmission or data transport (e.g., laptop, USB).\n\u2022\tConsider\
        \ encrypting end-user devices and removable media containing sensitive data\
        \ (e.g. hard disks, laptops, mobile device, USB storage devices, \u2026).\
        \ This could be done by e.g. Windows BitLocker\xAE, VeraCrypt,  Apple FileVault\xAE\
        , Linux\xAE dm-crypt,\u2026\n\u2022\tConsider encrypting sensitive data stored\
        \ in the cloud. The below measures should be considered:\n\u2022\tImplement\
        \ dedicated safeguards to prevent unauthorized access, distortion, or modification\
        \ of system data and audit records (e.g. restricted access rights, daily backups,\
        \ data encryption, firewall installation).\n\u2022\tEncrypt hard drives, external\
        \ media, stored files, configuration files and data stored in the cloud."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisme doit prot\xE9ger ses informations critiques du\
            \ syst\xE8me d\xE9termin\xE9es comme \xE9tant critiques/sensibles lorsqu'elles\
            \ sont au repos."
          annotation: "\u2022 Envisagez d'utiliser des techniques de cryptage pour\
            \ le stockage des donn\xE9es, la transmission des donn\xE9es ou le transport\
            \ des donn\xE9es (par exemple, ordinateur portable, USB). \u2022 Envisagez\
            \ de crypter les appareils des utilisateurs finaux et les supports amovibles\
            \ contenant des donn\xE9es sensibles (disques durs, ordinateurs portables,\
            \ appareils mobiles, p\xE9riph\xE9riques de stockage USB, etc.) Cela peut\
            \ \xEAtre fait par exemple avec Windows BitLocker\xAE, VeraCrypt, Apple\
            \ FileVault\xAE, Linux\xAE dm-crypt, ... \n\u2022 Envisagez de crypter\
            \ les donn\xE9es sensibles stock\xE9es dans le nuage. \n\u2022 Mettre\
            \ en \u0153uvre des mesures de protection sp\xE9cifiques pour emp\xEA\
            cher l'acc\xE8s non autoris\xE9, la d\xE9formation ou la modification\
            \ des donn\xE9es du syst\xE8me et des enregistrements d'audit (par exemple,\
            \ droits d'acc\xE8s restreints, sauvegardes quotidiennes, cryptage des\
            \ donn\xE9es, installation de pare-feu). \n\u2022 Chiffrez les disques\
            \ durs, les supports externes, les fichiers stock\xE9s, les fichiers de\
            \ configuration et les donn\xE9es stock\xE9es dans le nuage."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-2
      description: Data-in-transit is protected
      translations:
        fr:
          name: null
          description: "Les donn\xE9es en transit sont prot\xE9g\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-2
      ref_id: PR.DS-2.1
      description: The organization shall protect its critical system information
        determined to be critical when in transit.
      annotation: When the organization often sends sensitive documents or e-mails,
        it is recommended to encrypt those documents and/or e-mails with appropriate,
        supported, and authorized software tools. If you send sensitive documents
        or emails, you may want to consider encrypting those documents and/or emails
        with appropriate, supported, and authorized software tools.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit prot\xE9ger les informations de ses syst\xE8\
            mes jug\xE9es critiques lorsqu'elles sont en transit."
          annotation: Si vous envoyez des documents ou des courriels sensibles, vous
            pouvez envisager de les crypter.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-3
      description: Assets are formally managed throughout removal, transfers, and
        disposition
      translations:
        fr:
          name: null
          description: "Les actifs sont g\xE9r\xE9s de mani\xE8re formelle tout au\
            \ long de leur retrait, de leur transfert et de leur mise \xE0 disposition."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ds-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: BASIC_PR.DS-3.1
      description: Assets and media shall be disposed of safely.
      annotation: "\u2022\tWhen eliminating tangible assets like business computers/laptops,\
        \ servers, hard drive(s) and other storage media (USB drives, paper\u2026\
        ), ensure that all   sensitive business or personal data are securely deleted\
        \ (i.e. electronically \u201Cwiped\u201D) before they are removed and then\
        \ physically destroyed (or re-commissioned). This is also known as \u201C\
        sanitization\u201D and thus related to the requirement and guidance in PR.IP-6.\n\
        \u2022\tConsider installing a remote-wiping application on company laptops,\
        \ tablets, cell phones, and other mobile devices."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les actifs et les supports doivent \xEAtre \xE9limin\xE9s\
            \ de mani\xE8re s\xFBre."
          annotation: "\u2022 Lors de l'\xE9limination d'actifs tangibles tels que\
            \ les ordinateurs professionnels/portables, les serveurs, le(s) disque(s)\
            \ dur(s) et autres supports de stockage (cl\xE9s USB, papier...), assurez-vous\
            \ que toutes les donn\xE9es professionnelles ou personnelles sensibles\
            \ sont supprim\xE9es de mani\xE8re s\xE9curis\xE9e (c'est-\xE0-dire \"\
            effac\xE9es\" \xE9lectroniquement) avant d'\xEAtre retir\xE9es et ensuite\
            \ physiquement d\xE9truites (ou remises en service). Cette op\xE9ration\
            \ est \xE9galement connue sous le nom de \"assainissement\" et est donc\
            \ li\xE9e \xE0 l'exigence et aux conseils de PR.IP-6. \n\u2022 Envisager\
            \ d'installer une application d'effacement \xE0 distance sur les ordinateurs\
            \ portables, les tablettes, les t\xE9l\xE9phones portables et autres appareils\
            \ mobiles de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: IMPORTANT_PR.DS-3.2
      description: The organization shall enforce accountability for all its business-critical
        assets throughout the system lifecycle, including removal, transfers, and
        disposition.
      annotation: "Accountability should include:\n\u2022\tThe authorization for business-critical\
        \ assets to enter and exit the facility.\n\u2022\tMonitoring and maintaining\
        \ documentation related to the movements of business-critical assets."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit faire respecter l'obligation de rendre\
            \ compte de tous ses actifs essentiels \xE0 l'organisation tout au long\
            \ du cycle de vie du syst\xE8me, y compris lors du retrait, du transfert\
            \ et de leur mise \xE0 disposition."
          annotation: "Il convient que la responsabilit\xE9 inclue : \n\u2022 L'autorisation\
            \ pour les actifs critiques d'entrer et de sortir de l'installation. \n\
            \u2022 Le suivi et maintien de la documentation relative aux mouvements\
            \ des actifs critiques pour l\u2019organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: IMPORTANT_PR.DS-3.3
      description: The organization shall ensure that the necessary measures are taken
        to deal with  loss, misuse, damage, or theft of assets.
      annotation: "This can be done by policies, processes & procedures (reporting),\
        \ technical & organizational means (encryption, Access Control (AC), Mobile\
        \ Device Management (MDM), monitoring, secure wipe, awareness, signed user\
        \ agreement, guidelines & manuals, backups, inventory update \u2026)."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit veiller \xE0 ce que les mesures n\xE9\
            cessaires soient prises pour faire face \xE0 la perte, \xE0 l'utilisation\
            \ abusive, \xE0 la d\xE9t\xE9rioration ou au vol des actifs."
          annotation: "Cela peut se faire par des politiques, des processus et des\
            \ proc\xE9dures (reporting), des moyens techniques et organisationnels\
            \ (cryptage, contr\xF4le d'acc\xE8s (AC), gestion des appareils mobiles\
            \ (MDM), surveillance, effacement s\xE9curis\xE9, sensibilisation, accord\
            \ d'utilisation sign\xE9, directives et manuels, sauvegardes, mise \xE0\
            \ jour de l'inventaire...)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-3
      ref_id: PR.DS-3.4
      description: The organization shall ensure that disposal actions are approved,
        tracked, documented, and verified.
      annotation: Disposal actions include media sanitization actions (See PR.IP-6)
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que les actions d'\xE9limination\
            \ sont approuv\xE9es, suivies, document\xE9es et v\xE9rifi\xE9es."
          annotation: "Les actions d'\xE9limination comprennent des actions de assainissement\
            \ des m\xE9dias (voir PR.IP-6)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-4
      description: Adequate capacity to ensure availability is maintained
      translations:
        fr:
          name: null
          description: "Une capacit\xE9 ad\xE9quate pour assurer la disponibilit\xE9\
            \ est maintenue."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      ref_id: IMPORTANT_PR.DS-4.1
      description: Capacity planning shall ensure adequate resources for organization's
        critical system information processing, networking, telecommunications, and
        data storage.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La planification des capacit\xE9s doit garantir des ressources\
            \ ad\xE9quates pour le traitement de l'information, la mise en r\xE9seau,\
            \ les t\xE9l\xE9communications et le stockage des donn\xE9es des syst\xE8\
            mes critiques de l'organisation."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      ref_id: IMPORTANT_PR.DS-4.2
      description: Audit data from the organization's critical systems shall be moved
        to an alternative system.
      annotation: Be aware that log services can become a bottleneck and hinder the
        correct functioning of the source systems.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les donn\xE9es d'audit des syst\xE8mes critiques de l'organisation\
            \ doivent \xEAtre d\xE9plac\xE9es vers un syst\xE8me alternatif."
          annotation: "Sachez que les services de log peuvent devenir un goulot d'\xE9\
            tranglement et entraver le bon fonctionnement des syst\xE8mes sources."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-4
      ref_id: PR.DS-4.3
      description: "The organization\u2019s critical systems shall be protected against\
        \ denial-of-service attacks or at least the effect of such attacks will be\
        \ limited."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les syst\xE8mes critiques de l'organisation doivent \xEAtre\
            \ prot\xE9g\xE9s contre les attaques par d\xE9ni de service ou, du moins,\
            \ l'effet de ces attaques sera limit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-5
      description: Protections against data leaks are implemented
      translations:
        fr:
          name: null
          description: "Les protections contre les fuites de donn\xE9es sont mises\
            \ en \u0153uvre."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-5
      ref_id: IMPORTANT_PR.DS-5.1
      description: '[KEY MEASURE] The organization shall take appropriate actions
        resulting in the monitoring of its critical systems at external borders and
        critical internal points when unauthorized access and activities, including
        data leakage, is detected.'
      annotation: "\u2022\tConsider implementing dedicated protection measures (restricted\
        \ access rights, daily backups, data encryption, installation of firewalls,\
        \ etc.) for the most sensitive data.\n\u2022\tConsider frequent audit of the\
        \ configuration of the central directory (Active Directory in Windows environment),\
        \ with specific focus on the access to data of key persons in the company."
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit prendre des mesures appropri\xE9\
            es qui se traduisent par la surveillance de ses syst\xE8mes critiques\
            \ aux fronti\xE8res ext\xE9rieures et aux points internes critiques lorsqu'un\
            \ acc\xE8s et des activit\xE9s non autoris\xE9s, y compris une fuite de\
            \ donn\xE9es, sont d\xE9tect\xE9s."
          annotation: "\u2022 Pensez \xE0 mettre en place des mesures de protection\
            \ d\xE9di\xE9es (droits d'acc\xE8s restreints, sauvegardes quotidiennes,\
            \ cryptage des donn\xE9es, installation de pare-feu, etc.) pour les donn\xE9\
            es les plus sensibles. \n\u2022 Envisager un audit fr\xE9quent de la configuration\
            \ de l'annuaire central (Active Directory dans l'environnement Windows),\
            \ en se concentrant sp\xE9cifiquement sur l'acc\xE8s aux donn\xE9es des\
            \ personnes cl\xE9s de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-6
      description: Integrity checking mechanisms are used to verify software, firmware,
        and information integrity
      translations:
        fr:
          name: null
          description: "Des m\xE9canismes de v\xE9rification de l'int\xE9grit\xE9\
            \ sont utilis\xE9s pour v\xE9rifier l'int\xE9grit\xE9 des logiciels, des\
            \ microprogrammes et des informations."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ds-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      ref_id: IMPORTANT_PR.DS-6.1
      description: The organization shall implement software, firmware, and information
        integrity checks to detect unauthorized changes to its critical system components
        during storage, transport, start-up and when determined necessary.
      annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity
        checks, cyclical redundancy checks, cryptographic hashes) and associated tools
        can automatically monitor the integrity of information systems and hosted
        applications.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des contr\xF4les\
            \ d'int\xE9grit\xE9 des logiciels, des microprogrammes et des informations\
            \ pour d\xE9tecter les modifications non autoris\xE9es apport\xE9es aux\
            \ composants de ses syst\xE8mes critiques pendant le stockage, le transport,\
            \ le d\xE9marrage et lorsque cela est jug\xE9 n\xE9cessaire."
          annotation: "Les m\xE9canismes de v\xE9rification de l'int\xE9grit\xE9 conformes\
            \ \xE0 l'\xE9tat de l'art (par exemple, les contr\xF4les de parit\xE9\
            , les contr\xF4les de redondance cyclique, les hachages cryptographiques)\
            \ et les outils associ\xE9s peuvent surveiller automatiquement l'int\xE9\
            grit\xE9 des syst\xE8mes d'information et des applications h\xE9berg\xE9\
            es."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      ref_id: PR.DS-6.2
      description: The organization shall implement automated tools where feasible
        to provide notification upon discovering discrepancies during integrity verification.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des outils automatis\xE9\
            s, dans la mesure du possible, afin de fournir une notification lors de\
            \ la d\xE9couverte de divergences pendant la v\xE9rification de l'int\xE9\
            grit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-6
      ref_id: PR.DS-6.3
      description: The organization shall implement automatic response capability
        with pre-defined security safeguards when integrity violations are discovered.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre une capacit\xE9 de\
            \ r\xE9ponse automatique avec des garanties de s\xE9curit\xE9 pr\xE9d\xE9\
            finies lorsque des violations de l'int\xE9grit\xE9 sont d\xE9couvertes."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-7
      description: The development and testing environment(s) are separate from the
        production environment
      translations:
        fr:
          name: null
          description: "L'environnement ou les environnements de d\xE9veloppement\
            \ et de test sont s\xE9par\xE9s de l'environnement de production."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-7
      ref_id: PR.DS-7.1
      description: The development and test environment(s) shall be isolated from
        the production environment.
      annotation: "\u2022\tAny change one wants to make to the ICT/OT environment\
        \ should first be tested in an environment that is different and separate\
        \ from the production environment (operational environment) before that change\
        \ is effectively implemented . That way, the effect of those changes can be\
        \ analysed and adjustments can be made without disrupting operational activities.\n\
        \u2022\tConsider adding and testing cybersecurity features as early as during\
        \ development (secure development lifecycle  principles). \u2022\tAny change\
        \ one wants to make to the ICT/OT environment should first be tested in an\
        \ environment that is different and separate from the production environment\
        \ (operational environment) before that change is effectively implemented\
        \ . That way, the effect of those changes can be analysed and adjustments\
        \ can be made without disrupting operational activities.\n\u2022\tConsider\
        \ adding and testing cybersecurity features as early as during development\
        \ (secure development lifecycle  principles)."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Le ou les environnements de d\xE9veloppement et de test doivent\
            \ \xEAtre isol\xE9s de l'environnement de production."
          annotation: "\u2022 Il convient que tout changement que l'on souhaite apporter\
            \ \xE0 l'environnement ICT/OT soit d'abord test\xE9 dans un environnement\
            \ diff\xE9rent et distinct de l'environnement de production (environnement\
            \ op\xE9rationnel) avant que ce changement ne soit effectivement mis en\
            \ \u0153uvre. De cette fa\xE7on, l'effet de ces changements peut \xEA\
            tre analys\xE9 et des ajustements peuvent \xEAtre effectu\xE9s sans perturber\
            \ les activit\xE9s op\xE9rationnelles. \n\u2022 Envisagez d'ajouter et\
            \ de tester des fonctions de cybers\xE9curit\xE9 d\xE8s le d\xE9but du\
            \ d\xE9veloppement (principes du cycle de d\xE9veloppement s\xE9curis\xE9\
            )."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds
      ref_id: PR.DS-8
      description: Integrity checking mechanisms are used to verify hardware integrity
      translations:
        fr:
          name: null
          description: "Les m\xE9canismes de contr\xF4le d'int\xE9grit\xE9 sont utilis\xE9\
            s pour v\xE9rifier l'int\xE9grit\xE9 du mat\xE9riel."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8
      ref_id: PR.DS-8.1
      description: The organization shall implement hardware integrity checks to detect
        unauthorized tampering to its critical system's hardware.
      annotation: State-of-the-practice integrity-checking mechanisms (e.g., parity
        checks, cyclical redundancy checks, cryptographic hashes) and associated tools
        can automatically monitor the integrity of information systems and hosted
        applications.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des contr\xF4les\
            \ d'int\xE9grit\xE9 du mat\xE9riel pour d\xE9tecter les alt\xE9rations\
            \ non autoris\xE9es du mat\xE9riel de ses syst\xE8mes critiques."
          annotation: "Les m\xE9canismes de v\xE9rification de l'int\xE9grit\xE9 conformes\
            \ \xE0 l'\xE9tat de l'art (par exemple, les contr\xF4les de parit\xE9\
            , les contr\xF4les de redondance cyclique, les hachages cryptographiques)\
            \ et les outils associ\xE9s peuvent surveiller automatiquement l'int\xE9\
            grit\xE9 des syst\xE8mes d'information et des applications h\xE9berg\xE9\
            es."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ds-8
      ref_id: PR.DS-8.2
      description: The organization shall incorporate the detection of unauthorized
        tampering to its critical system's hardware into the organization incident
        response capability.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit int\xE9grer la d\xE9tection de l'alt\xE9\
            ration non autoris\xE9e du mat\xE9riel de ses syst\xE8mes critiques dans\
            \ sa capacit\xE9 de r\xE9ponse aux incidents."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.IP
      name: Information Protection Processes and Procedures
      description: Security policies (that address purpose, scope, roles, responsibilities,
        management commitment, and coordination among organizational entities), processes,
        and procedures are maintained and used to manage protection of information
        systems and assets.
      translations:
        fr:
          name: "Processus et proc\xE9dures de protection de l'information"
          description: "Les politiques de s\xE9curit\xE9 (qui traitent de l'objectif,\
            \ de la port\xE9e, des r\xF4les, des responsabilit\xE9s, de l'engagement\
            \ de la direction et de la coordination entre les entit\xE9s organisationnelles),\
            \ les processus et les proc\xE9dures sont maintenus et utilis\xE9s pour\
            \ g\xE9rer la protection des syst\xE8mes d'information et des actifs."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-1
      description: A baseline configuration of information technology/industrial control
        systems is created and maintained incorporating security principles (e.g.
        concept of least functionality)
      translations:
        fr:
          name: null
          description: "Une configuration de base des syst\xE8mes de contr\xF4le des\
            \ technologies de l'information/de l'industrie est cr\xE9\xE9e et maintenue\
            \ en int\xE9grant les principes de s\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1
      ref_id: IMPORTANT_PR.IP-1.1
      description: '[KEY MEASURE] The organization shall develop, document, and maintain
        a baseline configuration for the its business critical systems. '
      annotation: "\u2022\tThis control includes the concept of least functionality.\n\
        \u2022\tBaseline configurations include for example, information about organization's\
        \ business critical systems, current version numbers and patch information\
        \ on operating systems and applications, configuration settings/parameters,\
        \ network topology, and the logical placement of those components within the\
        \ system architecture.\n\u2022\tNetwork topology should include the nerve\
        \ points of the IT/OT environment (external connections, servers hosting data\
        \ and/or sensitive functions, DNS services security, etc.)."
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit d\xE9velopper, documenter\
            \ et maintenir une configuration de base pour ses syst\xE8mes critiques."
          annotation: "\u2022 Ce contr\xF4le inclut le concept de la moindre fonctionnalit\xE9\
            . \n\u2022 Les configurations de base comprennent, par exemple, des informations\
            \ sur les syst\xE8mes critiques de l'organisation, les num\xE9ros de version\
            \ actuels et les informations sur les correctifs des syst\xE8mes d'exploitation\
            \ et des applications, les param\xE8tres de configuration, la topologie\
            \ du r\xE9seau et l'emplacement logique de ces composants dans l'architecture\
            \ du syst\xE8me. \n\u2022 Il convient que la topologie du r\xE9seau inclue\
            \ les points n\xE9vralgiques de l'environnement IT/OT (connexions externes,\
            \ serveurs h\xE9bergeant des donn\xE9es et/ou des fonctions sensibles,\
            \ s\xE9curit\xE9 des services DNS, etc.)"
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-1
      ref_id: PR.IP-1.2
      description: The organization shall configure its business-critical systems
        to provide only essential capabilities; Therefore the baseline configuration
        shall be reviewed, and unnecessary capabilities disabled.
      annotation: "\u2022\tConfiguration of a system to provide only organization-defined\
        \ mission essential capabilities is known as the \u201Cconcept of least functionality\u201D\
        .\n\u2022\tCapabilities include functions, ports, protocols, software, and/or\
        \ services."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit configurer ses syst\xE8mes critiques pour\
            \ fournir uniquement les capacit\xE9s essentielles. Par cons\xE9quent,\
            \ la configuration de base doit \xEAtre revue et les capacit\xE9s inutiles\
            \ doivent \xEAtre d\xE9sactiv\xE9es."
          annotation: "\u2022 La configuration d'un syst\xE8me pour fournir uniquement\
            \ les capacit\xE9s essentielles \xE0 la mission d\xE9finies par l'organisation\
            \ est connue sous le nom de \"concept de moindre fonctionnalit\xE9\".\
            \ \n\u2022 Les capacit\xE9s comprennent les fonctions, les ports, les\
            \ protocoles, les logiciels et/ou les services."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-2
      description: A System Development Life Cycle to manage systems is implemented
      translations:
        fr:
          name: null
          description: "Un cycle de vie du d\xE9veloppement des syst\xE8mes pour g\xE9\
            rer les syst\xE8mes est mis en \u0153uvre ."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2
      ref_id: IMPORTANT_PR.IP-2.1
      description: The system and application development life cycle shall include
        security considerations.
      annotation: "\u2022\tSystem and application development life cycle should include\
        \ the acquisition process of the organization's business critical systems\
        \ and its components.\n\u2022\tVulnerability awareness and prevention training\
        \ for (web application) developers, and advanced social engineering awareness\
        \ training for high-profile roles should be considered.\n\u2022\tWhen hosting\
        \ internet facing applications the implementation of a web application firewall\
        \ (WAF) should be considered."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Le cycle de vie du d\xE9veloppement des syst\xE8mes et des\
            \ applications doit inclure des consid\xE9rations de s\xE9curit\xE9."
          annotation: "\u2022 Il convient que le cycle de vie du d\xE9veloppement\
            \ des syst\xE8mes et des applications inclue le processus d'acquisition\
            \ des syst\xE8mes critiques de l'organisation et de ses composants. \n\
            \u2022 Il convient d'envisager une formation \xE0 la sensibilisation aux\
            \ vuln\xE9rabilit\xE9s et \xE0 la pr\xE9vention pour les d\xE9veloppeurs\
            \ (d'applications web), ainsi qu'une formation avanc\xE9e \xE0 la sensibilisation\
            \ \xE0 l'ing\xE9nierie sociale pour les r\xF4les importants. \n\u2022\
            \ Lorsque l'on h\xE9berge des applications tourn\xE9es vers l'internet,\
            \ il convient d'envisager la mise en place d'un pare-feu pour applications\
            \ web (WAF)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-2
      ref_id: PR.IP-2.2
      description: The development process for critical systems and system components
        shall cover the full design cycle and shall provide a description of the functional
        properties of security controls, and design and implementation information
        for security-relevant system interfaces.
      annotation: "The development cycle includes:\n\u2022\tAll development phases:\
        \ specification , design, development, implementation.\n\u2022\tConfiguration\
        \ management for planned and unplanned changes and change control during the\
        \ development.\n\u2022\tFlaw tracking & resolution.\n\u2022\tSecurity testing."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Le processus de d\xE9veloppement des syst\xE8mes critiques\
            \ et de leurs composants doit couvrir l'ensemble du cycle de conception\
            \ et fournir une description des propri\xE9t\xE9s fonctionnelles des contr\xF4\
            les de s\xE9curit\xE9, ainsi que des informations sur la conception et\
            \ la mise en \u0153uvre des interfaces du syst\xE8me relatives \xE0 la\
            \ s\xE9curit\xE9."
          annotation: "Le cycle de d\xE9veloppement comprend : \n\u2022 Toutes les\
            \ phases de d\xE9veloppement : sp\xE9cification, conception, d\xE9veloppement,\
            \ mise en \u0153uvre. \n\u2022 Gestion de la configuration pour les changements\
            \ planifi\xE9s et non planifi\xE9s et contr\xF4le des changements pendant\
            \ le d\xE9veloppement. \n\u2022 Suivi et r\xE9solution des failles. \n\
            \u2022 Test de s\xE9curit\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-3
      description: Configuration change control processes are in place
      translations:
        fr:
          name: null
          description: "Des processus de contr\xF4le des changements de configuration\
            \ sont en place."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3
      ref_id: IMPORTANT_PR.IP-3.1
      description: Changes shall be tested and validated before being implemented
        into operational systems.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les modifications doivent \xEAtre test\xE9es et valid\xE9\
            es avant d'\xEAtre mises en \u0153uvre dans les syst\xE8mes op\xE9rationnels."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-3
      ref_id: PR.IP-3.2
      description: For planned changes to the organization's critical systems, a security
        impact analysis shall be performed in a separate test environment before implementation
        in an operational environment.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Pour les modifications pr\xE9vues des syst\xE8mes critiques\
            \ de l'organisation, une analyse d'impact sur la s\xE9curit\xE9 doit \xEA\
            tre effectu\xE9e dans un environnement de test distinct avant la mise\
            \ en \u0153uvre dans un environnement op\xE9rationnel."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-4
      description: 'Backups of information are conducted, maintained, and tested '
      translations:
        fr:
          name: null
          description: "Des sauvegardes des informations sont effectu\xE9es, maintenues\
            \ et test\xE9es ."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: BASIC_PR.IP-4.1
      description: '[KEY MEASURE] Backups for organization''s business critical data
        shall be conducted and stored on a system different from the device on which
        the original data resides'
      annotation: "\u2022\tOrganization's business critical system's data includes\
        \ for example software, configurations and settings, documentation, system\
        \ configuration data including computer configuration backups, application\
        \ configuration backups, etc.\n\u2022\tConsider a regular backup and put it\
        \ offline periodically.\n\u2022\tRecovery time and recovery point objectives\
        \ should be considered.\n\u2022\tConsider not storing the organization's data\
        \ backup on the same network as the system on which the original data resides\
        \ and provide an offline copy. Among other things, this prevents file encryption\
        \ by hackers (risk of ransomware)."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les sauvegardes des donn\xE9es critiques de\
            \ l'organisation doivent \xEAtre effectu\xE9es et stock\xE9es sur un syst\xE8\
            me diff\xE9rent du dispositif sur lequel se trouvent les donn\xE9es originales."
          annotation: "\u2022 Les donn\xE9es des syst\xE8mes critiques de l'organisation\
            \ comprennent par exemple les logiciels, les configurations et les param\xE8\
            tres, la documentation, les donn\xE9es de configuration du syst\xE8me,\
            \ y compris les sauvegardes de la configuration de l'ordinateur, les sauvegardes\
            \ de la configuration des applications, etc. \n\u2022 Envisagez une sauvegarde\
            \ r\xE9guli\xE8re et mettez-la hors ligne p\xE9riodiquement. \n\u2022\
            \ Il convient que les objectifs de temps et de point de r\xE9tablissement\
            \ doivent \xEAtre pris en compte. \n\u2022 Envisagez de ne pas stocker\
            \ la sauvegarde des donn\xE9es de l'organisation sur le m\xEAme r\xE9\
            seau que le syst\xE8me sur lequel r\xE9sident les donn\xE9es originales\
            \ et fournissez une copie hors ligne. Cela permet notamment d'\xE9viter\
            \ le cryptage des fichiers par les pirates (risque de ransomware)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: IMPORTANT_PR.IP-4.2
      description: The reliability and integrity of backups shall be verified and
        tested on regular basis.
      annotation: This should include regularly testing of the backup restore procedures.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La fiabilit\xE9 et l'int\xE9grit\xE9 des sauvegardes doivent\
            \ \xEAtre v\xE9rifi\xE9es et test\xE9es r\xE9guli\xE8rement."
          annotation: "Il convient d\u2019inclure des tests r\xE9guliers des proc\xE9\
            dures de restauration des sauvegardes."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: IMPORTANT_PR.IP-4.3
      description: A separate alternate storage site for system backups shall be operated
        and the same security safeguards as the primary storage location shall be
        employed.
      annotation: An offline backup of your data is ideally stored in a separate physical
        location from the original data source and where feasible offsite for extra
        protection and security.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un site de stockage alternatif distinct pour les sauvegardes\
            \ du syst\xE8me doit \xEAtre exploit\xE9 et les m\xEAmes mesures de s\xE9\
            curit\xE9 que le site de stockage principal doivent \xEAtre utilis\xE9\
            es."
          annotation: "Une sauvegarde hors ligne de vos donn\xE9es est id\xE9alement\
            \ stock\xE9e dans un endroit physique distinct de la source de donn\xE9\
            es originale et, si possible, hors site pour une protection et une s\xE9\
            curit\xE9 suppl\xE9mentaires."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: PR.IP-4.4
      description: Backup verification shall be coordinated with the functions in
        the organization that are responsible for related plans.
      annotation: "\u2022\tRelated plans include, for example, Business Continuity\
        \ Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications\
        \ Plans, Critical Infrastructure Plans, and Cyber Incident response plans.\n\
        \u2022\tRestoration of backup data during contingency plan testing should\
        \ be provided."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "La v\xE9rification des sauvegardes doit \xEAtre coordonn\xE9\
            e avec les fonctions de l'organisation qui sont responsables des plans\
            \ connexes."
          annotation: "\u2022 Les plans connexes comprennent, par exemple, les plans\
            \ de continuit\xE9 des activit\xE9s, les plans de reprise apr\xE8s sinistre,\
            \ les plans de continuit\xE9 des op\xE9rations, les plans de communication\
            \ de crise, les plans d'infrastructure critique et les plans de r\xE9\
            ponse aux cyberincidents. \n\u2022 Il convient que la restauration des\
            \ donn\xE9es de sauvegarde pendant les tests du plan d'urgence soit pr\xE9\
            vue."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-4
      ref_id: PR.IP-4.5
      description: Critical system backup shall be separated from critical information
        backup.
      annotation: Seperation of critical system backup from critical information backup
        should lead to a shorter recovery time.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "La sauvegarde des syst\xE8mes critiques doit \xEAtre s\xE9\
            par\xE9e de la sauvegarde des informations critiques."
          annotation: "Il convient que la s\xE9paration de la sauvegarde des syst\xE8\
            mes critiques et de la sauvegarde des informations critiques devrait permette\
            \ de r\xE9duire le temps de r\xE9tablissement."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-5
      description: Policy and regulations regarding the physical operating environment
        for organizational assets are met
      translations:
        fr:
          name: null
          description: "La politique et les r\xE8glements concernant l'environnement\
            \ physique d'exploitation des actifs de l'organisation sont respect\xE9\
            s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5
      ref_id: IMPORTANT_PR.IP-5.1
      description: The organization shall define, implement, and enforce policy and
        procedures regarding emergency and safety systems, fire protection systems,
        and environment controls for its critical systems.
      annotation: "The below measures should be considered:\n\u2022\tProtect unattended\
        \ computer equipment with padlocks or a locker and key system.\n\u2022\tFire\
        \ suppression mechanisms should take the organization's critical system environment\
        \ into account (e.g., water sprinkler systems could be hazardous in specific\
        \ environments)."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit d\xE9finir, mettre en \u0153uvre et appliquer\
            \ une politique et des proc\xE9dures concernant les syst\xE8mes d'urgence\
            \ et de s\xE9curit\xE9, les syst\xE8mes de protection contre l'incendie\
            \ et les contr\xF4les de l'environnement pour ses syst\xE8mes critiques."
          annotation: "Les mesures ci-dessous doivent \xEAtre envisag\xE9es : \n\u2022\
            \ Prot\xE9gez les \xE9quipements informatiques non surveill\xE9s avec\
            \ des cadenas ou un syst\xE8me de casiers et de cl\xE9s. \n\u2022 Il convient\
            \ que les m\xE9canismes d'extinction des incendies tiennent compte de\
            \ l'environnement des syst\xE8mes critiques de l'organisation (par exemple,\
            \ les syst\xE8mes d'extincteurs automatiques \xE0 eau peuvent \xEAtre\
            \ dangereux dans certains environnements)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-5
      ref_id: PR.IP-5.2
      description: The organization shall implement fire detection devices that activate
        and notify key personnel automatically in the event of a fire.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en place des dispositifs de d\xE9\
            tection d'incendie qui se d\xE9clenchent et avertissent automatiquement\
            \ le personnel cl\xE9 en cas d'incendie."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-6
      description: Data is destroyed according to policy
      translations:
        fr:
          name: null
          description: "Les donn\xE9es sont d\xE9truites conform\xE9ment \xE0 la politique."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6
      ref_id: IMPORTANT_PR.IP-6.1
      description: The organization shall ensure that its critical system's data is
        destroyed according to policy.
      annotation: "\u2022\tDisposal actions include media sanitization actions (See\
        \ PR.DS-3)\n\u2022\tThere are two primary types of media in common use:\n\
        o\tHard copy media (physical representations of information)\no\tElectronic\
        \ or soft copy media (the bits and bytes contained in hard drives, random\
        \ access memory (RAM), read-only memory (ROM), disks, memory devices, phones,\
        \ mobile computing devices, networking equipment\u2026)"
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que les donn\xE9es de son syst\xE8\
            me critique sont d\xE9truites conform\xE9ment \xE0 la politique."
          annotation: "\u2022 Les actions d'\xE9limination comprennent des actions\
            \ d\u2019assainissement des m\xE9dias (voir PR.DS-3). \n\u2022 Il existe\
            \ deux principaux types de supports utilis\xE9s couramment : \no Supports\
            \ papier (repr\xE9sentations physiques de l'information) \no Les supports\
            \ \xE9lectroniques ou informatiques (les bits et les octets contenus dans\
            \ les disques durs, les m\xE9moires vives (RAM), les m\xE9moires mortes\
            \ (ROM), les disques, les dispositifs de m\xE9moire, les t\xE9l\xE9phones,\
            \ les dispositifs informatiques mobiles, les \xE9quipements de r\xE9seau...)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-6
      ref_id: PR.IP-6.2
      description: Sanitation processes shall be documented and tested.
      annotation: "\u2022\tSanitation processes include procedures and equipment.\n\
        \u2022\tConsider applying non-destructive sanitization techniques to portable\
        \ storage devices.\n\u2022\tConsider sanitation procedures in proportion to\
        \ confidentiality requirements."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les processus d'assainissement doivent \xEAtre document\xE9\
            s et test\xE9s."
          annotation: "\u2022 Les processus d'assainissement comprennent les proc\xE9\
            dures et les \xE9quipements. \n\u2022 Envisagez d'appliquer des techniques\
            \ d\u2019assainissement non destructives aux dispositifs de stockage portables.\
            \ \n\u2022 Consid\xE9rez les proc\xE9dures d'assainissement en fonction\
            \ des exigences de confidentialit\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-7
      description: Protection processes are improved
      translations:
        fr:
          name: null
          description: "Les processus de protection sont am\xE9lior\xE9s"
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      ref_id: IMPORTANT_PR.IP-7.1
      description: The organization shall incorporate improvements derived from the
        monitoring, measurements, assessments, and lessons learned into protection
        process updates (continuous improvement).
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit int\xE9grer les am\xE9liorations d\xE9\
            coulant de la surveillance, des mesures, des \xE9valuations et des enseignements\
            \ tir\xE9s dans les mises \xE0 jour du processus de protection (am\xE9\
            lioration continue)."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      ref_id: PR.IP-7.2
      description: The organization shall implement independent teams to assess the
        protection process(es).
      annotation: 'Independent teams, for example, may include internal or external
        impartial personnel.

        Impartiality implies that assessors are free from any perceived or actual
        conflicts of interest regarding the development, operation, or management
        of the organization''s critical system under assessment or to the determination
        of security control effectiveness.'
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en place des \xE9quipes ind\xE9\
            pendantes pour \xE9valuer le(s) processus de protection."
          annotation: "\u2022 Les \xE9quipes ind\xE9pendantes peuvent comprendre du\
            \ personnel impartial interne ou externe. \n\u2022 L'impartialit\xE9 implique\
            \ que les \xE9valuateurs soient libres de tout conflit d'int\xE9r\xEA\
            t per\xE7u ou r\xE9el concernant le d\xE9veloppement, l'exploitation ou\
            \ la gestion du syst\xE8me critique de l'organisation soumis \xE0 l'\xE9\
            valuation ou la d\xE9termination de l'efficacit\xE9 du contr\xF4le de\
            \ s\xE9curit\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-7
      ref_id: PR.IP-7.3
      description: The organization shall ensure that the security plan for its critical
        systems facilitates the review, testing, and continual improvement of the
        security protection processes.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que le plan de s\xE9curit\xE9\
            \ de ses syst\xE8mes critiques facilite l'examen, le test et l'am\xE9\
            lioration continue des processus de protection de la s\xE9curit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-8
      description: 'Effectiveness of protection technologies is shared '
      translations:
        fr:
          name: null
          description: "L'efficacit\xE9 des technologies de protection est partag\xE9\
            e."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      ref_id: IMPORTANT_PR.IP-8.1
      description: The organization shall collaborate and share information about
        its critical system's related security incidents and mitigation measures with
        designated partners.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit collaborer et partager avec les partenaires\
            \ d\xE9sign\xE9s les informations relatives aux incidents de s\xE9curit\xE9\
            \ li\xE9s \xE0 son syst\xE8me critique et aux mesures d'att\xE9nuation."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      ref_id: IMPORTANT_PR.IP-8.2
      description: Communication of effectiveness of protection technologies shall
        be shared with appropriate parties.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La communication de l'efficacit\xE9 des technologies de protection\
            \ est partag\xE9e avec les parties appropri\xE9es."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-8.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-8
      ref_id: IMPORTANT_PR.IP-8.3
      description: The organization shall implement, where feasible, automated mechanisms
        to assist in information collaboration.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre, dans la mesure du\
            \ possible, des m\xE9canismes automatis\xE9s pour faciliter la collaboration\
            \ en mati\xE8re d'information."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-9
      description: Response plans (Incident Response and Business Continuity) and
        recovery plans (Incident Recovery and Disaster Recovery) are in place and
        managed
      translations:
        fr:
          name: null
          description: "Des plans de r\xE9ponse (r\xE9ponse aux incidents et continuit\xE9\
            \ des activit\xE9s) et des plans de r\xE9tablissement (reprise apr\xE8\
            s incident et reprise apr\xE8s sinistre) sont en place et g\xE9r\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-9.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9
      ref_id: IMPORTANT_PR.IP-9.1
      description: Incident response plans (Incident Response and Business Continuity)
        and recovery plans (Incident Recovery and Disaster Recovery) shall be established,
        maintained, approved, and tested to determine the effectiveness of the plans,
        and the readiness to execute the plans.
      annotation: "\u2022\tThe incident response plan is the documentation of a predetermined\
        \ set of instructions or procedures to detect, respond to, and limit consequences\
        \ of a malicious cyber-attack.\n\u2022\tPlans should incorporate recovery\
        \ objectives, restoration priorities, metrics, contingency roles, personnel\
        \ assignments and contact information.\n\u2022\tMaintaining essential functions\
        \ despite system disruption, and the eventual restoration of the organization\u2019\
        s systems, should be addressed.\n\u2022\tConsider defining incident types,\
        \ resources and management support needed to effectively maintain and mature\
        \ the incident response and contingency capabilities."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Des plans de r\xE9ponse en cas d'incident (r\xE9ponse aux\
            \ incidents et continuit\xE9 des activit\xE9s) et des plans de r\xE9tablissement\
            \ (r\xE9tablissement en cas d'incident et reprise apr\xE8s sinistre) doivent\
            \ \xEAtre \xE9tablis, maintenus, approuv\xE9s et test\xE9s afin de d\xE9\
            terminer l'efficacit\xE9 des plans et l'\xE9tat de pr\xE9paration \xE0\
            \ l'ex\xE9cution des plans."
          annotation: "\u2022 Le plan de r\xE9ponse aux incidents est la documentation\
            \ d'un ensemble pr\xE9d\xE9termin\xE9 d'instructions ou de proc\xE9dures\
            \ pour d\xE9tecter, r\xE9pondre et limiter les cons\xE9quences d'une cyber-attaque\
            \ malveillante. \n\u2022 Il convient d\u2019int\xE9grer dans les plans\
            \ les objectifs de r\xE9tablissement, les priorit\xE9s de r\xE9tablissement,\
            \ les mesures, les r\xF4les d'urgence, les affectations du personnel et\
            \ les informations de contact. \n\u2022 Il convient que le maintien des\
            \ fonctions essentielles malgr\xE9 la perturbation du syst\xE8me et la\
            \ restauration \xE9ventuelle des syst\xE8mes de l'organisation soient\
            \ abord\xE9s. \n\u2022 Envisagez de d\xE9finir les types d'incidents,\
            \ les ressources et le soutien de gestion n\xE9cessaires pour maintenir\
            \ et d\xE9velopper efficacement les capacit\xE9s de r\xE9ponse aux incidents\
            \ et de contingence."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-9
      ref_id: PR.IP-9.2
      description: The organization shall coordinate the development and the testing
        of incident response plans and recovery plans with stakeholders responsible
        for related plans.
      annotation: Related plans include, for example, Business Continuity Plans, Disaster
        Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans,
        Critical Infrastructure Plans, Cyber incident response plans, and Occupant
        Emergency Plans.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit coordonner l'\xE9laboration et le test\
            \ des plans de r\xE9ponse aux incidents et des plans de r\xE9tablissement\
            \ avec les parties prenantes responsables des plans connexes."
          annotation: "Les plans connexes comprennent, par exemple, les plans de continuit\xE9\
            \ des activit\xE9s, les plans de reprise apr\xE8s sinistre, les plans\
            \ de continuit\xE9 des op\xE9rations, les plans de communication de crise,\
            \ les plans d'infrastructure critique, les plans de r\xE9ponse aux cyberincidents\
            \ et les plans d'urgence pour les occupants."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-11
      description: Cybersecurity is included in human resources practices (e.g., deprovisioning,
        personnel screening)
      translations:
        fr:
          name: null
          description: "La cybers\xE9curit\xE9 est incluse dans les pratiques de ressources\
            \ humaines (d\xE9provisionnement, s\xE9lection du personnel...)."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ip-11.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11
      ref_id: BASIC_PR.IP-11.1
      description: "Personnel having access to the organization\u2019s most critical\
        \ information or technology shall be verified."
      annotation: "\u2022\tThe access to critical information or technology should\
        \ be considered when recruiting, during employment and at termination.\n\u2022\
        \tBackground verification checks should take into consideration applicable\
        \ laws, regulations, and ethics in proportion to the business requirements,\
        \ the classification of the information to be accessed and the perceived risks."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Le personnel ayant acc\xE8s aux informations ou aux technologies\
            \ les plus critiques de l'organisation doit \xEAtre v\xE9rifi\xE9."
          annotation: "\u2022 Il convient que l'acc\xE8s aux informations ou aux technologies\
            \ critiques soit pris en compte lors du recrutement, pendant l'emploi\
            \ et lors de la cessation d'activit\xE9. \n\u2022 Il convient que les\
            \ v\xE9rifications des ant\xE9c\xE9dents tiennent compte des lois, des\
            \ r\xE8glements et de l'\xE9thique applicables, proportionnellement aux\
            \ besoins de l'organisation, \xE0 la classification des informations auxquelles\
            \ il faut acc\xE9der et aux risques per\xE7us."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-11.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-11
      ref_id: IMPORTANT_PR.IP-11.2
      description: Develop and maintain a human resource information/cyber security
        process that is applicable when recruiting, during employment and at termination
        of employment.
      annotation: "The human resource information/cyber security process should include\
        \ access to critical information or technology; background verification checks;\
        \ code of conduct; roles, authorities, and responsibilities\u2026"
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "\xC9laborer et maintenir un processus de s\xE9curit\xE9 de\
            \ l'information/cyber des ressources humaines applicable lors du recrutement,\
            \ pendant l'emploi et \xE0 la fin de l'emploi."
          annotation: "Il convient que le processus de s\xE9curit\xE9 des ressources\
            \ humaines en mati\xE8re d'information et de cybercriminalit\xE9 comprenne\
            \ l'acc\xE8s aux informations ou aux technologies essentielles, la v\xE9\
            rification des ant\xE9c\xE9dents, le code de conduite, les r\xF4les, les\
            \ pouvoirs et les responsabilit\xE9s..."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip
      ref_id: PR.IP-12
      description: A vulnerability management plan is developed and implemented
      translations:
        fr:
          name: null
          description: "Un plan de gestion des vuln\xE9rabilit\xE9s est \xE9labor\xE9\
            \ et mis en \u0153uvre."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ip-12.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ip-12
      ref_id: IMPORTANT_PR.IP-12.1
      description: The organization shall establish and maintain a documented process
        that allows continuous review of vulnerabilities and strategies to mitigate
        them.
      annotation: "\u2022\tConsider inventorying sources likely to report vulnerabilities\
        \ in the identified components and distribute updates (software publisher\
        \ websites, CERT website, ENISA website).\n\u2022\tThe organization should\
        \ identify where its critical system's vulnerabilities may be exposed to adversaries."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit \xE9tablir et maintenir un processus document\xE9\
            \ qui permet un examen continu des vuln\xE9rabilit\xE9s et des strat\xE9\
            gies pour les att\xE9nuer."
          annotation: "\u2022 Envisager de recenser les sources susceptibles de signaler\
            \ les vuln\xE9rabilit\xE9s des composants identifi\xE9s et de diffuser\
            \ les mises \xE0 jour (sites web des \xE9diteurs de logiciels, site web\
            \ du CERT, site web de ENISA). \n\u2022 Il convient que l'organisation\
            \ identifie o\xF9 les vuln\xE9rabilit\xE9s de son syst\xE8me critique\
            \ peuvent \xEAtre expos\xE9es \xE0 des adversaires."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.MA
      name: Maintenance
      description: Maintenance and repairs of industrial control and information system
        components are performed consistent with policies and procedures.
      translations:
        fr:
          name: 'Maintenance '
          description: "La maintenance et la r\xE9paration des composants des syst\xE8\
            mes de contr\xF4le et d'information industriels sont effectu\xE9es conform\xE9\
            ment aux politiques et proc\xE9dures."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma
      ref_id: PR.MA-1
      description: Maintenance and repair of organizational assets are performed and
        logged, with approved and controlled tools
      translations:
        fr:
          name: null
          description: "L'entretien et la r\xE9paration des actifs de l'organisation\
            \ sont effectu\xE9s et consign\xE9s, avec des outils approuv\xE9s et contr\xF4\
            l\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.ma-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: BASIC_PR.MA-1.1
      description: '[KEY MEASURE] Patches and security updates for Operating Systems
        and critical system components shall be installed.'
      annotation: "The following should be considered:\n\u2022\tLimit yourself to\
        \ only install those applications (operating systems, firmware, or plugins\
        \ ) that you need to run your business and patch/update them regularly.\n\u2022\
        \tYou should only install a current and vendor-supported version of software\
        \ you choose to use. It may be useful to assign a day each month to check\
        \ for patches.\n\u2022\tThere are products which can scan your system and\
        \ notify you when there is an update for an application you have installed.\
        \ If you use one of these products, make sure it checks for updates for every\
        \ application you use.\n\u2022\tInstall patches and security updates in a\
        \ timely manner."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les correctifs et les mises \xE0 jour de s\xE9\
            curit\xE9 pour les syst\xE8mes d'exploitation et les composants critiques\
            \ du syst\xE8me doivent \xEAtre install\xE9s."
          annotation: "Il convient de consid\xE9rer les \xE9l\xE9ments suivants: \n\
            \u2022 Limitez-vous \xE0 l'installation des applications (syst\xE8mes\
            \ d'exploitation, microprogrammes ou plugins) dont vous avez besoin pour\
            \ g\xE9rer votre organisation et mettez-les \xE0 jour r\xE9guli\xE8rement.\
            \ \n\u2022 Il convient de n\u2019installer que la version actuelle et\
            \ prise en charge par le fournisseur du logiciel que vous choisissez d'utiliser.\
            \ Il peut \xEAtre utile d'attribuer un jour par mois \xE0 la v\xE9rification\
            \ des correctifs. \n\u2022 Il existe des produits qui peuvent analyser\
            \ votre syst\xE8me et vous avertir lorsqu'il existe une mise \xE0 jour\
            \ pour une application que vous avez install\xE9e. Si vous utilisez l'un\
            \ de ces produits, assurez-vous qu'il v\xE9rifie les mises \xE0 jour pour\
            \ chaque application que vous utilisez. \u2022 Installer les correctifs\
            \ et les mises \xE0 jour de s\xE9curit\xE9 en temps voulu."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: IMPORTANT_PR.MA-1.2
      description: The organization shall plan, perform and document preventive maintenance
        and repairs on its critical system components according to approved processes
        and tools.
      annotation: 'Consider the below measures:

        (1) Perform security updates on all software in a timely manner.

        (2) Automate the update process and audit its effectiveness.

        (3) Introduce an internal patching culture on desktops, mobile devices, servers,
        network components, etc. to ensure updates are tracked.'
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit planifier, r\xE9aliser et documenter la\
            \ maintenance pr\xE9ventive et les r\xE9parations des composants critiques\
            \ de son syst\xE8me selon des processus et des outils approuv\xE9s."
          annotation: "Il convient de consid\xE9rer les \xE9l\xE9ments suivants: \n\
            \u2022 Effectuer les mises \xE0 jour de s\xE9curit\xE9 sur tous les logiciels\
            \ en temps voulu. \n\u2022 Automatisez le processus de mise \xE0 jour\
            \ et contr\xF4lez son efficacit\xE9. \n\u2022 Introduire une culture interne\
            \ de l'application de correctifs sur les ordinateurs de bureau, les appareils\
            \ mobiles, les serveurs, les composants de r\xE9seau, etc. pour assurer\
            \ le suivi des mises \xE0 jour."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: IMPORTANT_PR.MA-1.3
      description: The organization shall enforce approval requirements, control,
        and monitoring of maintenance tools for use on the its critical systems.
      annotation: Maintenance tools can include, for example, hardware/software diagnostic
        test equipment, hardware/software packet sniffers and laptops.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit appliquer les exigences d'approbation,\
            \ de contr\xF4le et de surveillance des outils de maintenance destin\xE9\
            s \xE0 \xEAtre utilis\xE9s sur ses syst\xE8mes critiques."
          annotation: "Les outils de maintenance peuvent inclure des \xE9quipements\
            \ de test de diagnostic mat\xE9riel/logiciel, des renifleurs de paquets\
            \ mat\xE9riel/logiciel et des ordinateurs portables."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: IMPORTANT_PR.MA-1.4
      description: The organization shall verify security controls following hardware
        maintenance or repairs, and take action as appropriate.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit v\xE9rifier les contr\xF4les de s\xE9\
            curit\xE9 apr\xE8s la maintenance ou la r\xE9paration du mat\xE9riel et\
            \ prendre les mesures qui s'imposent."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: PR.MA-1.5
      description: '[KEY MEASURE] The organization shall prevent the unauthorized
        removal of maintenance equipment containing organization''s critical system
        information.'
      annotation: This requirement maily focuses mainly on OT/ICS environments.
      implementation_groups:
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit emp\xEAcher le retrait\
            \ non autoris\xE9 des \xE9quipements de maintenance contenant des informations\
            \ critiques sur les syst\xE8mes de l'organisation."
          annotation: Cette exigence concerne principalement les environnements OT/ICS.
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: PR.MA-1.6
      description: '[KEY MEASURE] Maintenance tools and portable storage devices shall
        be inspected when  brought into the facility and shall be protected by anti-malware
        solutions so that they are scanned for malicious code before they are used
        on organization''s systems. '
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les outils de maintenance et les dispositifs\
            \ de stockage portables doivent \xEAtre inspect\xE9s lorsqu'ils sont introduits\
            \ dans l'\xE9tablissement et doivent \xEAtre prot\xE9g\xE9s par des solutions\
            \ anti-malware afin qu'ils soient analys\xE9s pour d\xE9tecter les codes\
            \ malveillants avant d'\xEAtre utilis\xE9s sur les syst\xE8mes de l'organisation."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-1
      ref_id: PR.MA-1.7
      description: '[KEY MEASURE] The organization shall verify security controls
        following hardware and software maintenance or repairs/patching and take action
        as appropriate.'
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit v\xE9rifier les contr\xF4\
            les de s\xE9curit\xE9 \xE0 la suite de la maintenance ou de la r\xE9paration/du\
            \ correctif du mat\xE9riel et des logiciels et prendre les mesures qui\
            \ s'imposent."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma
      ref_id: PR.MA-2
      description: Remote maintenance of organizational assets is approved, logged,
        and performed in a manner that prevents unauthorized access
      translations:
        fr:
          name: null
          description: "La maintenance \xE0 distance des actifs de l'organisation\
            \ est approuv\xE9e, consign\xE9e et effectu\xE9e de mani\xE8re \xE0 emp\xEA\
            cher tout acc\xE8s non autoris\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      ref_id: IMPORTANT_PR.MA-2.1
      description: Remote maintenance shall only occur after prior approval, monitoring
        to avoid unauthorised access, and approval of the outcome of the maintenance
        activities as described in approved processes or procedures.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La t\xE9l\xE9maintenance ne doit avoir lieu qu'apr\xE8s approbation\
            \ pr\xE9alable, surveillance pour \xE9viter tout acc\xE8s non autoris\xE9\
            , et approbation du r\xE9sultat des activit\xE9s de maintenance telles\
            \ que d\xE9crites dans les processus ou proc\xE9dures approuv\xE9s."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.ma-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      ref_id: IMPORTANT_PR.MA-2.2
      description: The organization shall make sure that strong authenticators, record
        keeping, and session termination for remote maintenance is implemented.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer de la mise en \u0153uvre d'authentificateurs\
            \ forts, de la prise d'enregistrements et de la fermeture de session pour\
            \ la maintenance \xE0 distance."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.ma-2
      ref_id: PR.MA-2.3
      description: The organization shall require that diagnostic services pertaining
        to remote maintenance be performed from a system that implements a security
        capability comparable to the capability implemented on the equivalent organization's
        critical system.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit exiger que les services de diagnostic\
            \ relatifs \xE0 la t\xE9l\xE9maintenance soient effectu\xE9s \xE0 partir\
            \ d'un syst\xE8me qui met en \u0153uvre une capacit\xE9 de s\xE9curit\xE9\
            \ comparable \xE0 celle mise en \u0153uvre sur le syst\xE8me critique\
            \ de l'organisation \xE9quivalent."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr
      ref_id: PR.PT
      name: Protective Technology
      description: Technical security solutions are managed to ensure the security
        and resilience of systems and assets, consistent with related policies, procedures,
        and agreements.
      translations:
        fr:
          name: Technologie de protection
          description: "Les solutions de s\xE9curit\xE9 technique sont g\xE9r\xE9\
            es de mani\xE8re \xE0 garantir la s\xE9curit\xE9 et la r\xE9silience des\
            \ syst\xE8mes et des actifs, conform\xE9ment aux politiques, proc\xE9\
            dures et accords connexes."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-1
      description: Audit/log records are determined, documented, implemented, and
        reviewed in accordance with policy
      translations:
        fr:
          name: null
          description: "Les enregistrements d'audit/logs sont d\xE9termin\xE9s, document\xE9\
            s, mis en \u0153uvre et r\xE9vis\xE9s conform\xE9ment \xE0 la politique."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: BASIC_PR.PT-1.1
      description: '[KEY MEASURE]  Logs shall be maintained, documented, and reviewed.'
      annotation: "\u2022\tEnsure the activity logging functionality of protection\
        \ / detection hardware or software (e.g. firewalls, anti-virus) is enabled.\n\
        \u2022\tLogs should be backed up and saved for a predefined period.\n\u2022\
        \tThe logs should be reviewed for any unusual or unwanted trends, such as\
        \ a large use of social media websites or an unusual number of viruses consistently\
        \ found on a particular computer. These trends may indicate a more serious\
        \ problem or signal the need for stronger protections in a particular area."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les logs doivent \xEAtre maintenus, document\xE9\
            s et examin\xE9s."
          annotation: "\u2022 Assurez-vous que la fonctionnalit\xE9 d'enregistrement\
            \ des activit\xE9s du mat\xE9riel ou du logiciel de protection/d\xE9tection\
            \ (par exemple, les pare-feu, les antivirus) est activ\xE9e. \n\u2022\
            \ Il convient que les logs soient sauvegard\xE9s et conserv\xE9s pendant\
            \ une p\xE9riode pr\xE9d\xE9finie. \n\u2022 Il convient que les logs soient\
            \ examin\xE9s pour d\xE9celer toute tendance inhabituelle ou ind\xE9sirable,\
            \ telle qu'une utilisation importante des sites Web de m\xE9dias sociaux\
            \ ou un nombre inhabituel de virus trouv\xE9s r\xE9guli\xE8rement sur\
            \ un ordinateur particulier. Ces tendances peuvent indiquer un probl\xE8\
            me plus grave ou signaler la n\xE9cessit\xE9 de renforcer les protections\
            \ dans un domaine particulier."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: IMPORTANT_PR.PT-1.2
      description: 'The organization shall ensure that the log records include an
        authoritative time source or internal clock time stamp that are compared and
        synchronized  to an authoritative time source. '
      annotation: Authoritative time sources include for example, an internal Network
        Time Protocol (NTP) server, radio clock, atomic clock, GPS time source.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que les enregistrements de log\
            \ comprennent une source de temps faisant autorit\xE9 ou un horodateur\
            \ d'horloge interne qui sont compar\xE9s et synchronis\xE9s avec une source\
            \ de temps faisant autorit\xE9."
          annotation: "Les sources de temps faisant autorit\xE9 comprennent, par exemple,\
            \ un serveur interne NTP (Network Time Protocol), une horloge radio, une\
            \ horloge atomique, une source de temps GPS."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: PR.PT-1.3
      description: "The organization shall ensure that audit processing failures on\
        \ the organization's systems generate alerts and trigger defined responses.\t"
      annotation: The use of System Logging Protocol (Syslog) servers can be considered.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que les \xE9checs de traitement\
            \ des audits sur les syst\xE8mes de l'organisation g\xE9n\xE8rent des\
            \ alertes et d\xE9clenchent des r\xE9ponses d\xE9finies."
          annotation: "L'utilisation de serveurs System Logging Protocol (Syslog)\
            \ peut \xEAtre envisag\xE9e."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-1
      ref_id: PR.PT-1.4
      description: The organization shall enable authorized individuals to extend
        audit capabilities when required by events.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit permettre aux personnes autoris\xE9es\
            \ d'\xE9tendre les capacit\xE9s d'audit lorsque les \xE9v\xE9nements l'exigent."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-2
      description: Removable media is protected and its use restricted according to
        policy
      translations:
        fr:
          name: null
          description: "Les supports amovibles sont prot\xE9g\xE9s et leur utilisation\
            \ est limit\xE9e conform\xE9ment \xE0 la politique."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      ref_id: IMPORTANT_PR.PT-2.1
      description: The usage restriction of portable storage devices shall be ensured
        through an appropriate documented policy and supporting safeguards.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La restriction de l'utilisation des dispositifs de stockage\
            \ portables doit \xEAtre assur\xE9e par une politique document\xE9e appropri\xE9\
            e et des mesures de protection compl\xE9mentaires."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      ref_id: IMPORTANT_PR.PT-2.2
      description: The organisation should technically prohibit the connection of
        removable media unless strictly necessary; in other instances, the execution
        of autoruns from such media should be disabled.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Il convient que l'organisation interdisse techniquement la\
            \ connexion de supports amovibles, sauf si cela est strictement n\xE9\
            cessaire ; dans les autres cas, il convient de d\xE9sactiver l'ex\xE9\
            cution de programmes automatiques \xE0 partir de ces support."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-2
      ref_id: PR.PT-2.3
      description: '[KEY MEASURE] Portable storage devices containing system data
        shall be controlled and protected while in transit and in storage.'
      annotation: Protection and control should include the scanning of all portable
        storage devices for malicious code before they are used on organization's
        systems.
      implementation_groups:
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les dispositifs de stockage portables contenant\
            \ des donn\xE9es syst\xE8me doivent \xEAtre contr\xF4l\xE9s et prot\xE9\
            g\xE9s pendant leur transport et leur stockage."
          annotation: "Il convient que la protection et le contr\xF4le incluent le\
            \ scannage de tous les dispositifs de stockage portables pour d\xE9tecter\
            \ les codes malveillants avant qu'ils ne soient utilis\xE9s sur les syst\xE8\
            mes de l'organisation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-3
      description: The principle of least functionality is incorporated by configuring
        systems to provide only essential capabilities
      translations:
        fr:
          name: null
          description: "Le principe de la moindre fonctionnalit\xE9 est incorpor\xE9\
            \ en configurant les syst\xE8mes de mani\xE8re \xE0 ne fournir que les\
            \ capacit\xE9s essentielles."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_pr.pt-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      ref_id: IMPORTANT_PR.PT-3.1
      description: The organization shall configure the business critical systems
        to provide only essential capabilities.
      annotation: Consider applying the principle of least functionality to access
        systems and assets (see also PR.AC-4).
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit configurer les syst\xE8mes critiques pour\
            \ l'organisation afin de ne fournir que les capacit\xE9s essentielles."
          annotation: "Envisagez d'appliquer le principe de la moindre fonctionnalit\xE9\
            \ aux syst\xE8mes d'acc\xE8s et aux actifs (voir \xE9galement PR.AC-4)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      ref_id: PR.PT-3.2
      description: The organization shall disable defined functions, ports, protocols,
        and services within its critical systems that it deems unnecessary.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit d\xE9sactiver les fonctions, ports, protocoles\
            \ et services d\xE9finis au sein de ses syst\xE8mes critiques qu'il juge\
            \ inutiles."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-3
      ref_id: PR.PT-3.3
      description: The organization shall implement technical safeguards to enforce
        a deny-all, permit-by-exception policy to only allow the execution of authorized
        software programs.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des mesures de protection\
            \ techniques pour appliquer une politique de refus de tout, d'autorisation\
            \ par exception, afin de n'autoriser que l'ex\xE9cution des programmes\
            \ logiciels autoris\xE9s."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt
      ref_id: PR.PT-4
      description: Communications and control networks are protected
      translations:
        fr:
          name: null
          description: "Les r\xE9seaux de communication et de contr\xF4le sont prot\xE9\
            g\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_pr.pt-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      ref_id: BASIC_PR.PT-4.1
      description: Web and e-mail filters shall be installed and used.
      annotation: "\u2022\tE-mail filters should detect malicious e-mails, and filtering\
        \ should be configured based on the type of message attachments so that files\
        \ of the specified types are automatically processed (e.g. deleted).\n\u2022\
        \tWeb-filters should notify the user if a website may contain malware and\
        \ potentially preventing users from accessing that website."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Des filtres web et e-mail doivent \xEAtre install\xE9s et\
            \ utilis\xE9s."
          annotation: "\u2022 Il convient que les filtres de messagerie d\xE9tectent\
            \ les courriers \xE9lectroniques malveillants et que le filtrage soit\
            \ configur\xE9 en fonction du type de pi\xE8ces jointes des messages afin\
            \ que les fichiers des types sp\xE9cifi\xE9s soient automatiquement trait\xE9\
            s (par exemple, supprim\xE9s). \n\u2022 Il convient que les filtres Web\
            \ avertissent l'utilisateur si un site Web est susceptible de contenir\
            \ des logiciels malveillants et emp\xEAcher potentiellement les utilisateurs\
            \ d'acc\xE9der \xE0 ce site."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      ref_id: PR.PT-4.2
      description: The organization shall control the information flows/data flows
        within its critical systems and between interconnected systems.
      annotation: "Consider the following:\n\u2022\tInformation flow may be supported,\
        \ for example, by labelling or colouring physical connectors as an aid to\
        \ manual hook-up.\n\u2022\tInspection of message content may enforce information\
        \ flow policy. For example, a message containing a command to an actuator\
        \ may not be permitted to flow between the control network and any other network.\n\
        \u2022\tPhysical addresses (e.g., a serial port) may be implicitly or explicitly\
        \ associated with labels or attributes (e.g., hardware I/O address). Manual\
        \ methods are typically static. Label or attribute policy mechanisms may be\
        \ implemented in hardware, firmware, and software that controls or has device\
        \ access, such as device drivers and communications controllers."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit ma\xEEtriser les flux d'informations/de\
            \ donn\xE9es au sein de ses syst\xE8mes critiques et entre les syst\xE8\
            mes interconnect\xE9s."
          annotation: "Consid\xE9rez ce qui suit : \n\u2022 Le flux d'informations\
            \ peut \xEAtre facilit\xE9, par exemple, par l'\xE9tiquetage ou la coloration\
            \ des connecteurs physiques pour faciliter le branchement manuel. \n\u2022\
            \ L'inspection du contenu des messages peut permettre d'appliquer la politique\
            \ de circulation des informations. Par exemple, un message contenant une\
            \ commande \xE0 un actionneur peut ne pas \xEAtre autoris\xE9 \xE0 circuler\
            \ entre le r\xE9seau de contr\xF4le et tout autre r\xE9seau. \n\u2022\
            \ Les adresses physiques (par exemple, un port s\xE9rie) peuvent \xEA\
            tre implicitement ou explicitement associ\xE9es \xE0 des \xE9tiquettes\
            \ ou \xE0 des attributs (par exemple, une adresse d'I/O hardware). Les\
            \ m\xE9thodes manuelles sont g\xE9n\xE9ralement statiques. Les m\xE9canismes\
            \ de politique d'\xE9tiquettes ou d'attributs peuvent \xEAtre mis en \u0153\
            uvre dans le mat\xE9riel, les microprogrammes et les logiciels qui contr\xF4\
            lent ou ont acc\xE8s aux dispositifs, tels que les drivers et les contr\xF4\
            leurs de communications."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:pr.pt-4
      ref_id: PR.PT-4.3
      description: The organization shall manage the interface for external communication
        services by establishing a traffic flow policy, protecting the confidentiality
        and integrity of the information being transmitted; This includes the review
        and documenting of each exception to the traffic flow policy.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit g\xE9rer l'interface pour les services\
            \ de communication externe en \xE9tablissant une politique de flux de\
            \ trafic, prot\xE9geant la confidentialit\xE9 et l'int\xE9grit\xE9 des\
            \ informations transmises ; cela inclut l'examen et la documentation de\
            \ chaque exception \xE0 la politique de flux de trafic."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      assessable: false
      depth: 1
      ref_id: DE
      name: DETECT (DE)
      translations:
        fr:
          name: DETECTER (DE)
          description: null
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      ref_id: DE.AE
      name: Anomalies and Events
      description: Anomalous activity is detected and the potential impact of events
        is understood.
      translations:
        fr:
          name: "Anomalies et \xE9v\xE9nements"
          description: ''
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-1
      description: A baseline of network operations and expected data flows for users
        and systems is established and managed
      translations:
        fr:
          name: null
          description: "Une base de r\xE9f\xE9rence des op\xE9rations du r\xE9seau\
            \ et des flux de donn\xE9es attendus pour les utilisateurs et les syst\xE8\
            mes est \xE9tablie et g\xE9r\xE9e."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-1
      ref_id: DE.AE-1.1
      description: '[KEY MEASURE] The organization shall ensure that a baseline of
        network operations and expected data flows for its critical systems is developed,
        documented and maintained to track events.'
      annotation: "\u2022\tConsider enabling local logging on all your systems and\
        \ network devices and keep them for a certain period, for example up to 6\
        \ months.\n\u2022\tEnsure that your logs contain enough information (source,\
        \ date, user, timestamp, etc.) and that you have enough storage space for\
        \ their generation.\n\u2022\tConsider centralizing your logs.\n\u2022\tConsider\
        \ deploying a Security Information and Event Management tool (SIEM) that will\
        \ facilitate the correlation and analysis of your data."
      implementation_groups:
      - E
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit s'assurer qu'une base\
            \ de r\xE9f\xE9rence des op\xE9rations du r\xE9seau et des flux de donn\xE9\
            es attendus pour ses syst\xE8mes critiques est d\xE9velopp\xE9e, document\xE9\
            e et maintenue pour suivre les \xE9v\xE9nements."
          annotation: "\u2022 Envisagez d'activer l'enregistrement local sur tous\
            \ vos syst\xE8mes et p\xE9riph\xE9riques r\xE9seau et conservez-les pendant\
            \ une certaine p\xE9riode, par exemple jusqu'\xE0 6 mois. \n\u2022 Assurez-vous\
            \ que vos logs contiennent suffisamment d'informations (source, date,\
            \ utilisateur, horodatage, etc.) et que vous disposez d'un espace de stockage\
            \ suffisant pour leur g\xE9n\xE9ration. \n\u2022 Envisagez de centraliser\
            \ vos logs. \n\u2022 Envisagez le d\xE9ploiement d'un outil de gestion\
            \ des informations et des \xE9v\xE9nements de s\xE9curit\xE9 (SIEM) qui\
            \ facilitera la corr\xE9lation et l'analyse de vos donn\xE9es."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-2
      description: Detected events are analyzed to understand attack targets and methods
      translations:
        fr:
          name: null
          description: "Les \xE9v\xE9nements d\xE9tect\xE9s sont analys\xE9s pour\
            \ comprendre les cibles et les m\xE9thodes d\u2019attaque."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2
      ref_id: IMPORTANT_DE.AE-2.1
      description: The organization shall review and analyze detected events to understand
        attack targets and methods.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit examiner et analyser les \xE9v\xE9nements\
            \ d\xE9tect\xE9s pour comprendre les cibles et les m\xE9thodes d'attaque."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-2
      ref_id: DE.AE-2.2
      description: 'The organization shall implement automated mechanisms where feasible
        to review and analyze detected events. '
      annotation: Consider to review your logs regularly to identify anomalies or
        abnormal events.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des m\xE9canismes\
            \ automatis\xE9s, lorsque cela est possible, pour examiner et analyser\
            \ les \xE9v\xE9nements d\xE9tect\xE9s."
          annotation: "Pensez \xE0 examiner r\xE9guli\xE8rement vos logs pour identifier\
            \ les anomalies ou les \xE9v\xE9nements anormaux."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-3
      description: Event data are collected and correlated from multiple sources and
        sensors
      translations:
        fr:
          name: null
          description: "Les donn\xE9es d'\xE9v\xE9nements sont collect\xE9es et corr\xE9\
            l\xE9es \xE0 partir de sources et de capteurs multiples."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.ae-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      ref_id: BASIC_DE.AE-3.1
      description: "[KEY MEASURE] The activity logging functionality of protection\
        \ / detection hardware or software \n(e.g. firewalls, anti-virus) shall be\
        \ enabled, backed-up and reviewed."
      annotation: "\u2022\tLogs should be backed up and saved for a predefined period.\n\
        \u2022\tThe logs should be reviewed for any unusual or unwanted trends, such\
        \ as a large use of social media websites or an unusual number of viruses\
        \ consistently found on a particular computer. These trends may indicate a\
        \ more serious problem or signal the need for stronger protections in a particular\
        \ area."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] La fonctionnalit\xE9 d'enregistrement de l'activit\xE9\
            \ du mat\xE9riel ou du logiciel de protection/d\xE9tection (par exemple,\
            \ les pare-feu, les anti-virus) doit \xEAtre activ\xE9e, sauvegard\xE9\
            e et examin\xE9e."
          annotation: "\u2022 Il convient que les logs soient sauvegard\xE9s et conserv\xE9\
            s pendant une p\xE9riode pr\xE9d\xE9finie. \n\u2022 Il convient que les\
            \ logs soient examin\xE9s pour d\xE9celer toute tendance inhabituelle\
            \ ou ind\xE9sirable, telle qu'une utilisation importante des sites Web\
            \ de m\xE9dias sociaux ou un nombre inhabituel de virus trouv\xE9s r\xE9\
            guli\xE8rement sur un ordinateur particulier. Ces tendances peuvent indiquer\
            \ un probl\xE8me plus grave ou signaler la n\xE9cessit\xE9 de renforcer\
            \ les protections dans un domaine particulier."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      ref_id: IMPORTANT_DE.AE-3.2
      description: The organization shall ensure that event data is compiled and correlated
        across its critical systems using various sources such as event reports, audit
        monitoring, network monitoring, physical access monitoring, and user/administrator
        reports.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que les donn\xE9es relatives\
            \ aux \xE9v\xE9nements sont compil\xE9es et corr\xE9l\xE9es dans l'ensemble\
            \ de ses syst\xE8mes critiques en utilisant diverses sources telles que\
            \ les rapports d'\xE9v\xE9nements, la surveillance des audits, la surveillance\
            \ du r\xE9seau, la surveillance de l'acc\xE8s physique et les rapports\
            \ des utilisateurs/administrateurs."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-3
      ref_id: DE.AE-3.3
      description: The organization shall integrate analysis of events where feasible
        with the analysis of vulnerability scanning information; performance data;
        its critical system's monitoring, and facility monitoring to further enhance
        the ability to identify inappropriate or unusual activity.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit int\xE9grer l'analyse des \xE9v\xE9nements,\
            \ lorsque cela est possible, \xE0 l'analyse des informations du scannage\
            \ de vuln\xE9rabilit\xE9, aux donn\xE9es sur les performances, \xE0 la\
            \ surveillance de ses syst\xE8mes critiques et \xE0 la surveillance des\
            \ installations, afin d'am\xE9liorer encore la capacit\xE9 \xE0 identifier\
            \ les activit\xE9s inappropri\xE9es ou inhabituelles."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-4
      description: Impact of events is determined
      translations:
        fr:
          name: null
          description: "L'impact des \xE9v\xE9nements est d\xE9termin\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-4
      ref_id: DE.AE-4.1
      description: "Negative impacts to organization\u2019s operations, assets, and\
        \ individuals resulting from detected events shall be determined and correlated\
        \ with risk assessment outcomes."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les impacts n\xE9gatifs sur les op\xE9rations, les actifs\
            \ et les individus de l'organisation r\xE9sultant des \xE9v\xE9nements\
            \ d\xE9tect\xE9s doivent \xEAtre d\xE9termin\xE9s et mis en corr\xE9lation\
            \ avec les r\xE9sultats de l'\xE9valuation des risques."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae
      ref_id: DE.AE-5
      description: Incident alert thresholds are established
      translations:
        fr:
          name: null
          description: "Les seuils d'alerte des incidents sont \xE9tablis."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5
      ref_id: IMPORTANT_DE.AE-5.1
      description: The organization shall implement automated mechanisms and system
        generated alerts to support event detection and to assist in the identification
        of security alert thresholds.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des m\xE9canismes\
            \ automatis\xE9s et des alertes g\xE9n\xE9r\xE9es par le syst\xE8me pour\
            \ faciliter la d\xE9tection des \xE9v\xE9nements et l'identification des\
            \ seuils d'alerte de s\xE9curit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.ae-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.ae-5
      ref_id: IMPORTANT_DE.AE-5.2
      description: The organization shall define incident alert thresholds.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit d\xE9finir des seuils d'alerte d'incidents."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      ref_id: DE.CM
      name: Security Continuous Monitoring
      description: The information system and assets are monitored to identify cybersecurity
        events and verify the effectiveness of protective measures.
      translations:
        fr:
          name: "Surveillance continue de la s\xE9curit\xE9 "
          description: "Le syst\xE8me d'information et les actifs sont surveill\xE9\
            s pour identifier les \xE9v\xE9nements de cybers\xE9curit\xE9 et v\xE9\
            rifier l'efficacit\xE9 des mesures de protection."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-1
      description: The network is monitored to detect potential cybersecurity events
      translations:
        fr:
          name: null
          description: "Le r\xE9seau est surveill\xE9 pour d\xE9tecter les \xE9v\xE9\
            nements potentiels de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      ref_id: BASIC_DE.CM-1.1
      description: Firewalls shall be installed and  operated on the network boundaries
        and completed with firewall protection on the endpoints.
      annotation: "\u2022\tEndpoints include desktops, laptops, servers...\n\u2022\
        \tConsider, where feasible, including smart phones and other networked devices\
        \ when installing and operating firewalls.\n\u2022\tConsider limiting the\
        \ number of interconnection gateways to the Internet."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Des pare-feu doivent \xEAtre install\xE9s et exploit\xE9s\
            \ aux limites du r\xE9seau et compl\xE9t\xE9s par une protection pare-feu\
            \ sur les terminaux."
          annotation: "\u2022 Les terminaux comprennent les ordinateurs de bureau,\
            \ les ordinateurs portables, les serveurs... \n\u2022 Envisagez, dans\
            \ la mesure du possible, d'inclure les t\xE9l\xE9phones intelligents et\
            \ autres appareils en r\xE9seau dans l'installation et l'exploitation\
            \ des pare-feu. \u2022 Envisagez de limiter le nombre de gateways vers\
            \ internet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      ref_id: IMPORTANT_DE.CM-1.2
      description: '[KEY MEASURE] The organization shall monitor and identify unauthorized
        use of its business critical systems through the detection of unauthorized
        local connections, network connections and remote connections.'
      annotation: "\u2022\tMonitoring of network communications should happen at the\
        \ external boundary of the organization's business critical systems and at\
        \ key internal boundaries within the systems.\n\u2022\tWhen hosting internet\
        \ facing applications the implementation of a web application firewall (WAF)\
        \ should be considered."
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit surveiller et identifier\
            \ l'utilisation non autoris\xE9e de ses syst\xE8mes critiques pour l'organisation\
            \ en d\xE9tectant les connexions locales, les connexions r\xE9seau et\
            \ les connexions \xE0 distance non autoris\xE9es."
          annotation: "\u2022 Il convient que la surveillance des communications r\xE9\
            seau se fasse \xE0 la fronti\xE8re externe des syst\xE8mes critiques de\
            \ l'organisation et aux fronti\xE8res internes cl\xE9s des syst\xE8mes.\
            \ \n\u2022 Lors de l'h\xE9bergement d'applications tourn\xE9es vers l'internet,\
            \ il convient d'envisager la mise en place d'un pare-feu pour applications\
            \ web (WAF)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-1
      ref_id: DE.CM-1.3
      description: "The organization shall conduct ongoing security status monitoring\
        \ of its network to detect defined information/cybersecurity events and indicators\
        \ of potential information/cybersecurity events.\t"
      annotation: "Security status monitoring should include:\n\u2022\tThe generation\
        \ of system alerts when indications of compromise or potential compromise\
        \ occur.\n\u2022\tDetection and reporting of atypical usage of organization's\
        \ critical systems.\n\u2022\tThe establishment of audit records for defined\
        \ information/cybersecurity events.\n\u2022\tBoosting system monitoring activity\
        \ whenever there is an indication of increased risk.\n\u2022\tPhysical environment,\
        \ personnel, and service provider."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit effectuer une surveillance permanente\
            \ de l'\xE9tat de s\xE9curit\xE9 de son r\xE9seau afin de d\xE9tecter\
            \ les \xE9v\xE9nements d\xE9finis en mati\xE8re d'information/cybers\xE9\
            curit\xE9 et les indicateurs d'\xE9v\xE9nements potentiels en mati\xE8\
            re d'information/cybers\xE9curit\xE9."
          annotation: "Il convient que la surveillance de l'\xE9tat de la s\xE9curit\xE9\
            \ inclue : \n\u2022 La g\xE9n\xE9ration d'alertes syst\xE8me en cas d'indications\
            \ de compromission ou de compromission potentielle. \n\u2022 D\xE9tection\
            \ et signalement de l'utilisation atypique des syst\xE8mes critiques de\
            \ l'organisation. \n\u2022 L'\xE9tablissement d'enregistrements d'audit\
            \ pour des \xE9v\xE9nements d\xE9finis en mati\xE8re d'information/cybers\xE9\
            curit\xE9. \n\u2022 Renforcer l'activit\xE9 de surveillance du syst\xE8\
            me d\xE8s qu'il y a une indication d'un risque accru. \u2022 Environnement\
            \ physique, personnel et fournisseur de services."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-2
      description: The physical environment is monitored to detect potential cybersecurity
        events
      translations:
        fr:
          name: null
          description: "L'environnement physique est surveill\xE9 pour d\xE9tecter\
            \ les \xE9v\xE9nements potentiels de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2
      ref_id: IMPORTANT_DE.CM-2.1
      description: The physical environment of the facility shall be monitored for
        potential information/cybersecurity events.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'environnement physique de l'installation doit \xEAtre surveill\xE9\
            \ pour d\xE9tecter les \xE9v\xE9nements potentiels li\xE9s \xE0 l'information\
            \ et \xE0 la cybers\xE9curit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-2
      ref_id: DE.CM-2.2
      description: The physical access to organization's critical systems and devices
        shall be, on top of the physical access monitoring to the facility, increased
        through physical intrusion alarms, surveillance equipment, independent surveillance
        teams.
      annotation: It is recommended to log all visitors.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "En plus de la surveillance de l'acc\xE8s physique \xE0 l'installation,\
            \ l'acc\xE8s physique aux syst\xE8mes et dispositifs critiques de l'organisation\
            \ doit \xEAtre renforc\xE9 par des alarmes d'intrusion physique, des \xE9\
            quipements de surveillance et des \xE9quipes de surveillance ind\xE9pendantes."
          annotation: "Il est recommand\xE9 d'enregistrer tous les visiteurs."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-3
      description: Personnel activity is monitored to detect potential cybersecurity
        events
      translations:
        fr:
          name: null
          description: "L'activit\xE9 du personnel est surveill\xE9e pour d\xE9tecter\
            \ les \xE9v\xE9nements potentiels de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      ref_id: BASIC_DE.CM-3.1
      description: End point and network protection tools to monitor end-user behavior
        for dangerous activity shall be implemented.
      annotation: Consider deploying an Intrusion Detection/Prevention system (IDS/IPS).
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Des outils de protection des terminaux et des r\xE9seaux permettant\
            \ de surveiller le comportement de l'utilisateur final pour d\xE9tecter\
            \ toute activit\xE9 dangereuse doivent \xEAtre mis en \u0153uvre."
          annotation: "Envisagez le d\xE9ploiement d'un syst\xE8me de d\xE9tection/pr\xE9\
            vention des intrusions (IDS/IPS)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      ref_id: IMPORTANT_DE.CM-3.2
      description: End point and network protection tools that monitor end-user behavior
        for dangerous activity shall be managed.
      annotation: Consider using a centralized log platform for the consolidation
        and exploitation of log files. Consider to actively investigate the alerts
        generated because of suspicious activities and take the appropriate actions
        to remediate the threat, e.g. through the deployment of a security operations
        centre (SOC).
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les outils de protection des terminaux et des r\xE9seaux qui\
            \ surveillent le comportement de l'utilisateur final pour d\xE9tecter\
            \ toute activit\xE9 dangereuse doivent \xEAtre g\xE9r\xE9s."
          annotation: "\u2022 Envisagez l'utilisation d'une plateforme centralis\xE9\
            e pour la consolidation et l'exploitation des fichiers de logs. \n\u2022\
            \ Envisagez d'examiner activement les alertes g\xE9n\xE9r\xE9es par des\
            \ activit\xE9s suspectes et prenez les mesures appropri\xE9es pour rem\xE9\
            dier \xE0 la menace, par exemple en d\xE9ployant un centre op\xE9rationnel\
            \ de s\xE9curit\xE9 (SOC)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-3
      ref_id: IMPORTANT_DE.CM-3.3
      description: Software usage and installation restrictions shall be enforced.
      annotation: Only authorized software should be used and user access rights should
        be limited to the specific data, resources and applications needed to complete
        a required task (least privilege principle).
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les restrictions d'utilisation et d'installation des logiciels\
            \ sont appliqu\xE9es."
          annotation: "Il convient que seuls les logiciels autoris\xE9s soient utilis\xE9\
            s, et que les droits d'acc\xE8s des utilisateurs soient limit\xE9s aux\
            \ donn\xE9es, ressources et applications sp\xE9cifiques n\xE9cessaires\
            \ pour accomplir une t\xE2che requise (principe du moindre privil\xE8\
            ge)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-4
      description: Malicious code is detected
      translations:
        fr:
          name: null
          description: "Le code malveillant est d\xE9tect\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_de.cm-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4
      ref_id: BASIC_DE.CM-4.1
      description: '[KEY MEASURE] Anti-virus, -spyware, and other -malware programs
        shall be installed and updated.'
      annotation: "\u2022\tMalware includes viruses, spyware, and ransomware and should\
        \ be countered by installing, using, and regularly updating anti-virus and\
        \ anti-spyware software on every device used in company\u2019s business (including\
        \ computers, smart phones, tablets, and servers).\n\u2022\tAnti-virus and\
        \ anti-spyware software should automatically check for updates in \u201Creal-time\u201D\
        \ or at least daily followed by system scanning as appropriate.\n\u2022\t\
        It should be considered to provide the same malicious code protection mechanisms\
        \ for home computers (e.g. teleworking) or personal devices that are used\
        \ for professional work (BYOD)."
      implementation_groups:
      - B
      - I
      - E
      - BK
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] Les programmes anti-virus, anti-spyware et\
            \ autres programmes malveillants doivent \xEAtre install\xE9s et mis \xE0\
            \ jour."
          annotation: "\u2022 Les logiciels malveillants comprennent les virus, les\
            \ logiciels espions et les ransomwares et il convient qu\u2019ils soients\
            \ combattus par l'installation, l'utilisation et la mise \xE0 jour r\xE9\
            guli\xE8re de logiciels antivirus et anti logiciels espions sur chaque\
            \ appareil utilis\xE9 dans le cadre des activit\xE9s de l'organisation\
            \ (y compris les ordinateurs, les smartphones, les tablettes et les serveurs).\
            \ \n\u2022 Il convient que les logiciels antivirus et anti logiciels espions\
            \ recherchent automatiquement les mises \xE0 jour en \"temps r\xE9el\"\
            \ ou au moins quotidiennement, puis proc\xE9dent \xE0 une analyse du syst\xE8\
            me, le cas \xE9ch\xE9ant. \n\u2022 Il convient de fournir les m\xEAmes\
            \ m\xE9canismes de protection contre les codes malveillants pour les ordinateurs\
            \ \xE0 domicile (t\xE9l\xE9travail, par exemple) ou les appareils personnels\
            \ utilis\xE9s pour le travail professionnel (BYOD)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-4
      ref_id: DE.CM-4.2
      description: The organisation shall set up a system to detect false positives
        while detecting and eradicating malicious code.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en place un syst\xE8me de d\xE9\
            tection des faux positifs lors de la d\xE9tection et de l'\xE9radication\
            \ des codes malveillants."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-5
      description: Unauthorized mobile code is detected
      translations:
        fr:
          name: null
          description: "Un code mobile non autoris\xE9 est d\xE9tect\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-5
      ref_id: IMPORTANT_DE.CM-5.1
      description: The organization shall define acceptable and unacceptable mobile
        code and mobile code technologies; and authorize, monitor, and control the
        use of mobile code within the system.
      annotation: "\u2022\tMobile code includes any program, application, or content\
        \ that can be transmitted across a network (e.g., embedded in an email, document,\
        \ or website) and executed on a remote system. Mobile code technologies include\
        \  for example Java applets, JavaScript, HTML5, WebGL, and VBScript.\n\u2022\
        \tDecisions regarding the use of mobile code in organizational systems should\
        \ be based on the potential for the code to cause damage to the systems if\
        \ used maliciously. Usage restrictions and implementation guidance should\
        \ apply to the selection and use of mobile code installed."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit d\xE9finir le code mobile et les technologies\
            \ de code mobile acceptables et inacceptables ; et autoriser, surveiller\
            \ et contr\xF4ler l'utilisation du code mobile au sein du syst\xE8me."
          annotation: "\u2022 Le code mobile comprend tout programme, application\
            \ ou contenu qui peut \xEAtre transmis sur un r\xE9seau (par exemple,\
            \ int\xE9gr\xE9 dans un courrier \xE9lectronique, un document ou un site\
            \ web) et ex\xE9cut\xE9 sur un syst\xE8me distant. Les technologies de\
            \ code mobile comprennent par exemple les applets Java, JavaScript, HTML5,\
            \ WebGL et VBScript. \n\u2022 Il convient que les d\xE9cisions concernant\
            \ l'utilisation du code mobile dans les syst\xE8mes organisationnels soient\
            \ fond\xE9es sur le potentiel du code \xE0 causer des dommages aux syst\xE8\
            mes en cas d'utilisation malveillante. Il convient que des restrictions\
            \ d'utilisation et des conseils de mise en \u0153uvre s'appliquent \xE0\
            \ la s\xE9lection et \xE0 l'utilisation du code mobile install\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-6
      description: External service provider activity is monitored to detect potential
        cybersecurity events
      translations:
        fr:
          name: null
          description: "L'activit\xE9 des prestataires de services externes est surveill\xE9\
            e pour d\xE9tecter les \xE9v\xE9nements potentiels de cybers\xE9curit\xE9\
            ."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6
      ref_id: IMPORTANT_DE.CM-6.1
      description: All external connections by vendors supporting IT/OT applications
        or infrastructure shall be secured and actively monitored to ensure that only
        permissible actions occur during the connection.
      annotation: This monitoring includes unauthorized personnel access, connections,
        devices, and software.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Toutes les connexions externes des fournisseurs qui prennent\
            \ en charge des applications ou des infrastructures IT/OT doivent \xEA\
            tre s\xE9curis\xE9es et surveill\xE9es activement afin de garantir que\
            \ seules des actions autoris\xE9es se produisent pendant la connexion."
          annotation: "Cette surveillance comprend l'acc\xE8s du personnel non autoris\xE9\
            , les connexions, les dispositifs et les logiciels."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-6
      ref_id: IMPORTANT_DE.CM-6.2
      description: External service providers' conformance with personnel security
        policies and procedures and contract security requirements shall be monitored
        relative to their cybersecurity risks.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "La conformit\xE9 des prestataires de services externes aux\
            \ politiques et proc\xE9dures de s\xE9curit\xE9 du personnel et aux exigences\
            \ de s\xE9curit\xE9 contractuelles est contr\xF4l\xE9e par rapport aux\
            \ risques de cybers\xE9curit\xE9 qu'ils pr\xE9sentent."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-7
      description: Monitoring for unauthorized personnel, connections, devices, and
        software is performed
      translations:
        fr:
          name: null
          description: "La surveillance du personnel, des connexions, des dispositifs\
            \ et des logiciels non autoris\xE9s est effectu\xE9e."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7
      ref_id: IMPORTANT_DE.CM-7.1
      description: The organization's business critical systems shall be monitored
        for unauthorized personnel access, connections, devices, access points, and
        software.
      annotation: "\u2022\tUnauthorized personnel access includes access by external\
        \ service providers.\n\u2022\tSystem inventory discrepancies should be included\
        \ in the monitoring.\n\u2022\tUnauthorized configuration changes to organization's\
        \ critical systems should be included in the monitoring."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les syst\xE8mes essentiels aux op\xE9rations de l'organisation\
            \ doivent \xEAtre surveill\xE9s pour d\xE9tecter les acc\xE8s, les connexions,\
            \ les dispositifs, les points d'acc\xE8s et les logiciels non autoris\xE9\
            s par le personnel."
          annotation: "\u2022 L'acc\xE8s par du personnel non autoris\xE9 comprend\
            \ l'acc\xE8s par des prestataires de services externes. \n\u2022 Il convient\
            \ que les \xE9carts d'inventaire du syst\xE8me soient inclus dans le suivi.\
            \ \n\u2022 Il convient que les changements de configuration non autoris\xE9\
            s des syst\xE8mes critiques de l'organisation soient inclus dans la surveillance."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-7
      ref_id: DE.CM-7.2
      description: Unauthorized configuration changes to organization's systems shall
        be monitored and addressed with the appropriate mitigation actions.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les modifications non autoris\xE9es de la configuration des\
            \ syst\xE8mes de l'organisation doivent \xEAtre surveill\xE9es et trait\xE9\
            es par des mesures d'att\xE9nuation appropri\xE9es."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm
      ref_id: DE.CM-8
      description: Vulnerability scans are performed
      translations:
        fr:
          name: null
          description: "Les analyses de vuln\xE9rabilit\xE9 sont effectu\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8
      ref_id: IMPORTANT_DE.CM-8.1
      description: The organization shall monitor and scan for vulnerabilities in
        its critical systems and hosted applications ensuring that system functions
        are not adversely impacted by the scanning process.
      annotation: Consider the implementation of a continuous vulnerability scanning
        program; Including reporting and mitigation plans.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit surveiller et analyser les vuln\xE9rabilit\xE9\
            s de ses syst\xE8mes critiques et de ses applications h\xE9berg\xE9es\
            \ en veillant \xE0 ce que les fonctions du syst\xE8me ne soient pas affect\xE9\
            es par le processus d'analyse."
          annotation: "Envisagez la mise en \u0153uvre d'un programme de balayage\
            \ continu des vuln\xE9rabilit\xE9s ; y compris les rapports et les plans\
            \ d'att\xE9nuation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.cm-8.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.cm-8
      ref_id: IMPORTANT_DE.CM-8.2
      description: The vulnerability scanning process shall include analysis, remediation,
        and information sharing.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Le processus d'analyse de la vuln\xE9rabilit\xE9 comprend\
            \ l'analyse, la correction et le partage des informations."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de
      ref_id: DE.DP
      name: Detection Processes
      description: Detection processes and procedures are maintained and tested to
        ensure awareness of anomalous events.
      translations:
        fr:
          name: "Processus de d\xE9tection"
          description: "Les processus et proc\xE9dures de d\xE9tection sont maintenus\
            \ et test\xE9s pour garantir la prise de conscience des \xE9v\xE9nements\
            \ anormaux."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-2
      description: Detection activities comply with all applicable requirements
      translations:
        fr:
          name: null
          description: "Les activit\xE9s de d\xE9tection sont conformes \xE0 toutes\
            \ les exigences applicables."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-2
      ref_id: IMPORTANT_DE.DP-2.1
      description: The organization shall conduct detection activities in accordance
        with applicable federal and regional laws, industry regulations and standards,
        policies, and other applicable requirements.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mener des activit\xE9s de d\xE9tection\
            \ conform\xE9ment aux lois f\xE9d\xE9rales et r\xE9gionales, aux r\xE9\
            glementations et normes industrielles, aux politiques et aux autres exigences\
            \ applicables."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-3
      description: Detection processes are tested
      translations:
        fr:
          name: null
          description: "Les processus de d\xE9tection sont test\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-3
      ref_id: IMPORTANT_DE.DP-3.1
      description: The organization shall validate that event detection processes
        are operating as intended.
      annotation: "\u2022\tValidation includes testing.\n\u2022\tValidation should\
        \ be demonstrable."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit valider que les processus de d\xE9tection\
            \ des \xE9v\xE9nements fonctionnent comme pr\xE9vu."
          annotation: "\u2022 La validation comprend des tests. \n\u2022 Il convient\
            \ de pouvoir d\xE9montrer la validation."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-4
      description: Event detection information is communicated
      translations:
        fr:
          name: null
          description: "Les informations relatives \xE0 la d\xE9tection des \xE9v\xE9\
            nements sont communiqu\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-4
      ref_id: IMPORTANT_DE.DP-4.1
      description: The organization shall communicate event detection information
        to predefined parties.
      annotation: Event detection information includes for example, alerts on atypical
        account usage, unauthorized remote access, wireless connectivity, mobile device
        connection, altered configuration settings, contrasting system component inventory,
        use of maintenance tools and nonlocal maintenance, physical access, temperature
        and humidity, equipment delivery and removal, communications at the information
        system boundaries, use of mobile code, use of Voice over Internet Protocol
        (VoIP), and malware disclosure.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit communiquer les informations relatives\
            \ \xE0 la d\xE9tection des \xE9v\xE9nements aux parties pr\xE9d\xE9finies."
          annotation: "Les informations de d\xE9tection d'\xE9v\xE9nements comprennent,\
            \ par exemple, des alertes sur l'utilisation atypique d'un compte, l'acc\xE8\
            s \xE0 distance non autoris\xE9, la connectivit\xE9 sans fil, la connexion\
            \ d'un dispositif mobile, la modification des param\xE8tres de configuration,\
            \ l'inventaire contrast\xE9 des composants du syst\xE8me, l'utilisation\
            \ d'outils de maintenance et la maintenance non locale, l'acc\xE8s physique,\
            \ la temp\xE9rature et l'humidit\xE9, la livraison et le retrait d'\xE9\
            quipements, les communications aux fronti\xE8res du syst\xE8me d'information,\
            \ l'utilisation d'un code mobile, l'utilisation de la voix sur IP (VoIP)\
            \ et la divulgation de logiciels malveillants."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp
      ref_id: DE.DP-5
      description: Detection processes are continuously improved
      translations:
        fr:
          name: null
          description: "Les processus de d\xE9tection sont am\xE9lior\xE9s en permanence."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_de.dp-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5
      ref_id: IMPORTANT_DE.DP-5.1
      description: Improvements derived from the monitoring, measurement, assessment,
        testing, review, and lessons learned, shall be incorporated into detection
        process revisions.
      annotation: "\u2022\tThis results in a continuous improvement of the detection\
        \ processes.\n\u2022\tThe use of independent teams to assess the detection\
        \ process could be considered."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les am\xE9liorations d\xE9coulant de la surveillance, de la\
            \ mesure, de l'\xE9valuation, des tests, de l'examen et des enseignements\
            \ tir\xE9s seront incorpor\xE9es dans les r\xE9visions du processus de\
            \ d\xE9tection."
          annotation: "\u2022 Il en r\xE9sulte une am\xE9lioration continue des processus\
            \ de d\xE9tection. \n\u2022 Le recours \xE0 des \xE9quipes ind\xE9pendantes\
            \ pour \xE9valuer le processus de d\xE9tection pourrait \xEAtre envisag\xE9\
            ."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:de.dp-5
      ref_id: DE.DP-5.2
      description: The organization shall conduct specialized assessments including
        in-depth monitoring, vulnerability scanning, malicious user testing, insider
        threat assessment, performance/load testing, and verification and validation
        testing on the organization's critical systems.
      annotation: These activities can be outsourced, preferably to accredited organizations.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit effectuer des \xE9valuations sp\xE9cialis\xE9\
            es, notamment une surveillance approfondie, un scannage de vuln\xE9rabilit\xE9\
            , des tests d'utilisateurs malveillants, une \xE9valuation de la menace\
            \ interne, des tests de performance/charge, ainsi que des tests de v\xE9\
            rification et de validation sur les syst\xE8mes critiques de l'organisation."
          annotation: "Ces activit\xE9s peuvent \xEAtre externalis\xE9es, de pr\xE9\
            f\xE9rence aupr\xE8s d'organisations accr\xE9dit\xE9s."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      assessable: false
      depth: 1
      ref_id: RS
      name: RESPOND (RS)
      translations:
        fr:
          name: REPONDRE (RS)
          description: ''
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.RP
      name: Response Planning
      description: Response processes and procedures are executed and maintained,
        to ensure response to detected cybersecurity incidents.
      translations:
        fr:
          name: "Planification de la r\xE9ponse"
          description: "Les processus et proc\xE9dures de r\xE9ponse sont ex\xE9cut\xE9\
            s et maintenus, afin de garantir une r\xE9ponse aux incidents de cybers\xE9\
            curit\xE9 d\xE9tect\xE9s."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp
      ref_id: RS.RP-1
      description: Response plan is executed during or after an incident
      translations:
        fr:
          name: null
          description: " Le plan de r\xE9ponse est ex\xE9cut\xE9 pendant ou apr\xE8\
            s un incident."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.rp-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.rp-1
      ref_id: BASIC_RS.RP-1.1
      description: An incident response process, including roles, responsibilities,
        and authorities, shall be executed during or after an information/cybersecurity
        event on the organization's critical systems.
      annotation: "\u2022\tThe incident response process should include a predetermined\
        \ set of instructions or procedures to detect, respond to, and limit consequences\
        \ of a malicious cyber-attack.\n\u2022\tThe roles, responsibilities, and authorities\
        \ in the incident response plan should be specific on involved people, contact\
        \ info, different roles and responsibilities, and who makes the decision to\
        \ initiate recovery procedures as well as who will be the contact with appropriate\
        \ external stakeholders. It should be considered to determine the causes of\
        \ an information/cybersecurity event and implement a corrective action in\
        \ order that the event does not recur or occur elsewhere (an infection by\
        \ malicious code on one machine did not have spread elsewhere in the network).\
        \ The effectiveness of any corrective action taken should be reviewed. Corrective\
        \ actions should be appropriate to the effects of the information/cybersecurity\
        \ event encountered.\nInternal Note: Requirements are covered in PR.IP-9"
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un processus de r\xE9ponse aux incidents, comprenant les r\xF4\
            les, les responsabilit\xE9s et les pouvoirs, doit \xEAtre ex\xE9cut\xE9\
            \ pendant ou apr\xE8s un \xE9v\xE9nement li\xE9 \xE0 l'information ou\
            \ \xE0 la cybers\xE9curit\xE9 sur les syst\xE8mes critiques de l'organisation."
          annotation: "\u2022 Il convient que le processus de r\xE9ponse aux incidents\
            \ inclue un ensemble pr\xE9d\xE9termin\xE9 d'instructions ou de proc\xE9\
            dures pour d\xE9tecter, r\xE9pondre et limiter les cons\xE9quences d'une\
            \ cyber-attaque malveillante. \n\u2022 Il convient que les r\xF4les, les\
            \ responsabilit\xE9s et les pouvoirs pr\xE9vus dans le plan de r\xE9ponse\
            \ aux incidents soient pr\xE9cis quant aux personnes impliqu\xE9es, leurs\
            \ coordonn\xE9es, leurs diff\xE9rents r\xF4les et responsabilit\xE9s,\
            \ \xE0 la personne qui prend la d\xE9cision de lancer les proc\xE9dures\
            \ de r\xE9tablissement et \xE0 celle qui sera le contact avec les parties\
            \ prenantes externes appropri\xE9es. \n\u2022 Il convient d\u2019envisager\
            \ de d\xE9terminer les causes d'un \xE9v\xE9nement de s\xE9curit\xE9 de\
            \ l'information/cybers\xE9curit\xE9 et de mettre en \u0153uvre une action\
            \ corrective afin que l'\xE9v\xE9nement ne se reproduise plus ou ne se\
            \ produise pas ailleurs (une infection par un code malveillant sur une\
            \ machine ne s'est pas propag\xE9e ailleurs dans le r\xE9seau). Il convient\
            \ que l'efficacit\xE9 de toute mesure corrective prise soit examin\xE9\
            e. Il convient que les actions correctives soient adapt\xE9es aux effets\
            \ de l'\xE9v\xE9nement de s\xE9curit\xE9 de l'information/cybers\xE9curit\xE9\
            \ rencontr\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.CO
      name: Communications
      description: Response activities are coordinated with internal and external
        stakeholders (e.g. external support from law enforcement agencies).
      translations:
        fr:
          name: Communications
          description: "Les activit\xE9s de r\xE9ponse sont coordonn\xE9es avec les\
            \ parties prenantes internes et externes (par exemple, le soutien externe\
            \ des forces de l'ordre)."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-1
      description: Personnel know their roles and order of operations when a response
        is needed
      translations:
        fr:
          name: null
          description: "Le personnel conna\xEEt ses r\xF4les et l'ordre des op\xE9\
            rations lorsqu'une r\xE9ponse est n\xE9cessaire."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-1
      ref_id: IMPORTANT_RS.CO-1.1
      description: The organization shall ensure that personnel understand their roles,
        objectives, restoration priorities, task sequences (order of operations) and
        assignment responsibilities for event response.
      annotation: Consider the use the CCB Incident Management Guide to guide you
        through this exercise and consider bringing in outside experts if needed.
        Test your plan regularly and adjust it after each incident.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit s'assurer que le personnel comprend ses\
            \ r\xF4les, ses objectifs, les priorit\xE9s de restauration, les s\xE9\
            quences de t\xE2ches (ordre des op\xE9rations) et les responsabilit\xE9\
            s d'affectation pour la r\xE9ponse aux \xE9v\xE9nements."
          annotation: "Envisagez d'utiliser le Guide de gestion des incidents du CCB\
            \ pour vous guider dans cet exercice et envisagez de faire appel \xE0\
            \ des experts ext\xE9rieurs si n\xE9cessaire. Testez votre plan r\xE9\
            guli\xE8rement et ajustez- le apr\xE8s chaque incident."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-2
      description: Incidents are reported consistent with established criteria
      translations:
        fr:
          name: null
          description: "Les incidents sont signal\xE9s conform\xE9ment aux crit\xE8\
            res \xE9tablis."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2
      ref_id: IMPORTANT_RS.CO-2.1
      description: The organization shall implement reporting on information/cybersecurity
        incidents on its critical systems in an organization-defined time frame to
        organization-defined personnel or roles.
      annotation: All users should have a single point of contact to report any incident
        and be encouraged to do so.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en place un syst\xE8me de notification\
            \ des incidents li\xE9s \xE0 la s\xE9curit\xE9 de l'information/cybers\xE9\
            curit\xE9 sur ses syst\xE8mes critiques, dans un d\xE9lai d\xE9fini par\
            \ l'organisation, \xE0 l'intention du personnel ou des r\xF4les d\xE9\
            finis par l'organisation."
          annotation: "Il convient que tous les utilisateurs aient un point de contact\
            \ unique pour signaler tout incident et soient encourag\xE9s \xE0 le faire."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-2
      ref_id: RS.CO-2.2
      description: Events shall be reported consistent with established criteria.
      annotation: Criteria to report should be included in the incident response plan.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les \xE9v\xE9nements doivent \xEAtre signal\xE9s conform\xE9\
            ment aux crit\xE8res \xE9tablis."
          annotation: "Il convient que les crit\xE8res de signalement soient inclus\
            \ dans le plan de r\xE9ponse aux incidents."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-3
      description: Information is shared consistent with response plans
      translations:
        fr:
          name: null
          description: "Les informations sont partag\xE9es conform\xE9ment aux plans\
            \ de r\xE9ponse."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.co-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3
      ref_id: BASIC_RS.CO-3.1
      description: "Information/cybersecurity incident information shall be communicated\
        \ and shared with the organization\u2019s employees in a format that they\
        \ can understand."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les informations relatives aux incidents de cybers\xE9curit\xE9\
            \ doivent \xEAtre communiqu\xE9es et partag\xE9es avec les employ\xE9\
            s de l'organisation dans un format qu'ils peuvent comprendre."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-3
      ref_id: IMPORTANT_RS.CO-3.2
      description: The organization shall share information/cybersecurity incident
        information with relevant stakeholders as foreseen in the incident response
        plan.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit partager les informations relatives aux\
            \ incidents de cybers\xE9curit\xE9 avec les parties prenantes concern\xE9\
            es, comme pr\xE9vu dans le plan de r\xE9ponse aux incidents."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-4
      description: Coordination with stakeholders occurs consistent with response
        plans
      translations:
        fr:
          name: null
          description: "La coordination avec les parties prenantes se fait conform\xE9\
            ment aux plans de r\xE9ponse."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-4
      ref_id: IMPORTANT_RS.CO-4.1
      description: The organization shall coordinate information/cybersecurity incident
        response actions with all predefined stakeholders.
      annotation: "\u2022\tStakeholders for incident response include for example,\
        \ mission/business owners, organization's critical system owners, integrators,\
        \ vendors, human resources offices, physical and personnel security offices,\
        \ legal departments, operations personnel, and procurement offices.\n\u2022\
        \tCoordination with stakeholders occurs consistent with incident response\
        \ plans."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit coordonner les actions de r\xE9ponse aux\
            \ incidents de s\xE9curit\xE9 de l'information/cybers\xE9curit\xE9 avec\
            \ toutes les parties prenantes pr\xE9d\xE9finies."
          annotation: "\u2022 Les parties prenantes de la r\xE9ponse aux incidents\
            \ comprennent par exemple les gestionnaires de la mission/de l'activit\xE9\
            , les gestionnaires des syst\xE8mes critiques de l'organisation, les int\xE9\
            grateurs, les fournisseurs, les bureaux des ressources humaines, les bureaux\
            \ de la s\xE9curit\xE9 physique et du personnel, les services juridiques,\
            \ le personnel des op\xE9rations et les bureaux des achats. \n\u2022 La\
            \ coordination avec les parties prenantes se fait conform\xE9ment aux\
            \ plans de r\xE9ponse aux incidents."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co
      ref_id: RS.CO-5
      description: 'Voluntary information sharing occurs with external stakeholders
        to achieve broader cybersecurity situational awareness '
      translations:
        fr:
          name: null
          description: "Le partage volontaire d'informations se fait avec des parties\
            \ prenantes externes afin d'obtenir une meilleure connaissance de la situation\
            \ en mati\xE8re de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.co-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.co-5
      ref_id: IMPORTANT_RS.CO-5.1
      description: "The organization shall share information/cybersecurity event information\
        \ voluntarily, as appropriate, with external stakeholders, industry security\
        \ groups,\u2026 to achieve broader information/cybersecurity situational awareness."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit partager volontairement les informations\
            \ sur les \xE9v\xE9nements de cybers\xE9curit\xE9, le cas \xE9ch\xE9ant,\
            \ avec les parties prenantes externes, les groupes de s\xE9curit\xE9 de\
            \ l'industrie... afin de parvenir \xE0 une connaissance plus large de\
            \ la situation en mati\xE8re d'information et de cybers\xE9curit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.AN
      name: Analysis
      description: Analysis is conducted to ensure effective response and support
        recovery activities.
      translations:
        fr:
          name: Analyse
          description: "Une analyse est effectu\xE9e pour garantir une r\xE9ponse\
            \ efficace et soutenir les activit\xE9s de r\xE9tablissement."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-1
      description: Notifications from detection systems are investigated
      translations:
        fr:
          name: null
          description: "Les notifications des syst\xE8mes de d\xE9tection sont examin\xE9\
            es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1
      ref_id: IMPORTANT_RS.AN-1.1
      description: The organization shall investigate information/cybersecurity-related
        notifications generated from detection systems.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit enqu\xEAter sur les notifications relatives\
            \ \xE0 l'information/la cybers\xE9curit\xE9 g\xE9n\xE9r\xE9es par les\
            \ syst\xE8mes de d\xE9tection."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-1
      ref_id: RS.AN-1.2
      description: The organization shall implement automated mechanisms to assist
        in the investigation and analysis of information/cybersecurity-related notifications.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des m\xE9canismes\
            \ automatis\xE9s pour faciliter l'enqu\xEAte et l'analyse des notifications\
            \ li\xE9es \xE0 l'information/la cybers\xE9curit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-2
      description: The impact of the incident is understood
      translations:
        fr:
          name: null
          description: L'impact de l'incident est compris.
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2
      ref_id: IMPORTANT_RS.AN-2.1
      description: Thorough investigation and result analysis shall be the base for
        understanding the full implication of the information/cybersecurity incident.
      annotation: "\u2022\tResult analysis can involve the outcome of determining\
        \ the correlation between the information of the detected event and the outcome\
        \ of risk assessments. In this way, insight is gained into the impact of the\
        \ event across the organization.\n\u2022\tConsider including detection of\
        \ unauthorized changes to its critical systems in its incident response capabilities."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Une enqu\xEAte approfondie et l'analyse des r\xE9sultats doivent\
            \ permettre de comprendre toutes les implications de l'incident de s\xE9\
            curit\xE9 de l'information/cybers\xE9curit\xE9."
          annotation: "\u2022 L'analyse des r\xE9sultats peut consister \xE0 d\xE9\
            terminer la corr\xE9lation entre les informations de l'\xE9v\xE9nement\
            \ d\xE9tect\xE9 et les r\xE9sultats des \xE9valuations des risques. De\
            \ cette fa\xE7on, on obtient un aper\xE7u de l'impact de l'\xE9v\xE9nement\
            \ sur l'ensemble de l'organisation. \n\u2022 Envisager d'inclure la d\xE9\
            tection des modifications non autoris\xE9es de ses syst\xE8mes critiques\
            \ dans ses capacit\xE9s de r\xE9ponse aux incidents."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-2
      ref_id: RS.AN-2.2
      description: The organization shall implement automated mechanisms to support
        incident impact analysis.
      annotation: Implementation could vary from a ticketing system to a Security
        Information and Event Management (SIEM).
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre des m\xE9canismes\
            \ automatis\xE9s pour soutenir l'analyse de l'impact des incidents."
          annotation: "La mise en \u0153uvre peut aller d'un syst\xE8me de billetterie\
            \ \xE0 un syst\xE8me de gestion des informations et des \xE9v\xE9nements\
            \ de s\xE9curit\xE9 (SIEM)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-3
      description: Forensics are performed
      translations:
        fr:
          name: null
          description: "L'analyse forensique est r\xE9alis\xE9e."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3
      ref_id: RS.AN-3.1
      description: The organization shall provide on-demand audit review, analysis,
        and reporting for after-the-fact investigations of information/cybersecurity
        incidents.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit fournir un examen, une analyse et un rapport\
            \ d'audit \xE0 la demande pour les enqu\xEAtes apr\xE8s coup sur les incidents\
            \ li\xE9s \xE0 l'information et \xE0 la cybers\xE9curit\xE9."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-3
      ref_id: RS.AN-3.2
      description: The organization shall conduct forensic analysis on collected information/cybersecurity
        event information to determine root cause.
      annotation: Consider to determine the root cause of an incident. If necessary,
        use forensics analysis on collected information/cybersecurity event information
        to achieve this.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit effectuer une analyse forensique des informations\
            \ collect\xE9es/des informations sur les \xE9v\xE9nements de cybers\xE9\
            curit\xE9 afin de d\xE9terminer la cause d'origine."
          annotation: "Envisagez de d\xE9terminer la cause d\u2019origine d'un incident.\
            \ Si n\xE9cessaire, utilisez l'analyse forensique des informations recueillies/des\
            \ informations sur les \xE9v\xE9nements de cybers\xE9curit\xE9 pour y\
            \ parvenir."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-4
      description: Incidents are categorized consistent with response plans
      translations:
        fr:
          name: null
          description: "Les incidents sont class\xE9s par cat\xE9gories conform\xE9\
            ment aux plans de r\xE9ponse."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-4
      ref_id: IMPORTANT_RS.AN-4.1
      description: Information/cybersecurity incidents shall be categorized according
        to the level of severity and impact consistent with the evaluation criteria
        included the incident response plan.
      annotation: "\u2022\tIt should be considered to determine the causes of an information/cybersecurity\
        \ incident and implement a corrective action in order that the incident does\
        \ not recur or occur elsewhere.\n\u2022\tThe effectiveness of any corrective\
        \ action taken should be reviewed.\n\u2022\tCorrective actions should be appropriate\
        \ to the effects of the information/cybersecurity incident encountered."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les incidents li\xE9s \xE0 l'information et \xE0 la cybers\xE9\
            curit\xE9 sont class\xE9s en fonction de leur niveau de gravit\xE9 et\
            \ de leur impact, conform\xE9ment aux crit\xE8res d'\xE9valuation inclus\
            \ dans le plan de r\xE9ponse aux incidents."
          annotation: "\u2022 Il convient d\u2019envisag\xE9e de d\xE9terminer les\
            \ causes d'un incident de s\xE9curit\xE9 de l'information/cybers\xE9curit\xE9\
            \ et de mettre en \u0153uvre une action corrective afin que l'incident\
            \ ne se reproduise plus ou ne se reproduise pas ailleurs. \u2022 Il convient\
            \ que l'efficacit\xE9 de toute mesure corrective prise soit examin\xE9\
            e. \n\u2022 Il convient que les actions correctives soient adapt\xE9es\
            \ aux effets de l'incident de s\xE9curit\xE9 de l'information/cybers\xE9\
            curit\xE9 rencontr\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an
      ref_id: RS.AN-5
      description: Processes are established to receive, analyze and respond to vulnerabilities
        disclosed to the organization from internal and external sources (e.g. internal
        testing, security bulletins, or security researchers)
      translations:
        fr:
          name: null
          description: "Des processus sont \xE9tablis pour recevoir, analyser et r\xE9\
            pondre aux vuln\xE9rabilit\xE9s divulgu\xE9es \xE0 l'organisation par\
            \ des sources internes et externes (par exemple, tests internes, bulletins\
            \ de s\xE9curit\xE9 ou chercheurs en s\xE9curit\xE9)."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.an-5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5
      ref_id: IMPORTANT_RS.AN-5.1
      description: '[KEY MEASURE] The organization shall implement vulnerability management
        processes and procedures that include processing, analyzing and remedying
        vulnerabilities from internal and external sources. '
      annotation: Internal and external sources could be e.g. internal testing, security
        bulletins, or security researchers.
      implementation_groups:
      - I
      - E
      - IK
      - EK
      translations:
        fr:
          name: null
          description: "[MESURE CL\xC9] L'organisation doit mettre en \u0153uvre des\
            \ processus et des proc\xE9dures de gestion des vuln\xE9rabilit\xE9s qui\
            \ comprennent le traitement, l'analyse et la correction des vuln\xE9rabilit\xE9\
            s provenant de sources internes et externes."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.an-5
      ref_id: RS.AN-5.2
      description: The organization shall implement automated mechanisms to disseminate
        and track remediation efforts for vulnerability information, captured from
        internal and external sources, to key stakeholders.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en place des m\xE9canismes automatis\xE9\
            s pour diffuser et suivre les efforts de rem\xE9diation pour les informations\
            \ de vuln\xE9rabilit\xE9s, captur\xE9es \xE0 partir de sources internes\
            \ et externes, aupr\xE8s des principales parties prenantes."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.MI
      name: Mitigation
      description: Activities are performed to prevent expansion of an event, mitigate
        its effects, and resolve the incident.
      translations:
        fr:
          name: "Att\xE9nuation"
          description: "Les activit\xE9s de r\xE9ponse de l'organisation sont am\xE9\
            lior\xE9es par l'int\xE9gration des enseignements tir\xE9s des activit\xE9\
            s de d\xE9tection/r\xE9ponse actuelles et pr\xE9c\xE9dentes."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi
      ref_id: RS.MI-1
      description: Incidents are contained
      translations:
        fr:
          name: null
          description: Les incidents sont contenus.
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.mi-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.mi-1
      ref_id: IMPORTANT_RS.MI-1.1
      description: The organization shall implement an incident handling capability
        for information/cybersecurity incidents on its business critical systems that
        includes preparation, detection and analysis, containment, eradication, recovery
        and documented risk acceptance.
      annotation: A documented risk acceptance deals with risks that the organisation
        assesses as not dangerous to the organisation's business critical systems
        and where the risk owner formally accepts the risk (related with the risk
        appetite of the organization)
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre une capacit\xE9 de\
            \ traitement des incidents de s\xE9curit\xE9 de l'information/cybers\xE9\
            curit\xE9 sur ses syst\xE8mes essentiels \xE0 l'activit\xE9, qui comprend\
            \ la pr\xE9paration, la d\xE9tection et l'analyse, le confinement, l'\xE9\
            radication, le r\xE9tablissement et l'acceptation document\xE9e des risques."
          annotation: "Une acceptation des risques document\xE9e concerne les risques\
            \ que l'organisation \xE9value comme non dangereux pour les syst\xE8mes\
            \ critiques de l'organisation et pour lesquels le propri\xE9taire du risque\
            \ accepte formellement le risque (en relation avec l'app\xE9tit de l'organisation\
            \ pour le risque)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs
      ref_id: RS.IM
      name: Improvements
      description: Organizational response activities are improved by incorporating
        lessons learned from current and previous detection/response activities.
      translations:
        fr:
          name: "Am\xE9liorations "
          description: "Les activit\xE9s de r\xE9ponse de l'organisation sont am\xE9\
            lior\xE9es par l'int\xE9gration des enseignements tir\xE9s des activit\xE9\
            s de d\xE9tection/r\xE9ponse actuelles et pr\xE9c\xE9dentes."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im
      ref_id: RS.IM-1
      description: Response plans incorporate lessons learned
      translations:
        fr:
          name: null
          description: "Les plans de r\xE9ponse int\xE8grent les le\xE7ons apprises."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rs.im-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1
      ref_id: BASIC_RS.IM-1.1
      description: The organization shall conduct post-incident evaluations to analyse
        lessons learned from incident response and recovery, and consequently improve
        processes / procedures / technologies to enhance its cyber resilience.
      annotation: Consider bringing involved people together after each incident and
        reflect together on ways to improve what happened, how it happened, how we
        reacted, how it could have gone better, what should be done to prevent it
        from happening again, etc.
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit effectuer des \xE9valuations post-incident\
            \ afin d'analyser les enseignements tir\xE9s de la r\xE9ponse \xE0 l'incident\
            \ et du r\xE9tablissement, et par cons\xE9quent am\xE9liorer les processus\
            \ / proc\xE9dures / technologies pour renforcer sa cyber-r\xE9silience."
          annotation: "Envisagez de r\xE9unir les personnes concern\xE9es apr\xE8\
            s chaque incident et r\xE9fl\xE9chissez ensemble aux moyens d'am\xE9liorer\
            \ ce qui s'est pass\xE9, comment cela s'est pass\xE9, comment nous avons\
            \ r\xE9agi, comment cela aurait pu mieux se passer, ce qui devrait \xEA\
            tre fait pour \xE9viter que cela ne se reproduise, etc."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-1
      ref_id: IMPORTANT_RS.IM-1.2
      description: Lessons learned from incident handling shall be translated into
        updated or new incident handling procedures that shall be tested, approved
        and trained.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "Les enseignements tir\xE9s du traitement des incidents sont\
            \ traduits en proc\xE9dures de traitement des incidents actualis\xE9es\
            \ ou nouvelles qui sont test\xE9es, approuv\xE9es et enseign\xE9es."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im
      ref_id: RS.IM-2
      description: Response and Recovery strategies are updated
      translations:
        fr:
          name: null
          description: "Les plans de r\xE9ponse int\xE8grent les le\xE7ons apprises."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rs.im-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rs.im-2
      ref_id: IMPORTANT_RS.IM-2.1
      description: The organization shall update the response and recovery  plans
        to address changes in its context.
      annotation: "The organization\u2019s context relates to the organizational structure,\
        \ its critical systems, attack vectors, new threats, improved technology,\
        \ environment of operation, problems encountered during plan implementation/execution/testing\
        \ and lessons learned."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre \xE0 jour les plans de r\xE9ponse\
            \ et de r\xE9tablissement pour tenir compte des changements survenus dans\
            \ son contexte."
          annotation: "Le contexte de l'organisation concerne la structure organisationnelle,\
            \ ses syst\xE8mes critiques, les vecteurs d'attaque, les nouvelles menaces,\
            \ les am\xE9liorations technologiques, l'environnement d'exploitation,\
            \ les probl\xE8mes rencontr\xE9s lors de la mise en \u0153uvre/ex\xE9\
            cution/test du plan et les enseignements tir\xE9s."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      assessable: false
      depth: 1
      ref_id: RC
      name: RECOVER (RC)
      translations:
        fr:
          name: RETABLIR (RC)
          description: ''
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      ref_id: RC.RP
      name: Recovery Planning
      description: Recovery processes and procedures are executed and maintained to
        ensure restoration of systems or assets affected by cybersecurity incidents.
      translations:
        fr:
          name: "Planification du r\xE9tablissement "
          description: "Des processus et des proc\xE9dures de r\xE9tablissement sont\
            \ ex\xE9cut\xE9s et maintenus pour assurer la restauration des syst\xE8\
            mes ou des actifs touch\xE9s par des incidents de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp
      ref_id: RC.RP-1
      description: 'Recovery plan is executed during or after a cybersecurity incident '
      translations:
        fr:
          name: null
          description: " Le plan de reprise est ex\xE9cut\xE9 pendant ou apr\xE8s\
            \ un incident de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:basic_rc.rp-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1
      ref_id: BASIC_RC.RP-1.1
      description: A recovery process for disasters and information/cybersecurity
        incidents shall be developed and executed as appropriate.
      annotation: "A process should be developed for what immediate actions will be\
        \ taken in case of a fire, medical emergency, burglary, natural disaster,\
        \ or  an information/cyber security incident.\nThis process should consider:\n\
        \u2022\tRoles and Responsibilities, including of who makes the decision to\
        \ initiate recovery procedures and who will be the contact with appropriate\
        \ external stakeholders.\n\u2022\tWhat to do with company\u2019s information\
        \ and information systems in case of an incident. This includes shutting down\
        \ or locking computers, moving to a backup site, physically removing important\
        \ documents, etc.\n\u2022\tWho to call in case of an incident."
      implementation_groups:
      - B
      - I
      - E
      translations:
        fr:
          name: null
          description: "Un processus de r\xE9tablissement en cas de catastrophes et\
            \ d'incidents li\xE9s \xE0 l'information et \xE0 la cybers\xE9curit\xE9\
            \ est \xE9labor\xE9 et ex\xE9cut\xE9 selon les besoins."
          annotation: "Il convient qu\u2019un processus soit \xE9labor\xE9 pour d\xE9\
            terminer les mesures imm\xE9diates \xE0 prendre en cas d'incendie, d'urgence\
            \ m\xE9dicale, de cambriolage, de catastrophe naturelle ou d'incident\
            \ de s\xE9curit\xE9 informatique. Il convient que ce processus prenne\
            \ en compte : \n\u2022 R\xF4les et responsabilit\xE9s, y compris qui prend\
            \ la d\xE9cision de lancer les proc\xE9dures de r\xE9tablissement et qui\
            \ sera le contact avec les parties prenantes externes appropri\xE9es.\
            \ \n\u2022 Ce qu'il faut faire avec les informations et les syst\xE8mes\
            \ d'information de l'organisation en cas d'incident. Cela comprend l'arr\xEA\
            t ou le verrouillage des ordinateurs, le d\xE9placement vers un site de\
            \ secours, le retrait physique des documents importants, etc. \n\u2022\
            \ Qui appeler en cas d'incident."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.rp-1
      ref_id: RC.RP-1.2
      description: "The essential organization\u2019s functions and services shall\
        \ be continued with little or no loss of operational continuity and continuity\
        \ shall be sustained until full system restoration."
      annotation: No additional guidance on this topic.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Les fonctions et services de l'organisation essentielle doivent\
            \ \xEAtre poursuivis avec peu ou pas de perte de continuit\xE9 op\xE9\
            rationnelle et la continuit\xE9 doit \xEAtre maintenue jusqu'\xE0 la restauration\
            \ compl\xE8te du syst\xE8me."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      ref_id: RC.IM
      name: Improvements
      description: Recovery planning and processes are improved by incorporating lessons
        learned into future activities.
      translations:
        fr:
          name: "Am\xE9liorations "
          description: "Des processus et des proc\xE9dures de r\xE9tablissement sont\
            \ ex\xE9cut\xE9s et maintenus pour assurer la restauration des syst\xE8\
            mes ou des actifs touch\xE9s par des incidents de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im
      ref_id: RC.IM-1
      description: Recovery plans incorporate lessons learned
      translations:
        fr:
          name: null
          description: "Les plans de r\xE9tablissement int\xE8grent les le\xE7ons\
            \ apprises."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.im-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.im-1
      ref_id: IMPORTANT_RC.IM-1.1
      description: The organization shall incorporate lessons learned from incident
        recovery activities into updated or new system recovery procedures and, after
        testing, frame this with appropriate training.
      annotation: No additional guidance on this topic.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit int\xE9grer les enseignements tir\xE9\
            s des activit\xE9s de r\xE9tablissement des incidents dans les proc\xE9\
            dures de r\xE9tablissement du syst\xE8me, nouvelles ou mises \xE0 jour,\
            \ et, apr\xE8s les avoir test\xE9es, les encadrer par une formation appropri\xE9\
            e."
          annotation: "Aucune orientation suppl\xE9mentaire sur ce sujet."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc
      ref_id: RC.CO
      name: Communications
      description: Restoration activities are coordinated with internal and external
        parties (e.g.  coordinating centers, Internet Service Providers, owners of
        attacking systems, victims, other CSIRTs, and vendors).
      translations:
        fr:
          name: 'Communications '
          description: "Des processus et des proc\xE9dures de r\xE9tablissement sont\
            \ ex\xE9cut\xE9s et maintenus pour assurer la restauration des syst\xE8\
            mes ou des actifs touch\xE9s par des incidents de cybers\xE9curit\xE9."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      ref_id: RC.CO-1
      description: Public relations are managed
      translations:
        fr:
          name: null
          description: "Les relations publiques sont g\xE9r\xE9es."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1
      ref_id: IMPORTANT_RC.CO-1.1
      description: The organization shall centralize and coordinate how information
        is disseminated and manage how the organization is presented to the public.
      annotation: "Public relations management may include, for example, managing\
        \ media interactions, coordinating and logging all requests for interviews,\
        \ handling and \u2018triaging\u2019 phone calls and e-mail requests, matching\
        \ media requests with appropriate and available internal experts who are ready\
        \ to be interviewed, screening all of information provided to the media, ensuring\
        \ personnel are familiar with public relations and privacy policies."
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit centraliser et coordonner la mani\xE8\
            re dont les informations sont diffus\xE9es et g\xE9rer la mani\xE8re dont\
            \ l'organisation est pr\xE9sent\xE9e au public."
          annotation: "La gestion des relations publiques peut comprendre, par exemple,\
            \ la gestion des interactions avec les m\xE9dias, la coordination et l'enregistrement\
            \ de toutes les demandes d'interviews, le traitement et le triage des\
            \ appels t\xE9l\xE9phoniques et des demandes par e-mail, la mise en relation\
            \ des demandes des m\xE9dias avec les experts internes appropri\xE9s et\
            \ disponibles qui sont pr\xEAts \xE0 \xEAtre interview\xE9s, le filtrage\
            \ de toutes les informations fournies aux m\xE9dias, l'assurance que le\
            \ personnel conna\xEEt bien les politiques en mati\xE8re de relations\
            \ publiques et de confidentialit\xE9."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-1
      ref_id: RC.CO-1.2
      description: A Public Relations Officer shall be assigned.
      annotation: "The Public Relations Officer should consider the use of pre-define\
        \ external contacts \n(e.g. press, regulators, interest groups)."
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "Un responsable des relations publiques est d\xE9sign\xE9."
          annotation: "Il convient que le responsable des relations publiques envisage\
            \ l'utilisation de contacts externes pr\xE9d\xE9finis (par exemple, la\
            \ presse, les r\xE9gulateurs, les groupes d'int\xE9r\xEAt)."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      ref_id: RC.CO-2
      description: 'Reputation is repaired after an incident '
      translations:
        fr:
          name: null
          description: "La r\xE9putation est r\xE9par\xE9e apr\xE8s un incident."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-2
      ref_id: RC.CO-2.1
      description: The organization shall implement a crisis response strategy to
        protect the organization from the negative consequences of a crisis and help
        restore its reputation.
      annotation: Crisis response strategies include, for example, actions to shape
        attributions of the crisis, change perceptions of the organization in crisis,
        and reduce the negative effect generated by the crisis.
      implementation_groups:
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit mettre en \u0153uvre une strat\xE9gie\
            \ de r\xE9ponse aux crises afin de prot\xE9ger l'organisation des cons\xE9\
            quences n\xE9gatives d'une crise et de contribuer \xE0 restaurer sa r\xE9\
            putation."
          annotation: "Les strat\xE9gies de r\xE9ponse aux crises comprennent, par\
            \ exemple, des actions visant \xE0 d\xE9terminer les attributions de la\
            \ crise, \xE0 modifier les perceptions de l'organisation en crise et \xE0\
            \ r\xE9duire l'effet n\xE9gatif g\xE9n\xE9r\xE9 par la crise."
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3
      assessable: false
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co
      ref_id: RC.CO-3
      description: Recovery activities are communicated to internal and external stakeholders
        as well as executive and management teams
      translations:
        fr:
          name: null
          description: "Les activit\xE9s de r\xE9tablissement sont communiqu\xE9es\
            \ aux parties prenantes internes et externes, ainsi qu'aux \xE9quipes\
            \ de direction et de gestion."
          annotation: ''
    - urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:important_rc.co-3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:ccb-cff-2023-03-01:rc.co-3
      ref_id: IMPORTANT_RC.CO-3.1
      description: The organization shall communicate recovery activities to predefined
        stakeholders, executive and management teams.
      annotation: Communication of recovery activities to all relevant stakeholders
        applies only to entities subject to the NIS legislation.
      implementation_groups:
      - I
      - E
      translations:
        fr:
          name: null
          description: "L'organisation doit communiquer les activit\xE9s de r\xE9\
            tablissement aux parties prenantes pr\xE9d\xE9finies, aux \xE9quipes de\
            \ direction et de gestion."
          annotation: "La communication des activit\xE9s de r\xE9tablissement \xE0\
            \ toutes les parties prenantes concern\xE9es ne s'applique qu'aux entit\xE9\
            s soumises \xE0 la l\xE9gislation NIS."